US Dept of Energy Loses 20 Classified PCs

Yes, 14 of the machines apparently had classified information and it’s suspected that the other six did as well. And this isn’t the first time the DOE has reported disappearing machines. According to the article, 269 computers were reported vanished from the Idaho National Laboratory and in 2005 an Apple G4, with its hard drive intact, was discarded by Los Alamos. In fact, according to the article:

In the past four years, audits have found more than 10 incidents of lost
computers that had been used in designing, building, managing, or administering
nuclear technology.

Excuse me – what?

It is amazing to me that the Department of Energy, an agency responsible for the nation’s nuclear program and for protecting classified information from espionage by foreign states, cannot perform basic asset management, let alone follow their own NIST guidelines for asset retirement and media sanitization.

A couple of thoughts on this topic for small business – so that you can practice stronger asset management than our nuclear laboratories:

1. Serialize every PC, laptop, or digital device. Although this used to be common practice when such assets were considered capital, every authorized piece of equipment in your technical inventory should have a unique identifier.

2. Manage the unique identifiers in a database. This could be QuickBooks, Access, even Excel. Delegate this task to your IT administrator.

3. In the database, indicate the PO number and the vendor the asset came from.

4. As assets are removed from production, update the database. Do not delete the entry, simply indicate that the asset was retired.

In this way, we can manage a complete chain of custody: from purchase, through use and disposition. The company could have a reasonable chain of custody and purview of production assets, and a more thorough database could even help with budget forecasting when it comes to asset replacement.

In terms of data disposition, take nothing for granted:

1. Most states have regulations concerning electronic equipment and landfills; you must recycle the equipment through appropriate channels. Use these channels.

2. Totally remove the hard disk, if possible. If you want to thoroughly prevent the use of the hard drive, take the drive into an appropriate space, grab a hammer, and smash it repeatedly. Not only is this therapeutic but it will render the drive totally worthless. Other authors actually recommend taking a jigsaw and drilling four holes into the platters at 90-degree angles; I think the hammer is more efficient and equally effective.

3. If the retired asset is a thumb drive or other form of digital media (such as a SIM card), again – use the patented hammer method.

4. If the retired asset is being recycled for use, consult a technology professional so that they may perform zero-fill formats and degaussing on the equipment to lower the potential risk of data remanence.

5. And once an asset is retired, indicate in the database when it was disposed of, how it was disposed, and maintain a receipt from the agency/technician who did the work.
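One way to keep the register described in the two lists above, as an added example that is not part of the original post: a SQLite table driven from Python that refuses to delete entries and reports retired assets whose disposal date, method or receipt is missing. The table layout, column names, status values and function names are assumptions of this example.

```python
import sqlite3

# Column names are this example's assumptions; the post only names the facts to record.
SCHEMA = """
CREATE TABLE asset (
    asset_tag       TEXT PRIMARY KEY,   -- unique identifier on every device
    description     TEXT NOT NULL,
    po_number       TEXT NOT NULL,      -- where the asset came from
    vendor          TEXT NOT NULL,
    status          TEXT NOT NULL DEFAULT 'in_production'
                    CHECK (status IN ('in_production', 'retired')),
    retired_on      TEXT,
    disposed_on     TEXT,               -- when, how, and the receipt for the work
    disposal_method TEXT,
    receipt_ref     TEXT
);
-- Entries are retired, never deleted.
CREATE TRIGGER asset_no_delete BEFORE DELETE ON asset
BEGIN SELECT RAISE(ABORT, 'retire the asset instead of deleting it'); END;
"""

def open_register(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def add_asset(db, tag, description, po_number, vendor):
    db.execute("INSERT INTO asset (asset_tag, description, po_number, vendor) "
               "VALUES (?, ?, ?, ?)", (tag, description, po_number, vendor))

def retire(db, tag, retired_on):
    cur = db.execute("UPDATE asset SET status = 'retired', retired_on = ? "
                     "WHERE asset_tag = ? AND status = 'in_production'", (retired_on, tag))
    if cur.rowcount != 1:
        raise ValueError(f"{tag}: unknown or already retired")

def record_disposal(db, tag, disposed_on, method, receipt_ref):
    cur = db.execute("UPDATE asset SET disposed_on = ?, disposal_method = ?, receipt_ref = ? "
                     "WHERE asset_tag = ? AND status = 'retired'",
                     (disposed_on, method, receipt_ref, tag))
    if cur.rowcount != 1:
        raise ValueError(f"{tag}: retire the asset before recording disposal")

def custody_gaps(db):
    """Retired assets with no disposal date, method or receipt on file."""
    rows = db.execute("SELECT asset_tag FROM asset WHERE status = 'retired' AND "
                      "(disposed_on IS NULL OR disposal_method IS NULL OR receipt_ref IS NULL) "
                      "ORDER BY asset_tag")
    return [r[0] for r in rows]
```

Pass a file path to `open_register` to keep the register on disk and call `db.commit()` after each change; a non-empty `custody_gaps` result is the list of machines to chase down.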

In terms of best practices, the small business can now say – with a significant degree of confidence – that it knows where its assets came from and where they went; which assets are in circulation and which ones are inactive; how they were disposed of and how their memory was sanitized so as to avoid data remanence.

Yes, you, too, can practice a level of IT Governance by using a simple process that, seemingly, our national nuclear scientists have difficulty following.

R
www.micklerandassociates.com