The NYS Department of State got a clean bill of health from the state’s Office of the State Comptroller in an audit of their disposal of electronic devices containing personal, private, and sensitive information. The report was issued May 13:
Department of State
Disposal of Electronic Devices (Issued 05/13/13)
Purpose
To determine if electronic devices being surplused by the Department of State had been permanently cleaned of all personal, private and sensitive information, and also whether the Department had developed formal processes to minimize the risk of unauthorized disclosure of such information when disposing of such equipment. The audit covers the period June 1, 2012 to October 10, 2012.
Background
Office of Cyber Security Policy P03-002 requires all State entities to establish formal processes to address the risk that personal, private or sensitive information may be improperly disclosed. One way information can be compromised is through careless disposal or re-use of electronic devices. Personal computers, tablets and smart phones pose a particular concern because they can easily be returned to the manufacturer or sold to the public while still containing private information. The Policy therefore requires that all electronic media (e.g. hard drives and other memory components) in these devices be securely overwritten or physically destroyed to prevent the unauthorized disclosure of sensitive information.
Key Findings
- Our analysis showed the Department’s policies and procedures for preparing devices for surplus were appropriate to minimize the risk that sensitive information may be inappropriately disclosed.
- We tested 218 electronic devices that had been readied for surplus to determine if these policies and procedures were followed and found only one device that contained readable data. This information was not personal, private or sensitive in nature.
- Because the Department utilizes OGS to surplus excess equipment and OGS has recently issued a directive requiring that all surplus computers have the hard drives removed and shredded, this will no longer be an issue.
Key Recommendations
- Implement the Office of General Services’ recently released policy and procedure for removing memory components from surplus electronic devices.