Asset Management is one of the foundations of a sound Information Security Program, but it is also often neglected in the rush to replace or decommission systems. Every IT Manager has been through system migrations that resulted in piles of legacy equipment that needed to be quickly eliminated.
The quickest way to get rid of that equipment is often to have a vendor come and haul it away. But those systems can come back to haunt an organization that does not properly vet the vendor and confirm that the data on them has actually been destroyed. Morgan Stanley has recently experienced a series of events that illustrate this.
Morgan Stanley was fined $60 million by the OCC for asset management errors it made in 2016 and 2019 while decommissioning data centers and servers. Additionally, Morgan Stanley is now facing a class action lawsuit related to the incidents. In both incidents, Morgan Stanley reports that it has seen no evidence that data from the servers was in fact accessed by an unauthorized party.
In 2016, Morgan Stanley hired a vendor to remove data from decommissioned equipment following the closure of two data centers. They later found that the vendor had failed to completely wipe unencrypted data from the systems, and that the equipment could no longer be located.
In 2019, Morgan Stanley removed servers from some branches, believing that the data on the servers was encrypted. They later found that a software flaw had left the data unencrypted, and that, again, the servers could not be located.
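Both incidents come down to the same gap: the decommissioning manifest was never reconciled against proof that each device was sanitized, and encryption was assumed rather than verified. The script below is an added example (not from the post, and not Morgan Stanley's or any vendor's tooling) of that reconciliation: it compares a manifest of released assets against a vendor's certificate of destruction and flags devices with no record at all, devices whose sanitization was not done by an accepted method or has no per-device verification log, and devices whose encryption status was only assumed. The asset serials, field names, and the accepted-method list are constructed for illustration.

```python
"""Reconcile a decommissioning manifest against a vendor's certificate of
destruction.

Added example. All asset data, serial numbers, and method names below are
constructed for illustration; they are not taken from the incidents in the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    serial: str
    location: str
    encrypted: Optional[bool]   # None means the status was assumed, never verified
    contains_data: bool


@dataclass(frozen=True)
class DestructionRecord:
    serial: str
    method: str      # sanitization method the vendor claims to have used
    verified: bool   # vendor attached a per-device verification log


# Constructed manifest of assets handed to the vendor.
MANIFEST: List[Asset] = [
    Asset("SRV-0001", "DC-East", True, True),
    Asset("SRV-0002", "DC-East", False, True),
    Asset("SRV-0003", "DC-West", None, True),    # encryption assumed, never checked
    Asset("SRV-0004", "Branch-17", False, True),
    Asset("SRV-0005", "Branch-17", True, False),  # never held data
]

# Constructed vendor certificate of destruction.
VENDOR_REPORT: List[DestructionRecord] = [
    DestructionRecord("SRV-0001", "nist-800-88-purge", True),
    DestructionRecord("SRV-0002", "wipe-failed", False),
    DestructionRecord("SRV-0004", "nist-800-88-purge", False),
    DestructionRecord("SRV-9999", "physical-destroy", True),  # not on the manifest
]

# Methods this (hypothetical) policy accepts as destroying the data.
ACCEPTED_METHODS = {"nist-800-88-purge", "physical-destroy"}


def reconcile(manifest: List[Asset],
              report: List[DestructionRecord]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (findings per manifest serial, serials in the report but not on
    the manifest). An empty findings list means the asset is closed out."""
    by_serial = {r.serial: r for r in report}
    findings: Dict[str, List[str]] = {}
    for asset in manifest:
        issues: List[str] = []
        rec = by_serial.get(asset.serial)
        if rec is None:
            issues.append("missing: no vendor record for this asset")
        else:
            if rec.method not in ACCEPTED_METHODS:
                issues.append(f"sanitization not accepted: {rec.method}")
            if not rec.verified:
                issues.append("no per-device verification log")
        if asset.contains_data and asset.encrypted is None:
            issues.append("encryption status assumed, never verified")
        # Unverified encryption is treated as no encryption: a device that held
        # data, is not confirmed encrypted, and was not sanitized by an accepted
        # method is the worst case and gets an explicit high-severity finding.
        not_sanitized = rec is None or rec.method not in ACCEPTED_METHODS
        if asset.contains_data and asset.encrypted is not True and not_sanitized:
            issues.append("HIGH: unencrypted data on a device that was not sanitized")
        findings[asset.serial] = issues
    # A record for a serial that was never released points at a manifest or
    # vendor error and needs to be explained before the job is signed off.
    released = {a.serial for a in manifest}
    unexpected = [s for s in by_serial if s not in released]
    return findings, unexpected


if __name__ == "__main__":
    results, extra = reconcile(MANIFEST, VENDOR_REPORT)
    for serial, issues in results.items():
        print(serial, "OK" if not issues else "; ".join(issues))
    if extra:
        print("serials in vendor report but not on manifest:", ", ".join(extra))
```

Run against the constructed data, only SRV-0001 closes out cleanly; SRV-0002 and SRV-0003 both raise the high-severity finding (a failed wipe on unencrypted data, and a device that vanished with only an assumed encryption status), SRV-0004 needs the vendor's verification log, SRV-0005 is unaccounted for even though it held no data, and SRV-9999 should not be in the report at all. The point of the check is that the sign-off happens only when every serial on the manifest has an accepted, verified destruction record, not when the vendor says the job is done.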
There are some lessons to be learned from the Morgan Stanley incidents:
If your institution needs help with asset management or other policies, we're here to help! Email us at support@bedelsecurity.com or call us any time at 833-297-7681.
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
Lessons from the First American Financial Corporation Breach
https://www.bedelsecurity.com/blog/lessons-from-the-first-american-financial-corporation-breach
CISA's Ransomware Guide Takeaways
https://www.bedelsecurity.com/blog/cisas-ransomware-guide-takeaways
Recent Information Security Projects and Key Takeaways that You Can Use
https://www.bedelsecurity.com/blog/recent-information-security-projects-key-takeaways-can-use