Vendor Integrity? | Known and Unknown Risk? | At the end of the day who is responsible?
In a world of seemingly unmanageable risk, security analysts and risk managers often look to the supply chain as a possible area of weakness. Oftentimes the goals of procurement teams are centered on financial strategies or budget requirements and are not always in line with risk mitigation. As a ‘security veteran’, I believe the basic formula for success is divided into two areas: “Known Risk” and “Unknown Risk”. In the current world of IT, many Fortune 100 companies have multiple vendors supporting and managing their platforms, enterprise standards, and processes. Unfortunately, many of these vendors do not share the known risks of the organizations they serve, and some even expose the organization to additional unknown risks. This leaves businesses vulnerable to disaster.
As companies look to mitigate their security risks, they’ll need to ask themselves several questions about their known and unknown risks as they relate to potential IT Asset Disposition (ITAD) vendors.
What are the known risks from your vendor’s perspective? Do your known risks align with those of your vendors? Are your vendors mitigating your known risks? Are you gaining more insight into your unknown risks through your vendors? Or are your vendors putting you at increased unknown risk?
The strategy for IT Asset Disposition (ITAD) vendors can be very broad. Because these ITAD vendors stem from different industries, many of them carry unknown risks. In addition to the company’s identified known risks, corporations should familiarize themselves with the unknown risks that exist within each type of ITAD vendor.
The first type of ITAD vendor is the e-recycler. These vendors hold knowledge and background in reclamation and commodities, and they are focused primarily on the value of recycling the original materials and commodities. This type of ITAD vendor generally offers the lowest-cost solution and will often return some residual value to the client for their scrap. However, their collection process and transportation practices carry unknown risks, because they fail to provide the proper chain of custody, security, and asset tracking that would guarantee the destruction of the corporation’s data.
The next ITAD business model is the Broker, Refurbisher, and Reseller. These businesses work toward providing additional value to their clients by remarketing and refurbishing the entire system in order to receive full market value. Most of these businesses share some value back to their clients in the form of rebates and other forms of payment credits. The main unknown risk in this model is the sanitization and remarketing of the hard drives. Complete systems and hard drives bring significant value back to the ITAD company through drive and system sales. However, the sanitization process is always subject to human error, and residual blocks of data routinely remain intact in the unwritable areas of the hard drive; those areas are wide open should the platters be relocated to another DASD or subjected to other data recovery practices.
Our last example is a security-focused ITAD organization. These organizations normally staff IT professionals and adopt security policies and certifications from outside organizations such as NAID. Outside certification in security practices provides additional oversight to data security procedures as well as the necessary auditing to protect client information.
Security-focused ITAD vendors understand the capabilities of computer forensics and also carry specialized knowledge in the field. For example, they will know what kind of client data would be on an F5 load balancer. These types of companies have processes in place to assist their clients as soon as their IT systems are taken offline. They also carry the promise and guarantee to physically shred and recycle all hard drives that flow through their facilities. This includes never reselling hard drives.
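As an added example (not from this article or any ITAD vendor), the following Python check applies the criteria above to a shipment: every drive the corporation sent must have an unbroken chain of custody from the corporation's site to the vendor, and a destruction record showing physical shredding rather than a software wipe followed by resale. The serials, hand-off names, timestamps and accepted destruction methods are constructed assumptions.

```python
"""Reconcile an ITAD shipment against the vendor's custody log and certificate of destruction.
Constructed sample data; flags missing destruction records, drives wiped and resold instead
of shredded, and breaks between custody hand-offs."""
from collections import defaultdict

ACCEPTED_METHODS = {"shred", "degauss+shred"}  # physical destruction only (assumption)

# Constructed sample: what the corporation shipped (asset tag -> drive serial)
SHIPPED = {"A-1001": "WD-ZX1", "A-1002": "WD-ZX2", "A-1003": "ST-QQ7"}
# Constructed custody log: (serial, from, to, ISO timestamp)
CUSTODY = [
    ("WD-ZX1", "corp-dc", "courier", "2024-03-01T09:00"),
    ("WD-ZX1", "courier", "vendor-intake", "2024-03-01T15:30"),
    ("WD-ZX1", "vendor-intake", "vendor-shredder", "2024-03-02T08:00"),
    ("WD-ZX2", "corp-dc", "courier", "2024-03-01T09:00"),
    ("WD-ZX2", "vendor-intake", "vendor-resale", "2024-03-03T10:00"),  # courier hand-off missing
    ("ST-QQ7", "corp-dc", "courier", "2024-03-01T09:00"),
    ("ST-QQ7", "courier", "vendor-intake", "2024-03-01T15:30"),
]
# Constructed certificate of destruction: serial -> method the vendor claims
CERTIFICATE = {"WD-ZX1": "shred", "WD-ZX2": "software-wipe"}


def reconcile(shipped, custody, certificate, origin="corp-dc"):
    """Return {serial: [findings]} for every drive with a custody or destruction gap."""
    findings = defaultdict(list)
    by_serial = defaultdict(list)
    for serial, src, dst, ts in custody:
        by_serial[serial].append((ts, src, dst))
    for serial in shipped.values():
        events = sorted(by_serial.get(serial, []))  # ISO timestamps sort chronologically
        if not events or events[0][1] != origin:
            findings[serial].append("custody chain does not start at origin")
        # Each hand-off's recipient must be the next hand-off's sender
        for (_, _, prev_to), (_, cur_from, _) in zip(events, events[1:]):
            if prev_to != cur_from:
                findings[serial].append(f"custody break: {prev_to} -> {cur_from}")
        method = certificate.get(serial)
        if method is None:
            findings[serial].append("no destruction record")
        elif method not in ACCEPTED_METHODS:
            findings[serial].append(f"not physically destroyed: {method}")
    for serial in certificate:  # certificates for drives we never shipped are also suspicious
        if serial not in shipped.values():
            findings[serial].append("certified serial was never shipped")
    return dict(findings)
```

Calling `reconcile(SHIPPED, CUSTODY, CERTIFICATE)` on the sample data reports WD-ZX2 for the custody break and the software wipe, and ST-QQ7 for the missing destruction record; WD-ZX1 passes.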
Corporations need to understand the known risks and unknown risks of the ITAD vendor industry before handing over their valuable information. By carefully weighing the IT experience, industry of origin, and value of security that the vendor incorporates into their policies and procedures, corporations can be certain that their data will be protected only when they trust their vulnerable information to a security-focused ITAD vendor.
The bottom line: it comes down to the vendor’s experience level and IT knowledge, and what they understand as a Known Risk or an Unknown Risk.