NYS Division of Housing and Community Renewal not always wiping data before selling devices as surplus – Audit

While the NYS Department of State got a clean bill of health on their disposal of devices, the NYS Division of Housing and Community Renewal did not fare as well in an audit of its inventory and disposal procedures.  An audit by the NYS Office of the State Comptroller, released on June 25, reports:

Division of Housing and Community Renewal
Disposal of Electronic Devices (Issued 06/25/13)

To determine if surplus electronic devices approved for sale by New York State Division of Housing and Community Renewal (Division) are permanently cleaned of all data, including personal, private and sensitive information (PPSI). The audit covers the period of June 1, 2012 through March 13, 2013.

New York State Policy requires all State entities to establish formal procedures to address the risk that personal, private or sensitive information may be improperly disclosed. One way information can be compromised is through careless disposal of electronic devices. Agencies may dispose of electronic devices on their own; however the Office of General Services (OGS) provides this service for many State agencies, including the Division. Agencies are required to remove all information prior to disposal and, if sending them to OGS, to certify in writing that the devices no longer contain any retrievable information.

Key Findings

  • We tested a total of 752 electronic devices at both the Albany and the New York City offices. In Albany, two devices still contained general agency information and personal pictures, but none contained PPSI. In New York City, 13 hard drives showed indications that they still contained data. We did not forensically examine their content due to technical issues that made it impractical to apply modern forensic software tools against their older technology. Instead, we returned these drives to Division staff so they could be properly wiped of data.
  • We were unable to locate 17 computer hard drives that had already been removed from computers and were scheduled for shredding. The Division has no record of what information may have been on these missing drives and it is unclear whether they have been stolen, reused or simply misplaced.
  • We also could not locate 18 servers listed on the inventory records. Subsequently, the Division provided documentation showing it had sold 24 servers about 18 months earlier. However, the documentation did not include asset numbers and, therefore, provided only limited assurance that these were the same devices still listed on the inventory records.
  • We also could not locate eight other devices listed on inventory records and found one device recorded as surplus that was actually still in use.

Key Recommendations

  • Implement the Office of General Services’ recently released policy and procedure for removing memory components from surplus electronic devices.
  • Reinforce policies and procedures over the asset management system so that accurate records are maintained and assets are safeguarded, including periodic physical inventories to ensure the accuracy of records and assets are safeguarded.

Link to full audit report (2012-S-101)

Other Related Audits/Reports of Interest

Office of General Services: Disposal of Electronic Devices (2012-S-4)

About the author: Dissent

Comments are closed.