Upload File

recycling more than your it equipment

2
RECYCLING only a negligible percentage of CPU resources, with zero impact on disk I/O. The sensor prevention capabilities are implemented using DDL triggers that optionally delay DDL and DCL state- ments for a few milliseconds, allowing the sensor to terminate the offending statements in time. Policy rules can be sent to such host- based sensors. The policy rules apply to types of SQL statements, database objects, time of day or day of the month, specific user profiles and the applications used. The action taken when the condi- tions of a rule are met can be as simple as logging an event, sending an alert to a security incident management system via SNMP, or an XML API, sending an email or SMS, terminating a user session to prevent malicious activity and even quarantining users. Conclusions Database security is a critical component of any information protection strategy. The technology required to monitor and block suspicious database activity has come a long way, and has evolved from native audit through network monitoring to ever-more sophisticated host-based sensors. With threats on the rise and technology maturing, now is the right time for organisations to seri- ously review the security protecting their database. About the author Sudha Iyer is the director of product manage- ment at LogLogic and focuses on database security and compliance solutions. Prior to this, she has held security and technol- ogy product management and engineering management positions at Adobe Systems and Oracle Corporation. Her focus in the last eight years has been on security and identity management solutions that help enterprises improve their security and manage risk and fraud effectively. She is a Certified Information Systems Security Professional and has an MBA from Santa Clara University. 8 Network Security November 2009 Unfortunately, when it comes to what happens to the ICT at the end of its useful life to the organisation, the story changes quite dramatically. What used to be an asset that was controlled and accounted for, and managed by a dedicated team of system managers and security staff, has suddenly become a liability that has no value and takes up valuable space. The underlying tenet of information security is that it has to be from the inception of the project, through its design and deployment, to its working life and its disposal. Most organisa- tions manage the middle bit reasonably well, but are poor at the early and last stages. How often in the procurement of a new system has the security been added either at the last minute, or retro-fitted? While we have to address the imple- mentation of security before (or in some cases shortly after) the system comes into service, the security of information that has accrued on the system during its working life is often overlooked when it comes to disposing of the equipment. There are a number of reasons for this. The first is that, as mentioned above, the computers (and the storage media they contain) have become a lia- bility. The second is that while system administrators and security staff were responsible for the systems while they were in use, once they become redun- dant they will often be passed over to the storesperson or logistics personnel until they are disposed of. It is unrealistic to expect that these members of staff will either have knowl- edge of the technology or where it has been used within the organisation. As a result, they are not likely to be aware of, or concerned about, the value of the data or the potential damage that would be caused were it to fall into the wrong hands. Legislation and data protection Laws and regulations require organisa- tions to take reasonable care of informa- tion of certain types, the most obvious being that which relates to people (Data Protection Act 1998). But the obvious legislation is merely the tip of the ice- berg. Other relevant legislation includes the Financial Services Act 1986, whose requirements include effective access con- trol plans (difficult if you are not in con- trol of the media). Then, depending on the sector an organisation is operating in, there is also likely to be additional sector- specific legislation and regulations such as the Basel II accord HIPPA, the California state law on disclosure, to comply with. “The consequences of business plans or intellectual property falling into the hands of a competitor could be disastrous” The people in charge of organisations also have a responsibility to their stake- Recycling more than your IT equipment Dr Andy Jones, BT These days, most organisations have well-documented policies for the procure- ment and the use of information and communications technologies (ICTs). In some organisations the policies are even kept up to date and distributed to the workforce, which enables them to comply with the requirements. Andy Jones

Upload: andy-jones

Post on 05-Jul-2016

213 views

Category:

Documents


1 download

Report

TRANSCRIPT

Page 1: Recycling more than your IT equipment

RECYCLING

only a negligible percentage of CPU resources, with zero impact on disk I/O. The sensor prevention capabilities are implemented using DDL triggers that optionally delay DDL and DCL state-ments for a few milliseconds, allowing the sensor to terminate the offending statements in time.

Policy rules can be sent to such host-based sensors. The policy rules apply to types of SQL statements, database objects, time of day or day of the month, specific user profiles and the applications used. The action taken when the condi-tions of a rule are met can be as simple as logging an event, sending an alert to a security incident management system

via SNMP, or an XML API, sending an email or SMS, terminating a user session to prevent malicious activity and even quarantining users.

ConclusionsDatabase security is a critical component of any information protection strategy. The technology required to monitor and block suspicious database activity has come a long way, and has evolved from native audit through network monitoring to ever-more sophisticated host-based sensors. With threats on the rise and technology maturing, now is the right time for organisations to seri-

ously review the security protecting their database.

About the author

Sudha Iyer is the director of product manage-ment at LogLogic and focuses on database security and compliance solutions. Prior to this, she has held security and technol-ogy product management and engineering management positions at Adobe Systems and Oracle Corporation. Her focus in the last eight years has been on security and identity management solutions that help enterprises improve their security and manage risk and fraud effectively. She is a Certified Information Systems Security Professional and has an MBA from Santa Clara University.

8Network Security November 2009

Unfortunately, when it comes to what happens to the ICT at the end of its useful life to the organisation, the story changes quite dramatically. What used to be an asset that was controlled and accounted for, and managed by a dedicated team of system managers and security staff, has suddenly become a liability that has no value and takes up valuable space.

The underlying tenet of information security is that it has to be from the inception of the project, through its design and deployment, to its working life and its disposal. Most organisa-tions manage the middle bit reasonably well, but are poor at the early and last stages. How often in the procurement of a new system has the security been added either at the last minute, or retro-fitted?

While we have to address the imple-mentation of security before (or in some cases shortly after) the system comes into

service, the security of information that has accrued on the system during its working life is often overlooked when it comes to disposing of the equipment.

There are a number of reasons for this. The first is that, as mentioned above, the computers (and the storage media they contain) have become a lia-bility. The second is that while system administrators and security staff were responsible for the systems while they were in use, once they become redun-dant they will often be passed over to the storesperson or logistics personnel until they are disposed of.

It is unrealistic to expect that these members of staff will either have knowl-edge of the technology or where it has been used within the organisation. As a result, they are not likely to be aware of, or concerned about, the value of the data or the potential damage that would be caused were it to fall into the wrong hands.

Legislation and data protection

Laws and regulations require organisa-tions to take reasonable care of informa-tion of certain types, the most obvious being that which relates to people (Data Protection Act 1998). But the obvious legislation is merely the tip of the ice-berg. Other relevant legislation includes the Financial Services Act 1986, whose requirements include effective access con-trol plans (difficult if you are not in con-trol of the media). Then, depending on the sector an organisation is operating in, there is also likely to be additional sector-specific legislation and regulations such as the Basel II accord HIPPA, the California state law on disclosure, to comply with.

“The consequences of business plans or intellectual property falling into the hands of a competitor could be disastrous”

The people in charge of organisations also have a responsibility to their stake-

Recycling more than your IT equipmentDr Andy Jones, BT

These days, most organisations have well-documented policies for the procure-ment and the use of information and communications technologies (ICTs). In some organisations the policies are even kept up to date and distributed to the workforce, which enables them to comply with the requirements.

Andy Jones

Page 2: Recycling more than your IT equipment

RECYCLING

holders to ensure that business-related information is properly protected. The consequences of business plans or intel-lectual property falling into the hands of a competitor could be disastrous.

To support organisations and in an attempt to provide a common platform for information security, British and inter-national standards such as ISO 27001 have been created. These provide detailed and comprehensive guidance on steps that can be taken for the protection of infor-mation systems and the data they contain.

The question is why, with all of this guidance and support, do we still have such a high number of security breaches and failures to protect information? The answer is, in part, that to implement the measures outlined in such standards and to monitor their effectiveness is time-consuming and expensive. Many organisations neither have the resources nor are they willing to commit to them. The 2008 BERR Information Security Breaches Survey indicates that only 11% of organisations are actually compliant with the ISO 27001 standard.

If an organisation complies with the standards they will have an effec-tive security policy in place, and part of this will be for the disposal of the equipment at the end of its useful life. Unfortunately, a significant number of companies (45% according to the 2008 BERR Information Security Breaches survey) do not have security polices in place, and of the ones that do, many are dated, not effectively disseminated and do not contain the required information. Even if they do, people make mistakes, so if there no system in place to monitor the disposal of equipment and to check on any third party involved, the data leaks will continue.

Effective data disposalResearch carried out by BT in conjunc-tion with universities in the USA, the UK and Australia revealed that one of the main reasons for information being leaked was that the agreement with the third-party organisation contracted to dispose of the equipment was badly worded. The organisation disposing of the information believed they had specified that the third

party would ‘destroy’ any data. The third-party organisations, when questioned, felt that if they had been asked to do so, they had formatted the media.

The problem is that formatting a disk does not destroy the data effectively. On a formatted disk, while a casual check shows it to be empty, all of the data is still present and can be easily recovered. To properly wipe a disk so that data can-not be recovered is a time-consuming, resource-intensive task and carries a cost. The companies disposing of the equip-ment had failed in their responsibilities in two main areas. The first was that they had not specified in the contract the level to which the data was to be erased. The second was that having outsourced the task, they failed to check that the task had been carried out effectively. The level to which the media must be erased will depend on the sensitivity of the information contained within it, if this is known. In reality, a disk must be either physically destroyed or the data overwrit-ten a number of times using a recognised and tested tool such as Blancco, which is approved by the UK government.

Devices such as USB memory devices should be destroyed, as they have negli-gible intrinsic value and the cost of data erasure will be far higher than any recov-erable value. The issue of how to securely erase 3G phones and PDAs is more com-plex, as each stores data in a different way. Here a risk management decision must be made with regard to the risk versus the potential recoverable value, but it will probably be sensible, if not environmen-tally friendly, to physically destroy them.

One way the problem of tracking disks could be solved is if they were recorded and accounted for, and this may be a viable option for disks that contain the most sensitive of data. Unfortunately, this would impose an additional cost and would be difficult to manage, as the disks are buried in the depths of the computer. It would be far simpler to ensure that the processes and procedures that should be in place are working effectively and as intended. Following through on the processes organisations have for the tracking of the assets while they are in service through to the final stage of their disposal would cause lit-

tle additional effort and, in reality, the resources should already be available to undertake this work.

The disposal of ICT and the disks they contain need not be a problem, and most organisations already have pro-cedures in place. The process is flawed because the selection of the third party to dispose of the equipment and the contractual relationship with it has not been well managed and monitored.

“The responsibility for the data on redundant ICT equipment remains with the organisation disposing of it”

There are a number of third-party recycling and disposal companies in the UK that carry out work for government departments and industry. They have well-documented procedures that oper-ate to the relevant standards that will guarantee the safe disposal of data. They maintain records of a quality that will let any customer track the actions taken and the disposition of the ICT items or the disks. The best way to choose a company is as you would any other supplier: you find out which companies are commit-ted to processes and procedures that meet your corporate need and which have a good reputation. One example is SIMS Life Cycle Services, which has a massive recycling facility in South Wales and has been committed to developing reliable process for a considerable time.

Even when you have chosen a reliable third party and put in place a well-worded contract that specifies the level of data erasure you require, your responsibilities do not end there. You must still check that the processes have been effective, which will probably take the form of random sam-pling of disks that have been cleaned.

The responsibility for the data on redundant ICT equipment remains with the organisation disposing of it, until they can demonstrate that they have ‘taken all reasonable measures’ to ensure its protec-tion, which includes its destruction.

About the author

Dr Andy Jones is head of information security research, BT and is currently on sabbatical at Khalifa University in Sharjah, UAE

November 2009 Network Security9


Cold Asphalt Recycling for a Sustainable Future · Pavement Recycling Systems, Inc. Cold In-Place Recycling Cold In-Place Recycling (CIR) – an on-site process using a train of equipment

Stony Brook University Scientific Equipment Reuse Program New York State Association for Reduction, Reuse and Recycling Annual Recycling Conference 2015

MACH BALLISTIC - Waste & Recycling Equipment Manufacturer

Plastic Media Blasting Recycling Equipment Study · 2011-10-11 · PLASTIC MEDIA BLASTING RECYCLING EQUIPMENT STUDY EXECUTIVE SUMMARY Plastic Media Blasting (PMB) is a new technology

Tire Recycling Equipment Manufacturing

Resource Conservation: Waste More than just recycling

Guide to Starting Collection & Recycling For Lighting Equipment · 2015-06-01 · Guide to Starting Collection & Recycling For Lighting Equipment Andrew Brookie ... producers to set

EXECUTIVE SUMMARY: Electronics Recycling and … SUMMARY: Electronics Recycling and E-Waste Issues Recycling and Responsible Disposal of Consumer Electronics, Computer Equipment, Mobile

Acer LCD Monitor · IT Equipment Recycling Information Acer is strongly committed to environmental protection and views recycling, in the form of salvaging and disposal of used equipment,

GRANULATOR / STORAGE / RECYCLING SYSTEMS / CONTROL RECYCLING · > RPP page 26 > Hot gas generator ... higher than the number of newly built roads. RECYCLING ... Recycling legislation

Recycling and disposal of electronic waste ISBN 978 …...... (WHO / global) ICER Industry Council for Electronic Equipment Recycling ... PC-board Printed circuit board ... Recycling

Re-usable kegs Equipment Traceability Recycling - Odoo S.A

MACH OCC - Waste & Recycling Equipment Manufacturer

IT-RE / E-waste / Recycling IT Hardware and Equipment

Cold-In-Place Recycling - ROADTEC, INC.€¦ · Advantages Cold-In-Place-Recycling: Cost-Effective & Environment-Friendly Roadtec cold-in-place recycling (CIR) equipment makes it

ELECTRONIC RECYCLING ELECTRONIC EQUIPMENT RECYCLING WEB CONFERENCING RECYCLED TONER CARTRIDGES

RB HAIGH STRENGTHENS RECYCLING EQUIPMENT LINE-UP …

Design Guide for Container Recycling Equipment and Facilities …€¦ · recycling equipment are well maintained, provide a reliable facility for the collection of empty drink containers

Three Reasons Why You Should Consider Recycling Your Old IT Equipment

Fluid Recycling Equipment w

Promotion of Recycling and Proper Disposal (Electrical ... · Promotion of Recycling and Proper Disposal (Electrical Equipment and Electronic Equipment) (Amendment) Bill 2015 . This

Vibratory Equipment for the Recycling Industry

The Equipment Source for the Recycling Industry

Waste Electrical & Electronic Equipment Recycling

What is industrial Equipment Recycling

The Different Types of Industrial Recycling Equipment

Recycling OT equipment Caroline Petley, May 2013

Eco Expo Asia 26 - 29/10/2011E. Oil recycling technology and equipment!"#$%& F. Waste electrical and electronic equipment treatment and recycling systems!"#$%&'()* PRODUCT LISTING

GLOBAL RECYCLING EQUIPMENT SINCE 1966 WITH THE EIDAL SHREDDER LINE

IRVINE SUMMER 2016 RECYCLING NEWS - Waste … · IRVINE • SUMMER 2016 RECYCLING NEWS ... recycling loads. • Individual plastic bags break down recycling equipment; ... starter,

Equipment Wash Water Recycling System Development

GLOBAL RECYCLING EQUIPMENT - Shredderhotline.com PNEUenglish_mail.pdf · Although the Shredders involved with the Burda Group and Global Recycling Equipment and Shredderhotline.com

DEM-CON MRF - Waste Recycling Equipment … · DEM-CON MRF 2015 Excellence Recycling Systems Award Entry ... MRF’s. This project gained momentum quickly, ... Dem-Con Recycling Dem-Con

Electronics Recycling: More than just a slogan

Scrap Processing & Recycling Equipment - Kiesel · 2018-02-18 · Scrap Processing & Recycling Equipment Mobile shear baler combinations ... and the Sierra mobile equipment range