Electronic Media Disposal
Background
In 2015, the U.S. Postal Service Information Technology (IT) group supported and maintained over 145,000 desktop computers, 23,000 notebooks, and 81,000 printers. These IT electronic media retain data on their hard drives, random access memory, and read-only memory, which should be removed before disposal. The disposal contractor repurposes, resells, or physically destroys the obsolete IT electronic media. Over the last 5 years, the contractor sanitized an average of 40,490 pieces of IT electronic media per year.
An effective electronic media disposal process includes tracking, securing, and sanitizing media. Media sanitization is a process where data is removed from media or the media is permanently destroyed. These steps are critical for protecting sensitive data against unauthorized disclosure.
Employees who are accountable for IT electronic media that is no longer useful identify it for disposal. To do this, they complete disposal forms and the media is shipped to the Material Distribution Center (MDC) for disposal.
IT electronic media can be mailed directly to the MDC or shipped in larger quantities via the Postal Service transportation network. The media is stored in two leased buildings adjacent to the MDC. MDC personnel notify the disposal contractor when a trailer load of media and other equipment is available for sanitization and disposal. The contractor retrieves and processes the media and documents all incoming electronic media items to be resold or destroyed. Finally, the contractor reports to the Postal Service that the media was sanitized.
Two groups in Asset Management are responsible for portions of the IT electronic media disposal process — the Asset Accountability group has primary responsibility for overseeing disposal, and the MDC group collects obsolete electronic media approved for disposal from all Postal Service facilities and coordinates with the contractor.
Our objective was to determine the effectiveness of the IT electronic media disposal process.
What the OIG Found
We found that management did not have an effective disposal process for IT electronic media. The Asset Management and IT groups did not effectively track electronic media from the time of disposal by a Postal Service facility until the contractor completed sanitization. For example, the Asset Management and IT groups did not confirm that all IT electronic media identified for disposal at Postal Service facilities had been sanitized. According to information provided by the disposal contractor, between September 2010 and February 2016, over 203,000 pieces of IT electronic media were sanitized; however, management cannot verify that this is the same amount of IT electronic media that was sent to the contractor to be sanitized. In addition, management did not have controls to provide positive identification of individuals entering buildings where electronic media is stored. It lacked a badge access system and security cameras for the two leased buildings.
The Asset Management and IT groups did not have a clearly defined policy requiring the tracking and reconciliation of disposed IT electronic media. In addition, the manager of Asset Management stated that obtaining a badge access system and security cameras for the two leased buildings was not considered previously because building access was originally limited to a few employees.
Finally, the Asset Accountability group did not verify that the disposal contractor is sanitizing all of the IT electronic media according to contract terms. In February 2016, the Asset Accountability group started verifying the sanitization process with the disposal contractor during a site visit; and also planned two additional visits.
What the OIG Recommended
We recommended management review and update policy and implement procedures for tracking and reconciling the IT electronic media from disposal to sanitization. In addition, Asset Management should obtain a badge access system and security cameras for the two leased buildings, and enact a policy and implement procedures that require management to conduct periodic reviews of the disposal contractor’s sanitization process.