I have been asked several times in recent months about addressing risks of warranty repair service of laptops/tablets. With each of these situations, the question boiled down to the same underlying issue: non-removable storage. “It depends” has been my standard response, as there are many key factors to accurately framing the response. Organizational policies which defines their risk appetite and/or external regulations typically characterize what can be done.
The organization’s policies and general risk appetite are the first place to look for guidance. Media sanitization policies may reference how to handle a situation where a device begins to fail.
One of the people who asked this question works within a small financial services/tax preparation organization. About 10 years ago, the organization had invested in one of the big four audit firms to review their operations which resulted in several policies being written and procedure changes. One of these policies stated that “hard drives, thumb drives, and other forms of digital media must be removed and destroyed prior to desktop or laptops leaving the organization.” This made perfect sense at the time due to how much sensitive PII was being processed each year and the types of issues were being reported in the mass media at the time. That organization framed their policy around the idea that drives would be removed from desktops and laptops at the end of their useful life span as they had no risk appetite for showing up in the news. But, that policy had not been updated to fit the changing world in the past decade, or really consider what to do with warranty services.
The classification of data which was being stored/processed on the device can direct one to device sanitization guidelines. Regulations around this activity can also detail what can be done.
Another colleague broached a question about how best perform a warranty repair on a Microsoft Surface. Their organization utilizes a 4-layer data classification standard where the top levels of restricted data must follow NIST controls. NIST 800-171 Control 3.7.3 has a control statement of “Ensure equipment removed for off-site maintenance is sanitized of any CUI.” Further, control 3.8.3 states “Sanitize or destroy information system media containing CUI before disposal or release for reuse.” Similar language exists in NIST 800-53, HIPAA, and other similar frameworks.
We spent a few hours talking through this situation and developed a flow chart that seems to work based on their local policies and risk appetite. AND it accounts for the type of data being stored/processed on that asset.
If the storage is removable, then remove it prior to sending to warranty repair.
If the storage is non-removable and the system is operational, utilize one of several NIST compliant tools/techniques to wipe out any sensitive data.
If the storage is non-removable and the system is non-functional, then base next steps on data classification.
Public data classification would be acceptable risk for the organization to send off to be repaired.
The higher level classifications would require multiple tasks such as communication to the CTO/CISO/Risk Management team about the failed asset, validating that a BAA is in place with the repair vendor (for HIPAA), and working through hurdles of ensuring that the damaged device was transported to the repair vendor and return was tracked.
In these discussions, the organization might choose to fully replace the device rather than take the risk of sending off for repair based on the reputational risks. This could create an un-intended consequence depending on budget model of the organization. Depending on which budget take the hit for replacing the asset, low-level managers may improperly attest an asset as being “public” data or otherwise hide repairs rather than replacing outright.
In these scenarios, much of the discussions related to risk. How do we avoid the risk, transfer the risk to others, or at least mitigate the risk to some degree. It would be no surprise to anyone that the world changed significantly in the past year. Among those changes included the pure number of laptops, tablets, and similar assets that were deployed in most organizations for the suddenly remote work force.
Due to the changes, we all need to be carefully looking over our policies and having discussions with internal audit, IT leadership, information security, and risk management teams about warranty repairs for our individual organizations. What are you all seeing in your industries or organizations with how to handle warranty repairs?
Scott Fendley ISC Handler
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Source: Read More (SANS Internet Storm Center, InfoCON: green)