IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

New I"ve had to live with these requirements
for the past three months. My initial project was to merge DSS with the corporate security standards, keeping the stricter of the two (Yes, some of the internal requirements are much stricter than PCI). The questions get quite interesting when you start to apply them to a mixed environment of mainframe, Unix, Linux, and Windows.

The questions about residual data on these drives is something that had been given only cursory investigation. PCI has force us to re-examine this issue.

The cost of destroying the drives exceeds the penalty for non-compliance. The cost to brand would be huge if there was a privacy leak.

Should we be destroying the drives? Maybe. As with every security issue it comes down to cost vs risk. My job is to report on risks and possible solutions. I do like Crazy's suggestion about setting up a workstation to scrub the disks before EMC takes them - if we are contractually allowed to remove the drives. I will also recommend that the EMC contract be reviewed to see if they are required to scrub the drives prior to reuse, and if they are not, see if we have the necessary language added.

And fwiw, we have other data storage vendors also. I just happened to start the discussion with the EMC group. It will only get uglier!
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
New There is a certain point... that enough non-compliance...
will cause de-certification.

That would be BAD.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
PGP key: 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2
     Data recovery on Striped drives - (jbrabeck) - (19)
         Any recovery would be pretty unlikely - (Andrew Grygus)
         You may be Ok, but not guaranteed safe. - (Another Scott)
         can useful information be pulled and re-assembled by block? - (boxley)
         Depends on chunk size and what you are hiding - (crazy)
         Thanks for all the replys, let's add clarification - (jbrabeck) - (14)
             Move the risk? - (pwhysall) - (10)
                 That will be one of my suggestions. -NT - (jbrabeck)
                 Bulk Erase Tape Demanetizer. - (folkert) - (8)
                     Can't use it if they expect to reuse the hard disk - (crazy) - (7)
                         That doesn't matter, if the disk has sensitive info. - (folkert) - (6)
                             Sigh - (crazy) - (5)
                                 If its PCI, its gotta be done. - (folkert) - (4)
                                     I"ve had to live with these requirements - (jbrabeck) - (1)
                                         There is a certain point... that enough non-compliance... - (folkert)
                                     I've done PCI before - (crazy) - (1)
                                         Well, we're definitely not a small merchant - (jbrabeck)
             that SHOULD be covered in your contract with EMC -NT - (boxley)
             What Peter and Box said. - (static)
             Like others said, but, that's pure political - (crazy)

Only the Shamwow guy could have done it better.
37 ms