Risk alert provides tips to credit unions to help avoid loss of data

CUNA Mutual Group issued a risk alert this week warning that an often-overlooked avenue for losing data can occur when credit unions don’t properly sanitize IT equipment before repurposing, recycling or retiring it.

During risk consultations, CUNA Mutual Group found that it is “somewhat common” for credit unions to lack formal written policies or procedures for sanitizing and destroying equipment that is no longer being used, or not to know whether those policies or procedures are consistently followed. This can open the door for data to be inappropriately accessed, the risk alert stated.

As part of a credit union’s internal controls, a formal written policy/procedure should be in place for handling equipment at the end of its useful life. Credit unions can minimize risks by developing and enforcing a destruction/sanitization program for decommissioned computer equipment.

According to the risk alert, the program should consider the following mitigation tips:

  • Identify the types of computer equipment that are subject to the program.
  • Secure decommissioned equipment and limit access to authorized employees until destruction/sanitization is complete.
  • Develop procedures for the destruction/sanitization of decommissioned computer equipment.
  • Use appropriate procedures for the destruction/sanitization of decommissioned computer equipment.
  • Maintain an inventory log of decommissioned equipment, including the time and date of destruction/sanitization, method used and final disposition.
  • Set a time period for how long it should take for the sanitization of the equipment once it has reached its end of life.
  • Perform proper due diligence on the third party if the sanitization is outsourced.
  • Determine whether any equipment designated for sanitization and destruction was used to set up a remote office and, if so, make sure it is properly logged and brought back to this area when it is returned.

CUNA Mutual Group’s risk alerts may be accessed on their Protection Resource Center. Log-in is required.
