infoTECH Feature

December 20, 2010

NASA Audit Underscores Need for Secure Disposal of IT Equipment

According to Blancco, a company in data erasure and end-of-lifecycle solutions, an audit report by a NASA Inspector General (IG) highlights the importance of a secure end-of-service policy and practices related to information technology (IT) equipment.

The audit revealed shortcomings in sanitization and disposal processes for electronic media that led to the release of 10 computers slated for resale, nine of which may have contained sensitive Space Shuttle-related data. These findings prompted the IG to recommend stricter procedures, including separate, offline verification sampling of excess IT equipment to ensure data is gone, a very costly process in certain situations.

According to the press release, the IG's report identified that the four NASA centers under review either failed to verify data removal, did not notify managers when computers contained data after verification testing, used unapproved sanitization software, or used approved software for sanitization that did not verify erasure status, such as freeware and firmware-based tools.

Markku Willgren, president of U.S. Operations for Blancco, said that while the IG recommends offline verification testing for 20 percent of media slated for reuse or disposal, in practice this methodology requires manual labor and is often cost prohibitive, especially when a high sampling rate is involved. Rather than sampling just a percentage of devices after the fact in an offline mode, he said, for complete security organizations need failsafe, auditable processes that can thoroughly erase 100 percent of data from all decommissioned computers and also log results for each computer before it is disposed of and leaves the premises.

He added that these processes should utilize networked tools that not only erase multiple drives at once, but also log detailed erasure results for each computer and report them to a central database in an online mode. To address issues raised by the IG and implement secure end-of-service processes, Willgren suggests implementing a failsafe end-of-service policy, a computer-generated verification report for every sanitized hard drive, a certified data erasure tool, and contractors to perform a sample offline recovery attempt.


Mandira Srivastava is a TMCnet contributor. She works as a full-time writer, ghostwriter and blogger, and has more than two years of experience in print and Web media. She has also worked on company brochures, website content and product descriptions, as well as proofreading and editing content. To read more of her articles, please visit her columnist page.

Edited by Jaclyn Allard