Device Identification , Endpoint Security , Government
Auditors Uncover Lax FBI Hard Drive Disposal Practices
Hard Drives Slated For Destruction Kept in Open Cardboard BoxesThe FBI had a loose hard disk disposal problem that auditors say put classified information at risk.
See Also: Live Webinar | Endpoint Security: Defending Today's Workforce Against Cyber Threats
U.S. Department of Justice auditors in Wednesday report said an in-person review of the facility the FBI uses to destroy old hard drives uncovered problems including lax physical security and cardboard boxes filled with unlabeled hard drives.
The bureau, auditors said, has a tracking system for obsolete computers and servers earmarked for destruction - but not for storage media extracted from the computer chassis. FBI staff routinely remove electronic storage media from computers that contained Top Secret information in a measure meant to keep shipping costs down.
Law enforcement officials told auditors they haven't tracked individual hard drives, since it's bureau policy to degauss hard drives once they've been removed. "However, the FBI confirmed that not all hard drives, particularly hard drives extracted by local FBI field office IT specialists and shipped from field offices, are being handled in accordance with this best practice."
Auditors also spotted boxes of hard drives set for destruction in open boxes. A facility staffer told auditors that the boxes could stay open for days, "or even weeks," until there were enough obsolete drives to fill the box. The devices' actual shredding could take up to 21 months, because the bureau gave the destruction of untracked assets a lower priority.
The facility where electronic equipment destruction takes place is a warehouse to which nearly 400 people have access, including other bureau employees or contractors dedicated to logistics and mail. Auditors said there was no physical barrier between the destruction area of the warehouse and other areas. Staffers never used a metal roll-down overhead door to seal off their workspace. A camera suspended near the roll-down door was "non-functioning" and the work area in other places lacked camera coverage.
In response to the audit, bureau officials began tracking extracted hard drives and implemented better physical security, including the installation of locked metal cages to store loose media while it awaits destruction.