Asset Management is one of the foundations of a sound Information Security Program, but it is also often neglected in the rush to replace or decommission systems. Every IT Manager has been through system migrations that resulted in piles of legacy equipment that needed to be quickly eliminated.
The quickest way to eliminate the equipment is often to contact vendors to come and remove the systems. But these systems can come back to haunt an organization that does not properly vet the vendor and ensure that the data on those systems has been completely destroyed. Morgan Stanley has recently experienced a series of events that illustrate this.
Morgan Stanley was fined $60 Million by the OCC for asset management errors it made in 2016 and 2019 while decommissioning data centers and servers. Additionally, Morgan Stanley is now being hit by a class action lawsuit related to the incidents. In both incidents, Morgan Stanley has seen no evidence that data from the servers was in fact accessed by an unauthorized party.
In 2016, Morgan Stanley hired a vendor to remove data from decommissioned equipment following the closure of two data centers. They later found that the vendor had failed to completely wipe unencrypted data from the systems, and the equipment was missing.
In 2019, Morgan Stanley removed servers from some branches, believing that the data on the servers was encrypted. They later found that a software flaw had left the data unencrypted, and that again the servers were missing.
There are some lessons to be learned from the Morgan Stanley incidents:
- Institutions should have an inventory of systems that is up to date and tracks the systems from purchase through disposal. Records of system disposal should be maintained for a period of time that is dictated by a policy and in accordance with any local laws. The records should also identify what types of data were stored on the devices when they were active.
- Vendors that are hired to assist in the disposal of equipment and who will have access to sensitive data must be vetted to ensure they perform their duties properly. Consider performing a site visit of the vendor to ensure that the facility is secure, that systems are quickly cleansed, and that they have a good process in place to manage the cleansing and disposal process.
- Consider removing any storage devices from systems prior to disposal and bringing a company on-site to shred the storage devices under supervision of institution staff. This ensures that the storage is irretrievably destroyed and allows the institution to dispose of the remaining, storage-free hardware without the risk of data loss.
- While the Morgan Stanley situation involved internal servers, remember that the institution is also responsible for securing data that is housed by vendors. Make sure that the disposal practices of vendors who house sensitive data are reviewed as part of the vendor due diligence process.
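To make the first three lessons concrete, here is an added example (not Morgan Stanley's or Bedel Security's code) of an inventory audit that flags the two failure modes described above: sensitive media released to a vendor with no proof of destruction, and encryption that was assumed rather than verified. The asset records, field names and sample inventory are constructed for illustration.

```python
"""Audit a decommissioning inventory for broken disposal chain of custody.

Added example; the Asset fields and the sample inventory are constructed
assumptions, not a real institution's records.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Asset:
    asset_id: str
    status: str                      # "active", "decommissioned" or "disposed"
    data_classes: List[str] = field(default_factory=list)  # e.g. ["customer PII"]
    encryption_verified: bool = False  # evidence (not belief) that storage was encrypted
    disposal_method: str = ""          # "shred_onsite", "vendor_wipe" or "" (unknown)
    destruction_certificate: bool = False


def audit(assets: List[Asset]) -> Dict[str, List[str]]:
    """Return {asset_id: [finding, ...]} for assets whose records do not prove
    that the data on them was destroyed before the hardware left the institution."""
    findings: Dict[str, List[str]] = {}
    for a in assets:
        issues = []
        if a.status == "disposed":
            if a.disposal_method not in ("shred_onsite", "vendor_wipe"):
                issues.append("no disposal method recorded; whereabouts of media unknown")
            if not a.destruction_certificate:
                issues.append("no certificate of destruction on file")
            # The 2019 lesson: unverified encryption is no substitute for shredding.
            if a.data_classes and not a.encryption_verified and a.disposal_method != "shred_onsite":
                issues.append("sensitive data with unverified encryption left on non-shredded media")
        elif a.status == "decommissioned":
            issues.append("out of service but not yet disposed; storage must stay in inventory")
        if issues:
            findings[a.asset_id] = issues
    return findings


def run_sample() -> Dict[str, List[str]]:
    """Constructed inventory mirroring the two incident patterns plus two clean disposals."""
    inventory = [
        Asset("SRV-001", "disposed", ["customer PII"], False, "vendor_wipe", False),
        Asset("SRV-002", "disposed", ["customer PII"], False, "", False),
        Asset("SRV-003", "disposed", ["customer PII"], False, "shred_onsite", True),
        Asset("WS-004", "disposed", [], False, "vendor_wipe", True),
    ]
    return audit(inventory)


if __name__ == "__main__":
    for asset_id, issues in run_sample().items():
        print(asset_id, "->", "; ".join(issues))
```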
If your institution needs help with asset management or other policies, we're here to help! Email us at support@bedelsecurity.com or call us any time at 833-297-7681.
Additional Resources:
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
Lessons from the First American Financial Corporation Breach
https://www.bedelsecurity.com/blog/lessons-from-the-first-american-financial-corporation-breach
CISA's Ransomware Guide Takeaways
https://www.bedelsecurity.com/blog/cisas-ransomware-guide-takeaways
Recent Information Security Projects and Key Takeaways that You Can Use
https://www.bedelsecurity.com/blog/recent-information-security-projects-key-takeaways-can-use