Presentation is loading. Please wait.

Presentation is loading. Please wait.

State of New Jersey Office of the State Comptroller Disposition of Excess and Surplus Computer Equipment.

Published byJesus Mooney Modified over 10 years ago

Similar presentations

Presentation on theme: "State of New Jersey Office of the State Comptroller Disposition of Excess and Surplus Computer Equipment."— Presentation transcript:

1 State of New Jersey Office of the State Comptroller Disposition of Excess and Surplus Computer Equipment

2 – The Division of Purchase and Property (DPP) in the Department of Treasury is responsible for, among other things, the coordination and redistribution of computer equipment within state government. – All state departments, send DPP their surplus computer equipment. – Operations performed by Division of Property Management and Construction because they operate the warehouse. Background

3 – If equipment cannot be redistributed, it is sold at auction as scrap. Unless valuable equipment is identified, the equipment is sold in lots of 24 pallets of mixed equipment. – Data removal is the responsibility of agencies sending equipment, but in the past, Treasury personnel had become aware of instances of equipment containing data passing through the surplus process. Background

4 Pallets Ready For Auction

5 Data Issues – Policy requires degaussing of hard drives. Degaussing involves exposing electronically stored data to a magnetic field, effectively scrambling the bits on the drive, making the data useless. Degaussing, while effective, does not allow the State to redistribute some equipment efficiently. – The State data protection procedures put data protection in the hands of data owners.

6 Audit Procedures – Utilized non-statistical sampling method. – Checked computers at various stages: Arriving from an agency On the warehouse floor Disassembled loose hard drives Computers packaged for sale

7 Audit Procedures, contd. – Equipment was retrieved over multiple weeks, on different days, to help prevent observation bias. Checked 103 computers and found 39 drives. Pulled 19 loose hard drives for a total of 58 drives. Sample still limited by agencies inventory cycles.

8 One pallet, half disassembled

9 Limitations – Limited testing to desktop and laptop PCs. Also tested smart phones, but encryption prevented further examination. – Did not test servers, copy machines or other products. Lack of available expertise and news reports about the problems with copy machines also made this a well- known problem.

10 What we looked for – Connected drives as external media using a drive kit to a Windows XP machine. – First reviewed common file locations, such as My Documents. – Then searched for commonly used productivity software extensions: DOC, DOCX XLS, XLSX PDF ZIP, RAR Various common database extensions.

11 Data Classifications – NJs data classification is defined into four categories: Personal (Highest, covered by other privacy laws, SSNs, HIPAA information) Confidential (Sensitive information not available through public records requests) Secure (non-public information that would normally be accessible through a public records request) Public (Publicly available information) Also noted non-business data, such as users personal or incidental files.

12 Technical Method -Due to the cost of forensic software, consulted with NJ State Police computer crimes unit to find an alternative. -Utilized File Scavenger, a commercially available program ($50), to search drives. -Connected as external hard drives to Windows XP machine.

13 Second Pass – To ensure that Personal and/or Confidential data did not exist, we ran the data recovery tool. – Objective was to locate deleted files. Remember, a deleted file is not really deleted. – Two modes for search: Quick scan- few minutes – could recover recently deleted files. Deep scan- hour+ - if files could not be recovered using Quick scan method.

14 Findings -46/58 drives (79%) had data (not degaussed). -37/58 drives had data that was business-related. -13 drives had personal and 5 had confidential data.

15 In depth review of 5 drives -One drive contained over two hundred files from State investigative case screenings for child abuse, endangerment and neglect. Files had child immunization records, a health evaluation; many had names and addresses of children. -Another had been used by a higher-level official, and contained internal memoranda, internal briefings for a State cabinet level officer, work plans for individual staff and the personal contact information for several State cabinet-level officers. -One contained an Outlook email archive that included login credentials for multiple users computers and personnel reviews containing SSNs.

16 In depth review of 5 drives, contd. -Still another had vendor payments for children placed outside of the home by a department, with names, addresses and phone numbers, along with case information. -Personal life insurance trust agreement, three years of tax returns, a final mortgage payment letter including the address of the property and account number; the individuals Social Security number; a confidential fax concerning an employee personal emotional problems; and memoranda concerning potential attorney impropriety.

17 Agency Responses -One agency had degaussing equipment but staff would not use it because of noise and magnetic fields. -Another stated the person responsible for the sending of drives was no longer employed with the agency

18 Agency Responses, Contd. -Treasury suspended auction sales based on our findings, and temporarily did not accept storage media of any kind. -Agencies must certify the removal of all storage media for a shipment to be accepted. -One of the agencies had also been previously identified by treasury as a sender of confidential data.

19 Prescribed Equipment Controls -Computer disposal process criteria well laid out -Agency declares equipment surplus. -List is distributed to eligible State agencies, with detailed information about the equipment. -If the equipment can be reused, it should be transferred. -If it reaches the Warehouse, it is held and some good equipment is made available to local government and non-profits through a formal offering at regular intervals. -Non-usable equipment is to be sold at public auction.

20 Actual procedure -We observed that: Equipment would sometimes be sent without notice. Agencies were informed based on known need, there was no formal list of people looking for equipment. One person was responsible for all equipment controls and reporting. Equipment was not held for the required period.

21 Actual Procedure, Contd. Usable equipment was sometimes sold due to a lack of floor space. Some departments were taking equipment, while other departments were more often dropping off. While a guard and camera existed, we observed some State employees not signing in and pulling straight to the warehouse loading dock for equipment.

22 Equipment on the Floor

23 Equipment Control Review -Reviewed documentation for 11 shipments, 2 did not have any packing list or inventory, and none were certified of data removal. -A check of equipment serial numbers against vendor warranty website indicated that four computers were still under warranty when they were on a pallet waiting to be sold.

24 Equipment Control Review, Contd. -Equipment was transferred to local government agencies and non-profits through the same procedure used for State agencies. 2,000 various items had been redistributed this way items over 15 months. 900 cellular telephones were supplied to a non-profit after being specifically held for them. Agencies had not been notified of availability. -Agencies outside State government had not been informed of available equipment through the proscribed procedure since 2008. -No cost-benefit analysis.

25 Outcome – State of New Jersey no longer selling drives with data, preventing the risk of a future data breach through this channel – NJ State Legislature passes Public Law 2011, Chapter 225, revising the procedure for data protection in the disposal process Expands definition of equipment to be protected to include portable communication devices. Empowers Director of Purchase and Property to set standards for redistribution of equipment, including usability and the amount of time equipment should be held. Codifies supervision and controls over inventory of surplus computers.

Download ppt "State of New Jersey Office of the State Comptroller Disposition of Excess and Surplus Computer Equipment."

Similar presentations

The Electronic Office & The Internet Chapters 22 & 26 Information Systems for You.

The Electronic Office & The Internet Chapters 22 & 26 Information Systems for You.
ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.
HIPAA Security.

HIPAA Security.
Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.

Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Identification and Disposition of Official University Records University of Texas at Arlington Records Management.

Identification and Disposition of Official University Records University of Texas at Arlington Records Management.
Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Maintaining Security While Using Computers What all of Our Computer Users Need to Know.
Michelle Ross Sheila Hensley January 2015.

Michelle Ross Sheila Hensley January 2015.
K eep I t C onfidential Prepared by: Security Architecture Collaboration Team.

K eep I t C onfidential Prepared by: Security Architecture Collaboration Team.
Records Management for UW-Madison Employees – An Introduction UW-Madison Records Management UW-Archives & Records Management 2012 Photo courtesy of University.

Records Management for UW-Madison Employees – An Introduction UW-Madison Records Management UW-Archives & Records Management 2012 Photo courtesy of University.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
HIPAA What’s New? 2010. What Is HIPAA Health Insurance Portability and Accountability Act of 1996 Health Insurance Portability and Accountability Act.

HIPAA What’s New? What Is HIPAA Health Insurance Portability and Accountability Act of 1996 Health Insurance Portability and Accountability Act.
Property Management Overview

Property Management Overview
Copyright © 2014 Merck Sharp & Dohme Corp., a subsidiary of Merck & Co., Inc. All rights reserved. In practice, how do we recognize a potential Privacy.

Copyright © 2014 Merck Sharp & Dohme Corp., a subsidiary of Merck & Co., Inc. All rights reserved. In practice, how do we recognize a potential Privacy.
Investigation Myths and Facts November 29, 2011 IOT Security: Caroline Drum Bradley.

Investigation Myths and Facts November 29, 2011 IOT Security: Caroline Drum Bradley.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.

Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
Session V Records Management Process Development

Session V Records Management Process Development

Similar presentations

Ads by Google