DDRV Moscow and Warsaw

The UK DDRV recently completed its longest trip to date, a 4,000-mile round trip to Moscow and Warsaw. The trip, organised by Damian Rushworth (CSI UK), was by far the most complex and demanding project ever undertaken by the UK DDRV team. Work permits, visas and specialist customs paperwork were required to enable the projects to go ahead.

Working on behalf of Bob Novelly’s (EPC) customers, the DDRV undertook two projects in Moscow for two of EPC’s international clients and one project in Warsaw. The whole trip took over three weeks to complete and both customers were extremely satisfied at the successful conclusion to the projects.

This is the latest of a number of international projects where CSI UK have collaborated successfully with EPC, following on from a DDRV project in Istanbul and numerous onsite data wiping projects throughout Europe.

Special thanks go to the UK technicians Jevgeny Sapoznikov and Alex Molloy, without whose efforts the projects in Russia and Poland would not have been a success.

CSI LIFECYCLE SERVICES UK ENTERPRISE DATA ERASURE

CSI now have the capability to wipe your server and storage hardware. In addition to our long-established desktop and laptop wiping services, we have added the ability to wipe enterprise hardware. Using our state-of-the-art hardware coupled with industry-leading software, we can ensure the safe removal of data from all your IT hardware.

 


Utilizing the unlimited erasure version of our flagship Enterprise Data Erasure Software (XErase), our Portable Appliance provides high bandwidth, multi-protocol data sanitization compliant with over a dozen globally recognized erasure standards.

This appliance can connect to as many drives as your physical configuration can support. Erase EMC, NetApp, Hitachi, HP and a host of other storage arrays on-site quickly and easily, then generate secure, completely customizable Certificates of Erasure that we can present to our customer upon job completion.

  • Direct Storage Array Attachment
  • Technology Refresh
  • End of lease equipment
  • Data Center decommissioning
  • Data Center migration
  • Data Center relocation

Overwriting Standards

  • U.S. Navy Staff Office Publication NAVSO P-5239-26
  • U.S. Air Force System Security Instruction 5020
  • U.S. DoD 5220.22-M
      • Clear, Sanitize, Purge
  • U.S. NIST SP-800-88
      • Clear, Purge
  • British HMG Infosec Standard 5, Enhanced Standard
  • New Zealand NZSIT 402
  • Russian GOST R 50739-95
  • Australian ISM 6.2.92
  • Germany VSITR
  • Canada RCMP TSSIT OPS-II
  • Secure Erase / SSD Sanitize

Contact CSI today to discuss your data erasure needs.

DDRV@CSILCS.CO.UK TEL: 0114 2329208 WWW.CSILCS.CO.UK

Computer Refurbishment Process: CSI Lifecycle UK Ltd.


When purchasing a refurbished laptop or a refurbished PC system which has been refurbished here at CSI, you can feel assured that you are acquiring a reliable, quality product. All systems are thoroughly tested to ensure that they are in full working order and ready for their second lease of life!

For a system to qualify as refurbished, it is subjected to the following processes:

  • Initial check-in, external and internal cleaning of the system
  • Physical examination of the system for faults or defects
  • If a new hard drive is not installed, wipe the previous owner’s hard drive using Blancco, the leading approved method for purging all data from the drive.
  • Test all hardware components on the system to ensure that they are in functioning order, and replace those which are not. Components included in our testing: CD drives, DVD drives, CD/DVD combination drives, diskette drives, hard drives, Network Interface Cards (NICs), Wi-Fi controllers, USB controllers, system memory, integrated and PCI video cards, integrated and PCI audio devices, and the system board
  • Installation/upgrade of non-functional or inadequate hardware components
  • Clean installation of the Microsoft Windows operating system
  • Installation of the latest Microsoft security pack and updates
  • Installation of antivirus software
  • Installation of productivity software (e.g. Adobe Acrobat Reader, Microsoft Office, etc.)
  • Final testing of all installed components and software
  • Sysprep of the computer to the OOBE (out-of-the-box experience) for the end user
  • Affix the Microsoft refurbished computer COA (Certificate of Authenticity) to the computer case
  • Prepare the computer for shipping

The difference between Used and Refurbished:

A used computer system – previously owned and utilised but being sold as seen. With used computer systems, there is no guarantee that the system will have been wiped of the previous owner’s data. As well as this, the hardware will most likely not have been checked to ensure it is in good working order. Finally, the system is not required to include the operating discs and manuals which originally came with it.

Refurbished system – previously owned and utilised but has been wiped of all previous owners’ data and checked to ensure all hardware is in full working order. Processes which the system will usually go through would include: wiping of all data from the previous owner, internal cleaning, testing of all hardware components, potential upgrade of some or all hardware components (for example the hard drive or RAM), installation of the latest Microsoft operating system and most current security updates. Refurbished systems may also come with additional software, for example antivirus programs. As per Microsoft, a refurbished computer is one which is installed with genuine Microsoft software and has a Refurbished Certificate of Authenticity. In essence, it is a new system, only the parts are older.


Another successful European DDRV trip

Following the opening of the new Lifecycle Centre in Bratislava, Slovakia, CSI Lifecycle Services has further enhanced its European credentials with another continent-wide data destruction tour. During August 2013, one of our Data Destruction Recycling Vehicles (DDRV) travelled through eight different countries to perform multiple onsite hard drive shredding services.

Departing from Sheffield, the DDRV’s journey took it onto the Euro Tunnel and through France, Belgium and Germany before arriving at the Bratislava Lifecycle Centre. While in the Slovakian capital, the DDRV and Lifecycle Centre were featured on the country’s most popular television news programme. Several companies in the financial services industry operating out of Bratislava, including Vienna Insurance Group and Slovenská Sporiteľňa, also had onsite data destruction services provided by the DDRV.


After spending a couple of days in Bratislava, the DDRV moved onto Brno in the Czech Republic for more onsite services, as well as more television coverage. This time, the DDRV was the star of the show as one of the largest news programmes on Czech TV filmed footage of the shredding machines in action.

After leaving the Czech Republic, the DDRV then moved into Austria and Switzerland for more data destruction projects before heading back towards the Euro Tunnel. Upon arriving back in the UK, the DDRV had two final projects to carry out for clients in London, before returning to Sheffield after a highly successful trip.

This most recent European DDRV tour underlines the capabilities of CSI Lifecycle Services throughout the continent. Our ability to perform a Europe-wide onsite data destruction service with no outsourcing of projects to third parties makes CSI a highly secure choice for any organisation’s data destruction requirements.

To enquire about having a DDRV visit your site, please visit our website and request a quote: www.csilcs.co.uk/data-destruction

Or alternatively, call us on 0114 232 9214.

Another large NHS fine for improper data destruction

NHS Surrey has become the latest organisation to be fined by the Information Commissioner’s Office for a serious data breach due to “failing to check the destruction of old computers”. Brighton and Sussex University Hospitals NHS Trust were fined £325,000 for a similar offence last year – a topic we wrote about at the time – and NHS Surrey have now been fined £200,000. Since the breach, NHS Surrey has been dissolved with their responsibilities passing to the NHS Commissioning Board who are required to respond to the Monetary Penalty Notice by 22nd July.

There are several key lessons that other NHS bodies – and indeed any organisation which needs to ensure proper security of data – can learn from this story to avoid facing the same punishment:

1. Have a process and stick to it

With such large potential monetary penalties in place for data breaches – the ICO has the power to fine up to £500,000 – having an IT disposal plan can no longer be regarded as an afterthought. A strong written policy is required to ensure that sensitive data like patient medical records are securely handled at the end of the IT equipment lifecycle.

However, just having a policy on its own isn’t enough; it’s vital that procedures are strictly followed, as demonstrated in the case of NHS Surrey. The Monetary Penalty Notice issued by the ICO contains the following text:

“The IT team explained that the hard drives would have to be physically destroyed because they may store confidential medical information.”

In consultation with the company selected to carry out the destruction, NHS Surrey’s IT team made the policy clear, but ultimately it wasn’t robust enough to ensure that the final destruction was completed.

2. ‘Free’ is not always free

The notion of ‘free’ IT disposal is not a new concept in the market, and indeed it received significant press coverage as recently as March this year when an MP promoted the services of a company providing such a service in his constituency. Industry figures reacted to this by claiming that focusing on price when selecting a disposal provider could increase the risk of a data breach. The extract below from the Monetary Penalty Notice outlines how the company providing the service to NHS Surrey sold on the basis of a free solution:

“The company’s Director explained that they could provide this service free of charge because the recycled materials could be re-sold by the company.”

It is important to recognise that in order to provide high level data security services, companies have to invest significant amounts, be it in licensing for government approved data wiping software, or physical equipment to destroy hard drives through degaussing or shredding.

Therefore, selecting an IT disposal provider purely on the basis of price, as opposed to level of quality, could result in an NHS organisation not receiving an adequate level of service. While the service NHS Surrey received might have been ‘free’ at point of sale, the cost to them has transpired to be £200,000 – a figure well in excess of the price of a quality IT disposal and data destruction service.

3. Demand proof of destruction

Not only is it important for NHS organisations to have a strong policy relating to data security, but this policy should be written to include evidence of destruction. The Monetary Penalty Notice noted that this was not the case in this instance:

“The disposal process for redundant equipment did not require the IT team to carry out an assessment of the risks of using a data processor to dispose of the hard drives and they did not observe the destruction process.”

Firstly, due diligence should be carried out on a potential service provider, and as part of evaluating the service, NHS organisations should look to see what proof of destruction can be provided by the supplier. By obtaining such evidence and having an associated audit trail, NHS bodies can have full peace of mind in the robustness of their processes.

4. Beware the consequences

As NHS Surrey have found out to their cost – to the tune of £200,000 to be exact – there are severe consequences for organisations who fall foul of the ICO’s warnings on data breaches. Again, referring to the Monetary Penalty Notice, one can see the scale of the breach at NHS Surrey:

“The company did not physically destroy the hard drives resulting in approximately 1570 hard drives containing confidential and sensitive personal data relating to an unknown number of patients and staff being offered for sale via the internet.”

With each hard drive containing potentially thousands of files, this was a significant breach. Not only does it explain the hefty financial penalty, but it could also lead to reputational damage and weaken the public perception of the NHS.

5. Follow the ICO’s advice

On the back of both the Brighton & Sussex University Hospitals NHS Trust and the NHS Surrey fines, the ICO have attempted to clarify how organisations should be operating with regards to disposal of their IT equipment:

“Commissioner would expect the data controller to have carried out a proper risk assessment and chosen a data processor providing sufficient guarantees in a written agreement that the hard drives would be physically destroyed and that destruction certificates containing serial numbers for each individual drive would be provided.”

Since the data breach occurred at NHS Surrey, they have re-written their procedures to take the above guidance into account – a strong policy with serial number reporting required is now in place. They have also gone one step further by requesting CCTV footage of the destruction process as an additional layer of evidence.

Conclusion

The key messages for organisations in the NHS to take away are:

  • Have a strong data security policy
  • Do thorough research on any potential providers
  • Do not select a service provider solely on the basis of price
  • Agree a written contract
  • Get proof of destruction in the form of serial number reporting and CCTV recording

For more information about the data destruction services provided by CSI Lifecycle Services, please visit our website.

CSI LCS Introduces Data Containment Units

CSI Lifecycle Services is delighted to roll out its new Data Containment Units (DCUs) as an additional service to its regular data destruction customers. A DCU is a lockable unit designed to store old hard drives, tapes, DVDs and other electronic media in a secure location awaiting final destruction. Each DCU can hold approximately 100 hard drives (larger units are available on request) and helps ensure drives are not lost, which could lead to a costly data breach.

One of CSI Lifecycle Services’ DCUs.

For customers who opt to take a DCU, CSI Lifecycle Services will arrange regular collections on a monthly or quarterly basis, or as often as is required. Our Data Destruction Recycling Vehicle (DDRV) will arrive onsite and the DCU can be unlocked once loaded onto the vehicle, providing a highly secure chain of custody.

Two DCUs being loaded onto CSI Lifecycle Services’ DDRV

If you would be interested in installing a Data Containment Unit on your premises, please get in touch by calling 0114 232 9214, emailing ddrv@csilcs.co.uk or completing the form below.