Look over your shoulder at all times

Even with all the sophisticated software and firewalls available and installed, basic carelessness or a failure to have simple procedures in place can quickly lead to serious IT security lapses. This week, we report on an inspector general's report that pinned a security problem on some Defense Department units that did not remove data from equipment before disposing of the hardware.

Several military units left Social Security numbers of military personnel and other data on hard drives before shipping the IT equipment to other organizations in violation of Pentagon rules. In one case, a Navy division did not erase phone numbers, email addresses, instant messages, and system log files from hard drives.

In addition, the report notes that some DoD guidance for equipment disposal was so out of date that it could not deal with certain newer data storage technologies. These kinds of errors have occurred before, with government agencies or contractors discarding computers without scrubbing them of sensitive, and sometimes even classified, information.

Earlier this year, there was a report of a hard drive purchased on eBay that reportedly contained the launch procedures for a U.S. military air defense system. In 2006, there was a highly publicized report of a flash drive with U.S. spy data being sold in an Afghan bazaar for just $40. An investigation revealed that the data had been downloaded from an unencrypted hard drive. With security at all levels now central to any IT exec's job, where are the checklists to make sure that every situation is dealt with?

Every agency should have a chief information security officer (CISO) and the rules to make sure there are no gaps in security. Scrubbing computers about to be discarded or reused at another facility should be an automatic procedure. There are lots of software programs to help accomplish the task, and failure to do so is really unacceptable. - Judi