Every job has its little nuances
that no one else is aware of. Little tricks of the trade, or the thing that no
one outside of the specialism has ever thought of. For most of us, those are
the little stories we love to tell at parties, to impress complete strangers,
just before their eyes glaze over and they make an excuse to escape to the loo.
Most jobs are boring of course.
Most of the time. There are always bits that we enjoy more than others and
sometimes bits that we actively like, but the reality is that most of our lives
are mundane and not worth repeating to anyone. Unfortunately, as the devil is
always in the detail, it is these extremely boring things which can often get
us in the most trouble.
The paperwork trail is a prime
example. I shall exaggerate a little here, but of the two million forms I have
filled out in my long life only about ten percent were ever read, let alone put
to any good use. I am sure I have wasted about a year of my time filling out things
no one else will ever refer to again just to fill a filing cabinet that is
probably still in storage somewhere, waiting for the statute of limitations to
pass by.
The IT recycling sector can drown
you in paperwork. There are certificates and processes and lists and forms that
you can read until your eyes bleed, and do you know what? The vast majority
just get filed away and never see the light of day again.
Why, I hear you ask? Because data
security during asset disposal is all about risk management, and the paperwork
is your defence, milord. The stuff eReco provides for you during the process,
the waste transfer note, the asset list and finally the certificate of data
destruction, are only worth their weight in gold when something goes a bit
wrong. It is then, when Genghis Khan (our friendly neighbourhood Information
Commissioner) is just preparing to torture your first born, that you whip them
out and prove that you did everything right.
Which is why any sane individual
disposing of a data-bearing device would worry about the paperwork and the
little details contained therein. I know I have managed to write over 100 blogs
thus far on this stuff, and I know there are a lot of details, but to simplify
it down to the bare bones what you need to do is cover your backside, if you
are worried about getting a sharp kick at some stage.
Some people do not worry. Many of
those do not appreciate the risks...the £500k fine, the prison
sentence...because either they don’t understand the risks or they take the view
that they are not going to get caught. Now I understand that. It is a bit like
speeding in that regard, the vast majority of times you will get away with it.
I don’t speed as much as I used to, because actually the risks of getting
caught have increased, what with more speed cameras being about, and because I
am more risk averse these days.
Risk management, therefore, at
least in this case, is about the paperwork. That the paperwork is the proof of
the excellent ethical and data safe job we do is almost by the by. And yet
again the quality of the paperwork is paramount.
For instance, you have a
certificate of data destruction for a list of assets, identified by serial
number, don’t you? I do hope you do, because otherwise you are not even on the
first rung of the risk management ladder.
Our certs state the software used (Infosec 5 of course) and will satisfy
Genghis Khan that you have done all you could. The hordes will return to
barracks without your blood on their hands.
But what if the certificates you
have do not say how the data was erased? Or they say a lower level of software
was used? Or one hard drive off your asset list does not appear, because it
went missing somewhere? Genghis will be sharpening the gutting knives...
My party piece revolves around
legal documents spewing out of old printers we mend or what we can recover from
a hard drive after low-level erasure. I thus have few friends and rarely get invited to parties! Doing things properly
costs a bit more. It is actually a bit boring as well. Sometimes we all stop
and read the health and safety legislation for some light relief. But what we
are doing matters.
The stuff in the file is
important, and so is what we do to create that paperwork, but you never get to see
or file that for posterity. We are battling for a sustainable world where our
personal data remains private. We are eco data warriors!
Put it like that and we are not
so dull after all...