CAS-S: Managing Public Sector Data Security: Mitigating Risk at Point of Disposal

Nearly 70% of data breaches occur after a computer is discarded. The National Audit Office reported that the UK public sector spent £6.9 billion in 2011/12 on its ICT infrastructure, including procurement, law enforcement, maintenance, cyber defence, firewall protection, network monitoring and staff education. Some of that budget may have gone on disposing of used assets, but data breaches that occur after assets have been disposed of are often overlooked or not adequately budgeted for.

To complicate matters, sensitive information may be recorded or present in the least obvious places: in copiers, scanners, fax machines or even, at times, off the coast of Suffolk. Given the sensitivity of the information the UK public sector holds, enhanced data security is a clear priority.

We’ve seen a staggering number of prominent data breaches this year, many of them hitting public sector organisations such as the NHS, DWP, MOJ, local councils and even primary schools. Software-based hacking, digital attacks and insider data theft account for most of the breaches that do get tackled; the physical security of data-bearing hardware does not appear to receive the same attention.

HM Government classifies data under three tiers. “Official” covers the classified information government organisations handle routinely: data on public finances, public safety, some aspects of defence and intellectual property, and citizens’ personal information. Its threat profile is limited, but Official data can still cause real damage if lost, stolen or published. “Secret” covers valuable security or intelligence material and sensitive economic data, whose loss could compromise military capabilities, international relations or the investigation of serious organised crime. Exceptionally sensitive government information is classified “Top Secret”; its compromise could cause widespread loss of life or threaten the security and/or economic wellbeing of the UK or friendly nations.

ICT assets holding data at any of these tiers must be sanitised, and then disposed of, under rules set by the Communications-Electronics Security Group (CESG). Only an IT asset disposition partner certified under CESG Assured Services (CAS) may carry out the sanitisation, using security-cleared staff, a secure logistics chain and a highly secure UK processing facility. The treatment depends on the environment the asset came from: a typical data-bearing asset such as a hard drive that was used in an “Official” environment must be wiped by overwriting it with random data, whereas one used in a more secure environment must be degaussed and shredded down to 6mm. RAM from a more secure environment, on the other hand, is required by the CESG to be powered off and then overwritten.
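The overwrite rule for Official-tier media is the one step in this process a practitioner can reproduce and check for themselves. The script below is an added example written for this page; it is not CESG guidance and not Sims Recycling Solutions’ tooling. It overwrites a file or block device in full with CSPRNG output and then reads the medium back to confirm that known content is gone and that no large zero or 0xFF regions remain (a crude sign that a write was skipped). It assumes a Linux host; the temporary file, the marker strings standing in for sensitive content, and the function names are all constructed for the demonstration.

```python
"""Added example: overwrite a data-bearing medium with CSPRNG output and
verify the result by reading it back.  Illustrative code for this page, not
CESG guidance or any vendor's sanitisation tooling."""
import os
import tempfile

CHUNK = 1024 * 1024        # 1 MiB I/O granularity
RUN_LEN = 64               # identical-byte run length treated as "not random"

# Constructed stand-ins for sensitive content; these are not real identifiers.
MARKERS = [b"NI-NUMBER:QQ123456C", b"CASE-FILE-CONFIDENTIAL"]


def overwrite_random(path: str, passes: int = 1) -> int:
    """Overwrite every byte of `path` in place with os.urandom() output.

    `path` may be a regular file or a block-device node (e.g. /dev/sdX, which
    needs root).  Each pass is fsync'd before the next starts.  Returns the
    number of bytes written per pass.
    """
    fd = os.open(path, os.O_WRONLY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)   # valid for files and block devices
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                buf = os.urandom(min(CHUNK, remaining))
                written = 0
                while written < len(buf):          # os.write may be partial
                    written += os.write(fd, buf[written:])
                remaining -= len(buf)
            os.fsync(fd)
    finally:
        os.close(fd)
    return size


def verify_overwritten(path: str, markers: list) -> dict:
    """Read `path` back in full and report whether any known marker survives
    and whether any RUN_LEN-byte run of 0x00 or 0xFF remains (a region that
    was skipped, or a write that failed silently)."""
    max_marker = max(len(m) for m in markers)
    carry = max(max_marker, RUN_LEN) - 1          # bytes kept to catch boundary-spanning hits
    zero_run, ff_run = b"\x00" * RUN_LEN, b"\xff" * RUN_LEN
    found = set()
    suspicious = False
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            window = tail + chunk
            found.update(m for m in markers if m in window)
            if zero_run in window or ff_run in window:
                suspicious = True
            tail = window[-carry:]
    return {"markers_found": sorted(found), "suspicious_run": suspicious}


def demo(size: int = 4 * CHUNK) -> dict:
    """Run the procedure on a constructed temporary file: a mostly blank image
    (zeros, then 0xFF) with the marker strings planted in the middle."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
        tmp.write(b"\x00" * (size // 2))
        tmp.write(b"\n".join(MARKERS) + b"\n")
        tmp.write(b"\xff" * (size // 2))
    try:
        file_size = os.path.getsize(path)
        before = verify_overwritten(path, MARKERS)
        written = overwrite_random(path, passes=1)
        after = verify_overwritten(path, MARKERS)
    finally:
        os.unlink(path)
    return {"file_size": file_size, "bytes_per_pass": written,
            "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind. The read-back only verifies what the device chooses to return: on flash media, remapped and over-provisioned blocks are not reached by an overwrite at all, which is one reason the higher tiers in the text call for physical destruction rather than wiping. And the “no long identical runs” check is a sanity check on the write path, not proof of randomness; the assurance comes from the CSPRNG source, the fsync per pass, and the full-length comparison against content you know was there.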

The CESG does not prohibit the re-use of some types of asset, provided they are securely wiped and then redeployed in a similar or more secure environment. This provision lets asset management companies offer a circular model in which assets “return” value either to the organisation, through potential resale, or to the environment, through resource recovery and sustainable recycling.

Learn more about how Sims Recycling Solutions, a CAS-S certified operator, can help you with the secure data sanitisation and disposal of public sector data. Visit us at Stand 3 at the GovSec seminar on 29 September 2015, where we will discuss the risks and opportunities within such a service stream.