The unrelenting hunt for DBDs as part of the IT asset disposition process is a critical first step in data security and compliance
Data bearing device (also called DBD) and data bearing asset (DBA) are broad terms covering any storage device capable of storing customer or proprietary company data. Often used interchangeably, some common examples include:
- Hard Disk Drives
- Solid State Drives
- Cell phones
- Computers
For IT Asset Managers and others concerned about data tracking and disposition, locating DBDs that are less common can be a real challenge: How do you sanitize or destroy sensitive data on data bearing devices if they are not documented, tracked or discovered?
Types of data bearing devices
Due to their size, hard disk drives (HDDs) are typically the easiest data bearing devices to find. Solid state drives (SSDs), because of their smaller form factors and various sizes, can get a little trickier. Most commonly known and recognized DBDs are
- CDs
- Magnetic tapes
- Hard Disk Drives (HDDs) – external or internal
- Solid State Drives (SSDs) – external or internal
- Cell phones
- Laptops
- Tablets
- Floppy disks
- Scanners
- USB drives
- SD/Compact flash cards
- USB drives
- Motherboards with embedded storage
- PCIe SSD cards
- IO accelerator cards (type of optimized SSD)
- NVDIMM (Non-Volatile Dual In-line Memory Module)
- HSM cards
Server equipment is the “wild west” in the hunt for data storage. In addition to the drives, you will find HDDs, SSDs, M.2 and SATADOMs in the front, back, internal, onboard and in the chassis itself.
- Servers
- Storage arrays
- Tape Silos
- Blade chassis/servers
IT assets that require a factory reset to remove IP addresses and other network identifiers and may also include additional data storage
- Universal routers
- Switches
- Firewalls
- Secure remote access modules (“infrastructure managers”)
- Network devices
Common office equipment that may be considered benign or dumb (but frequently include integrated data storage):
- Printers
- Copiers
- Kiosks (includes self-checkouts, vending machines, price check machines, ticket booths, payment machines, POS, ID and insurance verification stands)
- Smart docking stations
- DVRs
- Security camera controllers
Proper lifecycle disposition of data bearing devices and assets
In addition to a scrupulous process for identifying data bearing devices and disposition, it is your responsibility to understand the compliance needs and risk factors across your organization and how to apply data destruction processes.
Whether you rely on a third-party to advise you or not, forget about the outdated DOD standard and “number of passes”. Instead, fully understand the NIST 800-88 Rev 1 data sanitization standard and how and when to apply the Clear, Purge and Destroy processes. As a result, whether you are shredding, wiping or degaussing, you will be able to develop, test, follow and update/revise all IT asset disposition processes by IT asset. Finally, require all third-party providers to follow your end-to-end process with supporting documentation as well.
The risk that stakeholders can add to DBD and DBA data destruction practices
Understanding the compliance and risk framework for data destruction compliance is critical. We advise our ITAD partners to work with their clients to identify and actively include organizational stakeholders that should understand the value, risks and repercussions of non-compliance as part of your IT asset lifecycle.
Depending on your organization, a wide swathe of departments including IT, security, procurement, risk management, ITAD, IT asset management, finance, legal/compliance and even community outreach, PR and marketing that may be working on corporate governance (CG) or ESG programming may affect data destruction outcomes. Clear, published policies and educational programs can improve the awareness and risk of DBDs and DBAs to safeguard company data.
RELATED: What happens when you skip the visual hunt for DBDs >
Data bearing devices that are shipped add risk
Whether your IT assets are earmarked for resale, refurbishment, lease return, warehouse, redeployment, donation or the graveyard, avoid letting data travel. Your IT disposition process including physical IT asset inspections for DBDs and data destruction should be completed before IT packing and logistics. If it absolutely must travel with data, develop a secure IT logistics process that includes full chain of custody documentation.
Ask for expert DBD/DBA guidance
Your data destruction provider serves as the final layer of data protection, so it’s crucial to work closely with your ITAD, VAR or MSP to understand and implement any additional protection layers they can offer, such as onsite physical audits of your assets to find data bearing devices.
Demand that your third party vendors possess and provide adequate superior knowledge, skills and processes to protect your private and confidential data. They should be able to work with you to develop a process of inspecting all IT assets before they leave the premises for all types of obvious, hidden-in-plain site and deeply buried data bearing assets that hide genuine risk. Their mission and deliverables should focus on protecting your company from removing residual data as part of EOL IT asset disposition practices. Guardian Data Destruction partners with ITADs, VARs, MSPs and IT resellers to support their customers who demand a gold standard of data compliance and destruction. We provide best practices in data destruction (shredding, erasure, degaussing), white glove IT asset packing and secure logistics or enterprise and data center services.
Read next
- Understanding the data compliance risk of smart docking stations >
- Perception vs reality in the physical search for DBD (a guide) >
- Browse Guardian Data Destruction’s services (available through ITADs, VARs, MSPs) >
- How data walks out facilities on unknown, undocumented data storage >
Sign up for email updates to receive the latest in data security options from Guardian Data Destruction >
