The importance of being hung out to dry
I'm willing to bet that government agencies have a better grasp of USB policy and what to do before recycling PCs than commercial organisations have.
This morning I read about the Australian Taxation Office (ATO) in a report that the Australian National Audit Office (ANAO) had completed. According to the report, the ATO is apparently completely on top of USB use within the organisation.
From my colleague Michael's article:
The ATO was able to state that it had about 2500 USB devices, each of which were restricted to a specific brand that required biometrics to use. Additionally, staff had to apply to be issued with one, further keeping records of their use. In the case where private USB devices were introduced to the ATO's systems, its file transfer-monitoring system could also assist in identifying the user responsible for any unauthorised data transfer.
That's pretty impressive, isn't it? Does your firm have biometric USBs that you have to register to use? What happens if you plug in a USB to your console? Does the organisation find out who is responsible for "unauthorised data transfer"?
The other two agencies that were looked at in the audit didn't do so well, but, then, they weren't massive like the tax office. I mean, how many people work in IT at the Insolvency and Trustee Service Australia (ITSA) and Australian Hearing?
I'd also say that the same competency would apply for many government agencies that recycle their old PCs. In 2008, I wrote a story about a Western Australian audit report that investigated agencies re-selling PCs. From that article:
The auditor-general's office bought 19 second-hand PCs, which looked to be ex-government. Of those, 10 proved to be so. From four of the 10 hard drives, the team was able to retrieve information, some of it sensitive, including tax file numbers, salary information, superannuation information, home addresses, dates of birth, photos, personal emails, letters, resumes, performance reviews and contact details.
Three of the four computer hard drives found to contain sensitive information had been formatted, but this provided only a low level of security. The fourth seemed to have undergone no attempt to remove any data before it was disposed of.
This led the auditor-general to look at the computer-disposal policies of seven agencies, and found that three had no policy. This, of course, attracted scathing comments from the auditor-general, and many nasty articles in the press. But I'd bet that those agencies have a policy now, and will at least be thinking about deleting data from PCs before they dispose of them. I'm certain that this isn't the case for many commercial agencies, after spending a while following a comment thread about recycling PCs. Some of the comments on the thread showed that people hadn't even considered it, or had been relying on their IT department to do something about it, which had not occurred.
I personally wonder how these organisations would perform if they had the same type of audit that government agencies are subjected to.
So, tell me: how is data security in your organisation? Do you put your old PCs through a degausser? Are you watching the USB use in your firm? Or is everything just a bit laissez faire? How many of your organisations have deep-reaching audits like the ones that the government experiences?