We help IT Professionals succeed at work.

Hardware that processes/stores data

I am trying to build a full list of hardware/physical equipment that may store or process corporate data at one time or another. Can you assist?

Obvious ones are hard drives out of workstations and hard drives out of corporate servers. Backup tapes is another. Please can you assist in other types of hardware or physical equipment above and beyond where data may reside or have been processed.

I no it is “corporate specific” but some examples to eliminate would help.
Comment
Watch Question

USB sticks, phones, CD's/DVD's/Blu Ray discs, MP3 players, external hdd drives, sd cards.

Some types of printers can have an impression of what has been printed left behind on the ribbon/film - same with fax machines.

Author

Commented:
Are there any other forms of backup media other than tape where data may reside?

Yes printers drives a good one.
Sajid Shaik MSystem Admin
CERTIFIED EXPERT
Commented:
now a days u can see even network torages, online storage, ftp, etc.
Backups can be made to worm drives (CD or DVD), normal CD's/DVD's/Blu Ray discs or HDD clusters often contained within a server of some sort - either a NAS type drive or and proper storage array.  
A lot will depend on how long you need to keep the data, if you will need to restore from it often, and where it needs to be kept i.e. of site in secure storage.

From my experience most companies still use Tape for audit backups, with a move to HDD for ready access backups.

As pma111 stated above, some companies will simply pipe there backup data to a 3rd party backup provider using FTP.

If your concern is what physical media can hold data then see my comment above.

A lot will depend on how locked down your systems are.  It's very easy now for people to use a smartphone to hold documentation, or be used as a flash drive - either plugged in via USB or connected to wirelessly via Bluetooth or WiFi
Commented:
Some photo copiers can do it.

Commented:
in addition what tricky98 mentioned, keep care of printers they also have huge storage capabilities  e.g. big corp printers up to gigabytes as hardrive storage inside. RAM etc.

Author

Commented:
Do you keep inventories of stuff like external USB's?

So you can ensure they were wiped when they reached end of lifecycle?

My concerns is PC's are normally inventorised, but not so much other stuff. So if auditors come in - how can you prove all external HDD's or USB's were wiped?

Also - aside from disposal - i.e. PC is dead - send it for recycling - what other reasons could there be for media to be sent to 3rd parties?

Thats our issue - keeping a hold on what media and what data goes where. And checking the "where" for their media wiping practices.

Author

Commented:
Is it common  for companies to do a risk assessment before sending your data / hardware to a 3rd party for whatever, i.e. recycling, wiping, processing, troubleshooting? Or a BIA?
Companies should perform risk assessments on data, and who has access to it.

You need to have policies in place to say what can and can't be put onto removable media.

You may need to configure you PCs to restrict access to USB/CD writers.

You can consider encrypting any data put onto removable media.

If the data is very sensitive, perhaps the PC's HDDs should be encrypted - or just laptop drives.

Lots of companies fail to control this correctly, but it will become/has become more of an issue.

People will loose USB sticks, CDs and laptops - therefore what impact would it have if someone else found it?

We work with companies who use becrypt (http://www.becrypt.com) to perform all of the encryption and enforce policies.
We also work with companies who use the standard HP encryption.

Another encryption tool is Truecrypt (http://www.truecrypt.org/) which is an open-source tool.

Commented:
tricky is right but you maybe you should encrypt software where you, as it guy, can reset and recover password, just assuming some user forgots the password or you forgot them to list them properly or user changes the passwort and loses it then...

Author

Commented:
tricky -

>>Companies should perform risk assessments on data, and who has access to it.

Have you a standard template for this?
I don't have a template, but there are some free guides available to help:

Microsoft's Security Risk Management Guide:
http://technet.microsoft.com/en-us/library/cc163143.aspx

It looks like your in the US, so:

NIST:
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
US CERT
http://www.us-cert.gov/control_systems/satool.html

Explore More ContentExplore courses, solutions, and other research materials related to this topic.