R2 Guidance & Knowledge Base

Podcast 16 – Data Sanitization/Security Internal Audit with Corey Dehmey


Ask The R2 Guru is a podcast developed by SERI, Champions of Electronics Sustainability. This podcast is a series of short and helpful tips designed for electronics recyclers and refurbishers interested in the R2v3 Standard and the certification process. So, grab a cup of coffee and give them a listen.

PODCAST TRANSCRIPT:

Data Security and Data Sanitization is such an important part of the R2 certification process that it is a mandatory annual internal audit. Today, I’ll be interviewing SERI’s Executive Director, Corey Dehmey, on this episode of Ask the R2 Guru. I’m RG from SERI – Champions of Electronics Sustainability.

Corey Dehmey has spent more than 20 years in the electronics industry, and his diverse background touches nearly the entire electronics lifecycle, including having worked in IT support, ITAD, data destruction, reverse logistics, reuse, and recycling.  It’s this wide range of experience that gives Corey a broad view of the electronics sustainability challenge, and it’s what led him to his role of Executive Director of SERI.  When we were discussing who should be a guest to talk about internal audits for Data Security and Sanitization, Corey was the perfect choice. We will let him tell you more about his background as we begin our interview.

*********

Roger Greive:  Corey, thanks for joining us for this episode of Ask the R2 Guru. Let’s start with you talking a little bit about your background, how it relates to this topic of data security and sanitization internal audits.

Corey Dehmey:  Hi, Roger. Thanks for having me. So my background actually is in IT… I went to college for IT… I have a Bachelor’s in Computer Information Systems and I’ve worked for 12 years in the IT industry, doing Systems Administration and desktop support. So I come at a lot of this from more of a technical angle. Part of my history was also having to figure out how to do data sanitization for the Department of the Navy. So all those references to DoD 5220.22-M — that’s where I lived and breathed for a few years there. So yeah, my background is in IT and Data Security, and that’s what I’ve been working through in this reverse logistics/returns/recycling industry.

RG:  You’re pretty well established at this, so what have you seen as the main changes in data security over the time you’ve been looking at it?

CD:  People have gotten much smarter, and data has gotten bigger… more storage… more data… more distributed.  And one of the biggest things is just the number of smart devices. So the last ten years have been spent connecting people, connecting devices and now we’re into that smart world where more and more types of devices are integrating data and technology.  Like connecting through your TV now, which used to be kind of a dumb device and now it’s a smart TV. So those are the biggest changes I’ve seen in data security.

And then, people recognizing where data is stored. I remember a day when we watched a pallet of TVs come off the back of a truck at a recycling facility and the back cover was off and there was a shiny hard drive in the back of the TV. And that was the first time I realized that our TVs now have data storage capabilities. So I think those are the biggest changes, as well as the legislation now coming in. For instance, GDPR, and similar legislation in some states in the U.S., really focused on the data privacy of individuals. That’s really important and an important reason why we need to be more cognizant of data on all these devices.

RG: So Corey, what do you see as the main issues or challenges facing R2 facilities about to do a data security/sanitization internal audit?

CD:  I think we need to recognize that this is a really complex topic, very technical in nature. Coming at it from my background with technology, it’s even complex for me to understand all the nuances in data sanitization. So I think we have to come at this with an appreciation that there’s a lot to know — an appreciation that as the world turns and new devices are coming out, devices are getting smarter. There are many factors involved here, so we really need technical competency within our facilities to really understand the challenges here. This is not as simple as just shredding a hard drive. It’s not as simple as just even wiping a hard drive now with SSDs, with other types of storage, encryption, unencrypted files, chain of custody. We talk about the records, the accountability, the traceability throughout that process. There are so many factors here, and I think we really need to keep it top of mind that this is a really complex problem. We need to apply the right resources to it — and they may not be the traditional resources we’re used to. And we need to really put this at the forefront because that’s what’s most important to the customers that we talk to.

RG:  You had a big part of writing the previous version of the standard, R2:2013, and working with the TAC on developing it into the standard that was used for many years. What did you see were the challenges with that version, as it stood for its time and in the industry regarding data sanitization?

CD:  With that version, you know, the intent was not to really be the expert on data sanitization because there were other standards out there, like NIST 800-88 for example, which is good and fine. But the challenge that we saw in implementation and auditing is whenever something else is referenced, it’s not necessarily audited very well, or it’s not necessarily implemented very well. So NIST 800-88 is great, and has a lot of good information in it. But we saw people just go right to Appendix A – what’s the purge command for different devices? Which is good, but they forgot all the security controls that are specified in NIST 800-88 to control the product and have that chain of custody throughout the process.

I think the challenge with the R2:2013 version was just all the data security being buried in this reference to NIST 800-88. And I think that was the opportunity in R2v3 and why R2v3 is so much more specific around data security and data sanitization. It’s so that we bring all those requirements to the forefront because they’re so important. And that we make sure that those requirements are audited specifically, and that the auditor has the opportunity to write a nonconformance against the specific requirements that should be considered part of any data security and data sanitization operation.

RG: So, we have the new standard now, R2v3, that’s in use around the world.  This version seems even stronger for the various concerns for data security than R2:2013, which was of course stronger than the original R2:2008 version. Why is this new standard so important for data security with facilities around the world?

CD:  The new R2v3 standard recognizes those challenges that I talked about — challenges in competency, and challenges in reference to other standards. R2v3 brought all that forward, I believe. So we started with the creation of a plan. And really the exercise of requiring facilities to lay out all the different types of equipment they’re receiving, and the methods of sanitization that are being applied, so that they have that knowledge and repeatable knowledge to address all the different kinds and types of equipment, not just the hard drives. So I think that’s really important here in what’s laid out in the core requirements in R2v3. And then putting into place those layers of controls in that process, and ensuring there’s a person responsible for data sanitization – the data protection representative, and all the things that are necessary in the operation just to have a secure environment.

But then, Appendix B takes it a step further for those facilities… really going to the enhanced level of data sanitization, the logical sanitization or wiping of devices… and it just brings all that clarity and focus to the forefront. So it’s just not assumed — it’s actually something in detail to follow and to verify. So that’s why I think R2v3 is so important to make this transition.

RG: So in the last few minutes here, let’s talk about the practical applications, too, as we’re discussing this series of internal audits. The requirements in the R2v3 standard call for a data security and data sanitization audit, at least annually. So you need to find someone to do this audit with this level of expertise, but it can’t be somebody in the facility that does it every day. How should facilities go about finding somebody who is good enough to do this level of internal auditing for data sanitization and data security?

CD:   I think there could be a challenge based on size, and more so for the smaller companies that don’t have a lot of resources internally.   In a larger company it could be done internally with somebody who’s knowledgeable about data sanitization, who has shown that competency, just as long as they’re not the person actually doing the data sanitization or responsible for that function.   Externally, oftentimes we have to look for an external auditor or consultant — someone who is skilled in this area, more technical in nature, and understands data security, understands data sanitization, has completed training or has the work experience to be able to assess that.  It’s important that they’re independent so that they can be objective.

The process of doing this internal audit actually protects the facility.  It protects them from any data breaches, to ensure that there are no holes in their process, or in how it’s implemented and executed.  And that’s extremely important, not only to the facility, but to the customers of that facility. The number one concern here is data security and the risk of breaches.  This whole process of doing internal audits, actually could be seen as the opportunity to make sure that you don’t have any loopholes, and identifies areas that can be stronger, improved to prevent a potential data breach.

RG:  It seems as if, as R2 has developed over the years and has been implemented by more places around the world, there are three main areas in which it is of concern and where R2 can be helpful — that of environmental concerns and sustainability and circular economy, then worker safety and protection of the communities in which the facilities are located, but third and almost equally important is data security issues. Making sure that the companies receiving all these data-containing devices have the ability to protect the data of the people who are sending them and trusting these companies to handle materials responsibly. Do you see any changes as R2 goes forward with this three-part concern for our mission?

CD: No, I think those are solid, good practices that we always have to be focused on.  I think it’s really important to ensure, again to your point, that R2 certified facilities are meeting the standard because it’s important to the customers.

RG: So one more thing, Corey. How is a data security and sanitization auditor different from a legal compliance auditor, for instance, when a company is choosing someone for their internal audits?

CD:  Both require different core competencies, so they can’t necessarily be lumped together. One person could have all the required competencies. Or it may be a facility has a person who’s skilled in looking at health and safety and those risks and hazards within facilities, and a different person who is skilled at looking at the technical side of things and the processes for data security and data sanitization. So I think the competencies are different and that’s really important to call out when evaluating who to hire or who to use within the facility. To do the data sanitization audit, your IT director might be better at the data sanitization piece because they are technical in nature than, say, your health and safety professional. So I think those are important distinctions to call out in the process to make sure you can get the best results that you’re looking for.

RG: Thanks so much for taking the time with us today, Corey. We really appreciate it, and we look forward to having people comment back and to continue this discussion about this really important topic.

CD: Thanks, Roger.

*********

RG: As I’ve mentioned before, at SERI we know how important an internal audit program can be, so in addition to these podcasts, we’re developing new training tools to help you, including new videos, information sheets and sample forms. Anything new is announced on the SERI website.  Search the Recently Added column on our Knowledge Base page.

That’s it for this episode of Ask the R2 Guru. Thanks for listening, and thanks again to Corey Dehmey and as always to the SERI team for their assistance in producing this podcast. You can find a complete transcript of my conversation with Corey in the Podcast section of the R2 Knowledge Base on the SERI website. You’ll find that at sustainableelectronics.org.
