WA Government discovers dangerous data leakage

Stuart Corner
Monday, 31 March 2008 10:53

Your IT - Home IT

Following from the examination of second-hand computers, AGs selected a sample of seven government agencies to assess whether adequate computer disposal policies, procedures and methods were being used. The sample included the agencies identified during examination of second-hand computer hard drives. "None of the seven sampled agencies had comprehensive policies or procedures for secure removal of data from computer equipment prior to disposal," it reported. "While all agencies did have a process in place, it was either inadequate or was not applied consistently."

Four of the seven agencies were leasing computers from third-party service providers. Two of these agencies were relying on the third-party to remove data from disposed computer equipment. Three out of the seven agencies owned their computer equipment and were using authorised government contractors to dispose of their computer equipment. None of the agencies were conducting comprehensive reviews to ensure that the data was securely removed. Only one agency was in the process of setting up an assurance process.

The report notes that most hard drives have secure erase function when activated, purges hard drive contents. "Secure erase provides a similar level of protection as degaussing [demagnetising] while allowing future re-use of the hard drive....However some modern computers block secure erase as this function can be potentially disastrous for users if invoked accidentally or through malicious intent. Consequently it is hard to implement secure erase as a uniform method of data removal from hard drives."

It added that Government guidance on appropriate methods of removing data from computers prior to disposal was limited. "This has contributed to some agencies using methods that do not provide adequate security while others, arguably, exceed reasonable requirements. It is important for the agencies to select methods that provide sufficiently secure removal of data at an appropriate cost.

The State Records Office in consultation with the Office of e-Government is drafting guidelines to assist government agencies with implementation of best practices when disposing of hard drives and other electronic media.