introduction to ADISA

Transcription

1 introduction to ADISA 1

2 foreword Changes in technology and increasing user demands has seen business IT infrastructure evolve in ways which 10 years ago would have been unimaginable. With this progression IT departments have evolved from simple break/ fix helplines to now being multi-faceted teams whose integration with the business leads to innovation and competitive advantage. And yet one of the oldest IT processes has not evolved at the same pace asset retirement/disposal. contents Foreword 3 The Importance of IT Asset Disposal 4 ADISA s view on IT Asset Disposal 6 Introduction to ADISA 7 The ADISA Strategy to achieve our mission? 7 Phase 1 Industry Regulation through ADISA Certification 7 Phase 2 Promote and Professionalise 8 Phase 3 Empowering the End User 8 About ADISA ITAD certification. 9 What are the benefits for business users in using an ADISA certified company? 9 The ADISA Monitoring Service 10 To find out more about ADISA 11 Many businesses today still view infrastructure that they have finished with, or which is broken, as waste. In many instances this equipment may correctly end up in the waste stream but in many other scenarios equipment is repaired or simply sold for re-use. Whichever route the equipment takes the data, which is resident on that equipment, must be dealt with not only to comply with legislation but also to protect company IP and reputation. Too many businesses seem to forget that in order to protect their data they need to consider the full data lifecycle, which only ends at the point when that data in no longer available. Furthermore they need to understand that data now sits in a wider variety of places than before, and most importantly on many different types of media. With a growing environmental, corporate and social responsibility (CSR) agenda many businesses now have a desire to promote reuse, but without risk to data or to propagating illegal trade in e-waste. However, there is general confusion as to how best to achieve this. Many policies are flawed, which means the very building blocks of a controlled process are unsafe. Many service providers are selected not on a service based criteria but purely on commercial reasons. This has led to the business process of IT asset disposal being commoditized and all too often treated as someone else s problem. The industry itself adds to this malaise as it has developed into a sector which is replete with businesses that offer inaccurate information, poor quality services and who have an appetite to buy business through pricing structures which are unsustainable. The service providers who operate high quality services are often compared, unfairly, with those who offer inferior and less secure processes. So with poorly informed clients and a highly competitive industry the whole process of asset disposal is often perceived as being a service which doesn t require much diligence, which isn t very important or which anyone can do. Yet with increasing data protection/privacy legislation smart end users are understanding that they have to protect data up until the very point it is no longer available. This means controlling their downstream processors through contracts and policies and being prescriptive about what happens to their infrastructure. And yet we still find companies making headlines for data lost as a result of poor disposal or being fined by industry regulators So what are the issues? Why do companies get a process, which at face value is so simple, so wrong? This brochure introduces you to the world of IT asset disposal and to the Asset Disposal and Information Security Alliance (ADISA). Yours sincerely, John Sutton and Steve Mellings Founders of ADISA 2 3

3 The importance of IT asset disposal There are almost daily headlines identifying data loss or breach. Whether it is by accident, wilful neglect or proactive attack, our press relish the chance of taking a household brand to task about being careless with our data. The legislators are beginning to show intent in bringing business into line and internationally regulators are working together to bring Data Protection and privacy issues to the C level agenda. In Europe there are changes going through to the EU Data Protection Law, which are eye-watering in the potential action that can be applied to companies who fail to address their legal requirements. In the US legislation which was fragmented is beginning to be brought together and the lobbying against the EU changes shows that there is far more willingness to try to forge consistent and sensible global data regulation. In addition to regulation, data is a sought after commodity, not only by foreign governments or journalists, but also by competitors and those seeking to gain advantage. For most businesses they protect theirs asset and information well when directly under their control. They achieve this by deploying a range of security countermeasures to deter and defend from attacks, which generally can be grouped into two areas. Physical Perhaps the oldest type of attack is to actually gain access to the media on which the data resides. Viewed as a somewhat agricultural means of attack it is however a recurring issue, either through insider compliance, speculative access or more targeted attacks. A break-in to steal assets or an attack on an individual are generally mitigated through physical barriers, access control and/or encryption. Technical Electronic warfare has evolved into Cyber warfare in the last few years and this has raised the profile of technical attacks to the front page of newspapers. Distributed Denial of Service (DDoS) attacks are perhaps the most widely recognised form of cyber warfare. These are not specifically designed to capture data but generally impact an organisations ability to communicate, trade and present itself in the public domain. Hacking is a term used to cover many parts of Cybercrime and is often the cause of widespread data compromises intended to acquire information for nefarious uses. The complex world of network security and encryption are general means of protecting against this form of attack and penetration testing is a means of assessing where any vulnerability lies. However a third area of security, which is essential to protect the very same information that resides on the network is often overlooked, IT Asset Disposal. It would seem strange to vigorously protect data on the network and yet when displaced or broken equipment is released it is often dealt with in an ad-hoc manner or with little central policy to control these activities. Those companies providing services in this area are often viewed as simply being the IT Dustmen and internal perception of this activity is that it is simply waste management. A failure to see these assets as more than just the physical asset and to be able to address the data and software issues leads to internal questions such as, Who do we use? What do we do? and What is our policy? failing to be answered with any real confidence. This uncertainty has led to a growing increase in the demand for the physical destruction of the data carrying media, which, whilst meeting security in a practical sense, doesn t address all areas where businesses release assets nor all types of asset and so only solves part of the problem. Data is now stored in a myriad of different places and with the advent of changes within the type and location of infrastructure, such as Cloud and Bring Your Own Device, a single destruction process won t cover every vulnerability. Furthermore, with constrained budgets and a greater environmental awareness, a maturing asset disposal policy needs to promote re-use rather than to simply opt for destruction. Technology has changed dramatically in the last decade and yet attitudes to disposal have not. Asset disposal, in the opinion of ADISA, is an evolving and important business process which when controlled through an intelligent asset disposal policy can manage risk and promote reuse and therefore create both financial and social benefits. The most valuable commodity I know of is information. - Gordon Gekko, Wall Street (1987) 4 5

4 ADISA s view on IT Asset Disposal Introduction to ADISA ADISA believes that the business process of IT and Telecommunications disposal is a crucial part of the overall information security effort. To help scope this business process ADISA has defined this as: Any situation where the data controller transfers custody of an IT asset to a third party for management or processing, whether on a temporary or permanent basis. Figure 1, whilst not exhaustive, shows different product sets, all of which hold data, and beneath them, different potential avenues out of the business. It is clear to see that a policy which says, We shred hard drives or We wipe all our hard drives doesn t cover all of these avenues and so only manages part of the risk. It can therefore be seen that the overall security policy needs to control these outputs and approve actions to sanitise the data on each of these outputs, which meets the overall appetite for risk. Where does your data go? Also in many organisations different departments manage these processes and so a cohesive approach to disposal is required to ensure all outputs are managed to meet the organisation s overall security policy. In many sophisticated businesses, who owns the infrastructure and also who operates it might actually not be the company legally responsible for the data. In outsourcing agreements, who performs the disposal service may not be clear as Tier two and three suppliers are often introduced into a complex supply chain. To summarise; IT and Telecommunications disposal needs to be viewed not as a waste stream (albeit that waste is a by-product) but as an extension of the in-life asset and information security policy. Business end users need to control each business output not only through internal policy but also strong external control. Unless this approach is embraced then there is a clear vulnerability as control over assets and therefore data is lost. ADISA was launched into the UK in 2010 to address this information security blind spot. Founded by John Sutton (Former policy developer at CESG and author of Information Assurance Standard 5) and Steve Mellings, ADISA is a group of leading experts in the area of risk management, compliance and data protection within IT Asset Disposal. ADISA s Mission Statement is: To promote IT asset disposal/recovery as a professional IT Security discipline and to improve understanding and expertise of all those who participate within this business process. The ADISA Strategy to achieve our mission? Change has to come from evolution rather than revolution and ADISA s role is to merely act as a catalyst for improvement. To achieve this we are adopting a three-phase approach. Phase 1 Industry Regulation through ADISA Certification ADISA (UK) developed, launched and has achieved widespread adoption of an ITAD standard, which focuses on the security of the asset throughout the recovery and sanitisation process. With over 30 companies in the UK holding certified status and members now in Greece, Netherlands and the USA the programme has real momentum. The main audits are performed either by ADISA consultants or more preferably by independent auditors. This is supported by unannounced audits that include full forensics on 10 products which have been processed. This will be on a mix of technology and different media types to ensure that data is being sanitised correctly on all types of equipment. The Mission of the Standard is: To ensure that each and every asset is managed professionally and that any resident data is sanitised in accordance with the client s requirements or with current industry best practice. The objectives of the standard are: To create an environment within the ITAD process which offers equivalent levels of security to those in place when the asset is in its live environment. To test the ITAD on all aspects of their management of that process to ensure that the process is delivered in a consistent way. To ensure that the sanitisation of the data has been done in accordance with independently verified tools/or following current best practice. To offer the end user confidence that those companies who are ADISA certified are both professional and ethical organisations. The Standard has been formally recognised by DIPCOG, a CESG and MOD committee, as being an industry standard of merit. DIPCOG In response to requests from industry, ADISA has also developed versions of the Standard, which are specific for logistics, leasing and data centre organisations. These are being tested in 2013 and will be publicly released during late 2013 or early Figure 1. This is not prescriptive but gives an idea of potential routes, which assets can take from a business. (NB: Printers and Multi-Function Devices are missing.) 6 7

5 Phase 2 Promote and Professionalise It is essential that the business process of IT asset disposal is repositioned and that can only be achieved through education and promotion. Since launching ADISA has presented to over 1,000 people and over 500 companies in the UK and Europe and will continue to run a full seminar programme alongside our members to help end users become aux fait with the subtle nuances of asset disposal. ADISA also launched into the UK a hard copy magazine, which has a subscription of over 2,800 end user professionals and in 2014 this will be launched as an e-magazine into North America and Australia. This magazine is used to help cascade the educational message about challenges within disposal and make recommendations as to how to overcome them. In conjunction with the University of South Wales, ADISA runs a formal training course for the industry entitled ADISA Certified Practitioner. This course is aimed at sales staff within the industry to ensure that their sector knowledge is firstly correct, but also that they have the skills to understand their client s issues to enable them to approach the sale in a consultative way. Too many companies sell services because it is what they can deliver rather than being the best option for their customers. This course will give our graduates confidence to act as subject matter experts with their customers and deliver the service that best fits each client. This course will be available as an on-line training programme in Phase 3 Empowering the End User In June 2013, in conjunction with the University of South Wales, ADISA launched a formal training course for end users. This course, entitled ADISA Certified Professional, is a two-day residential course culminating in an exam, which has the objective of empowering end user professionals to better understand the issues within disposal and to give them the building blocks to write proper policy. ADISA also has two end user products; one called AD Test and the second the ADISA Disposal Framework. (ADF) The AD Test is equivalent to penetration testing for network security and reviews all aspects of the disposal process from policy and contract, which may be in place, through to physical security throughout the process and then into forensic assurance using our forensic partners. The ADF is a 10-phase framework, which data controllers can follow to write and implement proper policy. It promotes asset re-use through a risk-based assessment, which is underpinned by scientific evidence again from our forensic partners IT asset disposal is a business process which is maturing and growing in importance as it moves away from Waste Management and into being perceived as a genuine IT security service. ADISA hopes to help all parties improve their understanding and expertise in this sector so overall performance is raised and the sector gets acknowledged for excellence in the field of security. About ADISA ITAD certification The ADISA IT Asset Disposal Standard, which focuses on the security aspects of IT and Telecommunication asset recovery, has quickly become a key requirement in the UK for those businesses seeking to find service providers who offer secure asset recovery and re-use. In 2013 the Standard was formally recognised by a UK MoD and CESG committee called DIPCOG and is being built into UK central government procurement strategy for Based on a modular approach, the Standard looks at all aspects from a risk based perspective offering end users confidence that companies that hold the certification have been independently assessed. The audit process is being further enhanced in 2013 with the introduction of twice a year unannounced audits which will include forensic testing as part of the routine checks being made. In addition, the information being published on the ADISA website about our members is being expanded in the fourth quarter of 2013 to allow end users to view potential suppliers in more detail before making contact with them. This will include validated statements of data sanitisation capability for each company. The programme is being formally launching into North America in 2013 and the Asia Pacific Region in What are the benefits for business users in using an ADISA certified company? The most crucial benefit for end users in regard to the Standard is that it helps them narrow down the search for a supplier from the huge number of competing companies. This helps the sourcing process change from being blind scattergun to be a more controlled process. Those companies holding ADISA certification show that they have exposed their businesses to an intrusive assessment, which is independent from them. It is crucial to note that ADISA is NOT a trade association owned by its members. It is independent from certified members and therefore operates to protect the programme as a whole rather than represent a singular or group of members best interests. As means of evidence ADISA has removed permanently companies who fail to meet the criteria on a consistent basis and have also refused certification on companies where questionable business processes have been identified. The programme is not so much, pay your money and get the badge, it s about businesses in an industry being as transparent and open as they can possibly be when meeting a published set of criteria. Perhaps the most measurable benefit of using a certified service is the free of charge monitoring service, which is detailed below

6 The ADISA Monitoring Service ADISA IT Disposal Standard is recognised by DIPCOG As part of the ADISA certification process each certified member has a number of audits to firstly achieve certified status but then to maintain it. Issues that arise from these audits can often lead to a change in their certified status and in the worst possible case the certified status being withdrawn. As such to help end users ADISA offers, free of charge, a monitoring service that will automatically send those subscribers updates of changes to the ITAD s status with ADISA. Updates will be sent for any of these reasons: Any change in certified status both positive (improvement) or negative (audit failure). Any new services, which have now been added to the ITAD s certified status. Any change in credit status. If they have decided to leave the programme for other reasons. It is essential to clarify the reasons to ensure no reputation damage to the ITAD. The results of any incident reports which may have been undertaken. Any business changes such as takeover/merger etc. To ensure fair play any company who signs up for this service will have their contact details forwarded to the ITAD in question. The ITAD will then approve or query the reason for being monitored. They can do this by contacting the person making the monitoring request such that they can understand the business reason for it. Upon agreement from the ITAD the person will be added to the monitoring list and will automatically get copies of all monitoring notices which are issued. This monitoring service also allows the end users to receive copies of the audit documents including all annotations which can help them be assured that their ADISA certified partner is best of breed in the world of IT Asset Disposal. The Defence InfoSec Product Co-Operation Group UK (DIPCOG) is a UK Ministry of Defence forum run by a committee composed of representatives primarily from the MoD and CESG. DIPCOG approves products and services as being suitable for use by the UK MoD but is used by a number of other HMG central departments as a mark to identify service or product quality. In 2013 DIPCOG formally recognised the ADISA ITAD Standard as being an industry Standard of merit. To read more visit To find out more about ADISA To download the Standard relevant to your region or to find out more about ADISA visit our websites at:

7 Rev