Friday, March 01, 2013

SOP Friday: Removing Old Information - From Everything

Data Data Everywhere

Everyone is aware that you need to protect data on hard drives, and that you need to totally delete that data when drives are taken out of service. There is a very high probability that you have a standard process within your company for disposing of drives, doing secure wipes, etc.

Make sure that you write down that policy and train your techs.

But wait . . .  there's more.

We put our hands on all kinds of client data all the time. Usually it's electronic and on the client's machines, so we don't really have to do anything with it. But sometimes we end up with information on paper, such as employee names, computers, IP address schemes, etc. Plus all kinds of documentation in paper format.

And, of course, we have lots and lots of client information in our PSA system (that is, in electronic format on our systems).

An earlier article covered the process of cleaning up after a client's employee leaves (see SOP Friday: Client Personnel Changes - Employee Departure Checklist).

Three Kinds of Client Data

In general, you will have client information in three primary places within your possession:

1) Client Files
- With a copy of their contract, important communications, and possibly financial information such as credit card info or cancelled checks.

2) Hardware you've removed from the client
- Such as routers, desktop PCs, laptops, servers. Here we're talking about more than just the hard drives.

3) Internal forms and files that you use to support the client
- This includes New PC checklists, Monthly maintenance checklists, printouts you used to complete a task, copies of old Network Migration Binders, etc.

For client files, you just need a very short policy statement. It should cover who has access to these files, what goes in the files, and what gets "cleaned out" of the files. Something along these lines:

"Client files will be stored only in the locked file cabinet in _____'s office. All files will be replaced where they belong in the file cabinet when not in use. So, for example, files will not be left out on a desk overnight.

Only _____, _____, and _____ are authorized to access client files at any time.

Client files will include a copy of the most recent service agreement, any important correspondence, and current credit card information IF it is necessary to maintain CC info AND retaining this information in paper format is approved by the client.

Once credit card information is entered into the auto-billing service, it is our policy to shred all copies of this information we possess.

At the end of each calendar year, all client folders are moved to storage in a paper file box labeled with the year. The only information brought forward to the new year is the most recent service agreement."

Hardware is an interesting information item. In a separate article we talked about labeling things. Well ... there's an end-game associated with the habit of labeling everything. If you are super good at creating random passwords and never re-using them, then it doesn't matter if the router has the password taped to the bottom.

But clients tend to be horrible at good passwords. Even if they have a good password, they re-use it all the time. To be honest, I do this a lot too. Those 900 web sites I'm registered on? Yeah. Maybe three passwords cover 895 of them. I'm much more secure with the password for payroll processing.

Anyway, clients follow your example. So you label a machine with its name and they add a label for the administrator password. You might even label the local admin password on the back of the machine (after all, no one can see this on the Internet).

So when it's time for recycling that machine, you need to make sure you have a policy to scour all devices for labels and remove them. No matter how innocuous the information is, just get in the habit of removing all these labels.

Add that little step to your machine recycling checklist.

Finally, we get to internal forms and files that you use to support the client. On the administration and sales side, you will have client roadmap questionnaires and all kinds of information you might have collected or created regarding sales and configurations.

On the technical side you'll have various client-specific checklists, project papers, etc. We keep a copy of every network migration project forever. We actually have a file cabinet in the tech area with big fat pouch files for each migration project. Naturally, this includes all kinds of information about the client's configuration. That data is probably more important than a credit card number.

That's a unique example of sensitive data on the tech side. For the most part, sensitive client information on the tech side is stored in the PSA. But we do print things out, mark them up, and use them for various things. It is extremely important that everyone be in the habit of treating this information with respect.

In our case, some of this information is stored in the brown file cabinet with the migration projects. For example, we have checklists to make sure that backups are checked daily and that monthly maintenances are completed. These are not particularly sensitive data. Actually, they often simply amount to a list of client names. But that's important data.

So on the tech side, we have processes for filing items in the brown file cabinet. Everything else that has client information is covered by the company-wide policy about handling client data. Our company policy about handling client data is very simple:

"Some client information in paper format is needed by the front office for finances and client management. All such information will be stored in client folders in a locked file cabinet in the office.

Some client information in paper format is used by the sales department. Because virtually all of this information is saved electronically, it is our policy to shred any paper with any information as soon as that paper is no longer needed. If the sales department wishes to keep documents for long-term storage, they should be given to the office manager to store in the client folder.

Some client information in paper format is used by the tech department and stored long term. All such information must be stored in the brown file cabinet, which should be locked at the end of every day.

Other client information that the tech department has in paper format must be shredded as soon as that paper is no longer needed."

I know this sounds like it's a whole layer of hassle on top of what everyone is already doing, but it's not. First, get over the belief that something has to stay around just because someone printed it. Use it and shred it. Everyone. Every department. Every job. Every day.

If you need to keep something to prove that a job was completed, fine. Figure out where it goes and put it there. But be brutally honest (and remember that 99% of the paper you touch will never be looked at again). If you have something that's not in electronic format (such as a printout from the ISP that the client has written passwords on so you can do an email migration), scan it to PDF and put it in the PSA. Then shred the paper.

If you don't want to have a shredder at every desk, that's understandable. Have a centralized shredder or a box for shredding that lives in the office (which is locked at night).

Note on long-term storage: Pick a timeframe and shred those paper file boxes when they get old. For us, all information more than seven years old is shredded. Period. I used to have my daughter do this. Now I take them to the UPS store. It costs me about $25/box. But I was paying my daughter $10/hr. I think UPS is cheaper - and I don't have to buy a new shredder every year.

Note on non-paper stuff: You might also have client information in the form of CDs, DVDs, tapes, or even hard drives. You need a process for destroying all of these.

Make Data Destruction Fun

A few months ago we had a client who wanted proof that we had destroyed his old firewall, even though that firewall did not contain logs or other sensitive data. It did, after all, have his internal IP address range and the port mappings for his servers. So even though we can nuke it back to factory specs, some CIA-level tools could probably retrieve the old data.

So we made this video to prove to him that we had destroyed his firewall:

Hey, why not have fun since you have to work anyway?

Comments welcome.
