
Re: Policy on electronic equipment decommissioning and re-purposing

Subject: Re: Policy on electronic equipment decommissioning and re-purposing
Date: Mon, 28 Nov 2005 21:55:39 -0800
On Nov 22, 2005, at 12:58 PM, Dora Mandadjiev wrote:

> Hello,
>
> I am writing a policy on equipment decommissioning and re-purposing and I would like some help on:
>
> 1. best practices from data security perspective (use of erasure tools for different platforms esp. CISCO, different firewalls (devices), etc.)

Best practices are not really the right term here. There are different practices meant to deal with different circumstances depending on cost and criticality of content for different objectives. There are then about 5 basic classes of techniques for destruction which are effective at different surety levels, and they can be applied with different specific technologies depending on platform and media type for different costs. They are briefly covered in the CISO ToolKit books and covered in more detail in our internal "Security Decisions" work-ups that we use in consulting engagements.

> 2. legal considerations (i.e., environmental laws regarding disposal of electronic equipment, etc. others that I may not have thought about) in the US and in Europe (UK and Germany)

The legal considerations are also rather complex depending on jurisdictions, media types, processes being used, and requirements for retention and destruction. It's not just disposal but data retention and destruction requirements.

> Pointers to good sample policies are also appreciated.

Policies are not the best way to handle this. Generally, policies should be broad, generic, wide-ranging, and not change very much or very often. Control standards are more likely the desired place for specifying such specifics, while procedures are then used for the specifics of each system. The policy can be rather simple - follow the laws - retain and destroy according to legal first, then contractual, then organizational, then convenience and cost - following control standards (name the standards document that applies). This then lasts more or less forever as a policy, while the control standards change more often and the procedures they refer to might be identified for each new piece of equipment used in certain classes of applications.

> Thanks!


Of course if you are small enough then you can bypass a lot of this because you only have a relatively limited set of circumstances.


FC
-- This communication is confidential to the parties it is intended to serve --
Security Posture securityposture.com tel/fax
University of New Haven unhca.com 925-454-0171
Fred Cohen & Associates all.net 572 Leona Drive
Security Management Partners policygeeks.com Livermore, CA 94550

