
Media Sanitation

Team 2 -
Stan Craychee
Josh Heneby
Omar Parsa
Jonathan Bolton

CentrexIT
3934 Murphy Canyon Rd
Ste B102
San Diego, CA 92123

Table of Contents

I. Executive Summary
II. Business Analysis
III. Current Process Analysis
IV. Proposed Process Analysis
V. Solution Assessment and Justification
VI. Proposed Implementation Plan
VII. Conclusion
VIII. Exhibits

List of Exhibits
● Current Logical DFD
● Current Logical Use Cases
● Current Logical ERD
● Proposed Logical DFD
● Proposed Logical Use Cases
● Proposed Logical ERD
● Proposed Physical DFD
● Proposed Physical ERD
● Interview 1 Notes
● Interview 2 Notes
● Expected Risk Matrix
● Gantt Chart
● Current Standard Operating Procedure provided by CentrexIT

I. Executive Summary
The Media Sanitation process at CentrexIT is currently ineffective, and it
is not compliant with the National Institute of Standards and Technology (NIST)
guidelines. The current procedure is difficult to follow, and many client assets
are not making it through the process to completion due to a disorganized
tracking process. CentrexIT estimates that 50% of the media that they receive
are not making it through the entire process or are wiped by a non-NIST
compliant program. The proposed system will incorporate Wasp’s AssetCloud
barcode scanning software for inventory management to replace the old
handwritten notes system. The potential implementation of the Barcode
Scanning Inventory Management software and hardware will cost approximately
$1,188 annually. For our system, we will only be using the NIST Certified
software Blancco for wiping drives instead of using the non-NIST Certified
Parted Magic software. It will cost an estimated $1,250 a year on licenses to wipe
drives with Blancco. Also, the new process replaces the current method of
storing media devices in an unsecured cardboard box with a locked storage
container. Overall, our proposed system will help CIT technicians track, keep
secure, manage, reprovision, wipe, and destroy media more effectively. Our
proposed solution removes the risk of lawsuits for lost data. Also, 100% of all
media will now be wiped with NIST compliant software compared to 50% before.

II. Business Analysis


A. Overall Enterprise
1. CentrexIT is a small San Diego, California based IT consulting
company that sets up IT infrastructure and provides various IT
services for companies and organizations. They primarily conduct
business with hospitals and other organizations in the healthcare
industry. CentrexIT provides companies with cybersecurity and IT
services to improve their efficiency and better serve their clients.
They focus on industries like medicine, where security and
regulations make for more challenging problems. CentrexIT
focuses on proactive support and emphasizes discovering and
solving potential issues before they become problems.

2. We aim to reduce the risk of lawsuit/liability at CentrexIT by
increasing the effectiveness of the media sanitization process from
50% to 100% and making the process NIST compliant.

B. Specific Business Area


1. We aim to increase the amount of media correctly wiped/destroyed
and certified from 50% to 100% with more effective documentation
by the end of February 2018. We are also going to increase security
for sensitive media by 100%. Our goal is to get CentrexIT 100% in
compliance with the National Institute of Standards and
Technology (NIST) guidelines for media sanitization (NIST 800-88
r1 compliant) because CentrexIT’s current media sanitization
process is not entirely in line with the NIST certification standards.

2. One of CentrexIT’s directives is that the media sanitation program
must be NIST compliant. There are numerous problems with the
current system such as a lack of proper documentation to track
media, lack of security for storing media, and the use of non-NIST
compliant software. Our proposed solution has the opportunity to
increase the efficiency of CentrexIT’s program by implementing a
streamlined approach to media sanitation.

III. Current Process Analysis


A. Current Physical Process Narrative
The current physical process starts when the client or a CentrexIT
technician brings a hard drive or computer into CentrexIT (CIT)
headquarters. CentrexIT’s Help Desk Manager then creates a ticket on a
third-party application called ConnectWise if the client hadn’t previously
emailed CentrexIT to create one. Next, the technician marks the hardware
with colored stickers to indicate if the device is E-waste or has had all
storage media removed. The CentrexIT tech then checks the device for
anything the client may still need from it both manually and with a
third-party application called BelArc. This check is done to find any leftover
software or license keys. Technicians save the BelArc scan to a CentrexIT
client data repository in CentrexIT’s server 63. The CIT tech then places a
sticky note containing the device serial number and client name on the
device. If there is no serial number available, the model number or the
user from the c: drive will be used. Then the CIT tech stores the devices in
a cardboard box (with attached sticky note and colored sticker still on
device) and the sanitization process begins. A secure media sanitization
vendor who is ISO 9001 certified (ProShred) is dispatched to CentrexIT
HQ at the end of each quarter to provide onsite destruction of any storage
media scheduled for disposal. ProShred provides a receipt of all storage
media destroyed with serial numbers for clients at their request (the
receipt from ProShred acts as an official certification of destruction). For
repurposed media, CIT personnel performing the sanitization will run a
third party data removal program called Parted Magic when they know
that the client doesn’t need the log. This program is NIST certified, but
does not give a certificate of proof upon completion and provides a
low-quality log of the wipe. A CIT tech will use a program called Blancco when
the client specifically asks for a certificate of proof that the device was wiped
and/or wants the log. Blancco provides a NIST approved wipe, but also
provides a detailed log uploaded to a cloud server along with an official
certification of the wipe. Blancco charges per license to wipe data but
Parted Magic does not; however, CIT needs to use Blancco to remain NIST
800-88 r1 certified as a media sanitation provider. The CIT tech then
reinstalls anything necessary from the BelArc system inventory scan
which is saved to the client data repository file. The CIT tech returns the
computer/device back to the client along with the certification for the
wipe if required. At the end of the wiping or destruction process, the help
desk manager closes out the ConnectWise service tickets through email.
The help desk manager only knows which tickets to close by cross-
checking the receipt of destruction and the media wipe logs with the
service tickets. Finally, a CIT tech will return the repurposed media
devices (with the wipe log if requested) to the client or the client can
come pick them up. Then the CIT tech will give the receipt of destruction
to the client for destroyed devices.

B. Summary of Problems, Opportunities and Directives


The problem with the current process is mainly in regards to lack of
documentation. There are no log sheets to show the movement of items.
Another issue is that technicians are not using a certified wiping method
every time, which could potentially lead to lawsuits. Also, there is a
security problem with using an unsecured cardboard box to store devices
with sensitive client data on them. Opportunities include integrating
more automation into the system by adopting an inventory management
system using a barcode scanner for logging and tracking. A directive is
that we must get CentrexIT fully NIST certified for media sanitation
within their industry.

IV. Proposed Process Analysis


A. Proposed Technical Solution, Overview
Our proposed system fixes the media sanitization process at
CentrexIT by providing them with the ability to log, track, and certify any
media sanitization that happens with an application that tracks inventory
and shows ownership of tasks.
Our proposed technical solution is to use the Wasp Barcode
Scanning Inventory Management System called AssetCloud for inventory
management. This system gives the ability to use barcode labels to log
and track the media going through the sanitation process electronically
and securely. The CIT tech will review the AssetCloud inventory database
quarterly or as needed for accuracy and electronically sign their name in
the log to show that a CIT tech has verified it. Also, by having the logging
system be electronic rather than just a physical log, CentrexIT will be able
to store the media sanitation records securely each year in a repository for
auditing.
Our proposed solution also moves CentrexIT from using a non-NIST
certified media wiping program called Parted Magic (which they
currently use for approx. 50% of media wipes) to using a NIST certified
program called Blancco (which they currently use for approx. 50% of
wipes). CentrexIT will stop using Parted Magic altogether, and instead use
Blancco for 100% of device wipes. Using Blancco in place of Parted Magic
ensures that CentrexIT remains NIST certified for their media sanitization
process and provides CentrexIT with an actual PDF certificate
with each wipe (Parted Magic gives no certificate), which can then be
downloaded, signed off, and given to the client with the repurposed
media. Blancco provides a much more detailed log of the wipes than
Parted Magic, and Blancco’s log of the wipe is uploaded to a cloud server
while Parted Magic’s is not.

B. Proposed Physical Process


Our proposed physical process replaces the unsecured cardboard
box for storage of media devices with a fully secured bin. This ensures the
security of clients’ sensitive data on the devices. Also, CentrexIT will stop
using sticky notes as their physical method of identifying devices, and
instead they will start using printed barcode labels and the Wasp Barcode
Scanning Inventory Management System, AssetCloud, on their company
computers for logging and identifying devices. CentrexIT will stop using
Parted Magic as a data removal program for all client devices and will
exclusively use Blancco. When ProShred (third party media sanitation
vendor) destroys media for CentrexIT on site, they could use CentrexIT’s
barcode scanner as they go through the destruction process to track the
destruction of devices in real time.
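
Once every device is logged by serial number at intake, the cross-check of wipe logs and destruction receipts against service tickets described in the current process can be done mechanically. The following Python example is added here for illustration and is not part of the original report or of AssetCloud, Blancco, ConnectWise or ProShred; the record layouts, status names, ticket ids and serial numbers are constructed assumptions.

```python
from dataclasses import dataclass

APPROVED_WIPE_TOOL = "Blancco"  # the only wipe tool the proposed process allows

@dataclass(frozen=True)
class Intake:
    serial: str       # serial number on the barcode label
    client: str
    ticket: str       # service ticket id (constructed format)
    disposition: str  # "wipe" (repurpose) or "destroy"

def normalize(serial):
    """Scanned and hand-typed serials differ in case and stray spaces."""
    return "".join(serial.split()).upper()

def reconcile(intakes, wipe_log, destruction_receipt):
    """Classify each received device and list the tickets that may be closed.

    wipe_log: list of (serial, tool, has_certificate)
    destruction_receipt: serials listed on the shredding vendor's receipt
    """
    wipes = {normalize(s): (tool, cert) for s, tool, cert in wipe_log}
    destroyed = {normalize(s) for s in destruction_receipt}
    status = {}
    for item in intakes:
        key = normalize(item.serial)
        if item.disposition == "destroy":
            ok = key in destroyed
            status[item.serial] = "complete" if ok else "missing_destruction_record"
        elif key not in wipes:
            status[item.serial] = "missing_wipe_record"
        else:
            tool, cert = wipes[key]
            if tool != APPROVED_WIPE_TOOL:
                status[item.serial] = "wiped_with_unapproved_tool"
            elif not cert:
                status[item.serial] = "missing_certificate"
            else:
                status[item.serial] = "complete"
    # Evidence with no intake record means a device bypassed logging.
    known = {normalize(i.serial) for i in intakes}
    orphans = sorted((set(wipes) | destroyed) - known)
    # A ticket may close only when every device on it is complete.
    by_ticket = {}
    for item in intakes:
        by_ticket.setdefault(item.ticket, []).append(status[item.serial])
    closable = sorted(t for t, states in by_ticket.items()
                      if all(s == "complete" for s in states))
    return status, orphans, closable

# Constructed sample data (not real devices, clients or tickets).
INTAKES = [
    Intake("WD-1001", "Clinic A", "T-100", "wipe"),
    Intake("WD-1002", "Clinic A", "T-100", "wipe"),
    Intake("ST-2001", "Clinic B", "T-101", "destroy"),
    Intake("ST-2002", "Clinic B", "T-101", "destroy"),
    Intake("HG-3001", "Clinic C", "T-102", "wipe"),
    Intake("HG-3002", "Clinic C", "T-103", "destroy"),
]
WIPE_LOG = [
    ("wd-1001", "Blancco", True),
    ("WD-1002", "Parted Magic", False),
    ("HG-3001", "Blancco", True),
]
DESTRUCTION_RECEIPT = ["ST-2001", " st-2002 ", "XX-9999"]

if __name__ == "__main__":
    status, orphans, closable = reconcile(INTAKES, WIPE_LOG, DESTRUCTION_RECEIPT)
    for serial, state in status.items():
        print(f"{serial:8} {state}")
    print("evidence without intake record:", orphans)
    print("tickets safe to close:", closable)
```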

V. Solution Assessment and Justification


A. How your solution addresses enterprise and business area issues,
performance measures and process P/O/D
The enterprise problem our solution addresses is the possibility of
lawsuits resulting from the use of non-NIST certified methods for
reprovisioning devices. A critical success factor for CentrexIT is that they
need to be NIST 800-88 r1 certified for the media sanitation business
area. Regarding performance measures, our solution will increase the
effectiveness of the media sanitization process from 50% to 100% and
make it NIST compliant. This will eliminate any threats of lawsuits
stemming from non-NIST certified methods for reprovisioning devices.
CentrexIT’s strengths lie in their ability to provide stellar service to their
clients while at the same time remaining compliant with industry
standards. Their weakness, however, is in their current method of
tracking the media sanitation process, where they store the media
devices, and how they wipe media devices using a non-NIST compliant
program. There is an opportunity here to improve CentrexIT’s media
sanitation logging and get them up to NIST compliance. Our proposed
solution provides the opportunity for CentrexIT techs to use their mobile
phone with AssetCloud so that they can quickly log media remotely. We will
reduce the threat of theft by replacing their old storage method with a
secured bin.

B. Benefits and Consequences


1. Tangible
a) Benefits - Tangible benefits of the new process include the
ability to track the progress of media devices going through
the sanitation system and make auditing easier by having an
electronic log. It will increase the effectiveness of the media
sanitization process from 50% to 100%. Our system will also
keep CentrexIT NIST certified as a media sanitation service
provider.

b) Consequences - Tangible consequences include taking
more time to store, mark, and log media devices.
Not implementing our proposed solution
leaves media devices unsecured, provides no certified wipe logs for
data wipes, and puts CentrexIT at risk of losing NIST
certification. Also, there could be future lawsuits totaling
over $1.5 million as well as the possible theft/loss of
sensitive client data due to using an open cardboard box to
store media devices rather than a locked container.

2. Intangible
a) Benefits - The biggest intangible benefit our proposed
solution provides is the reduced risk of lawsuits for loss or
misuse of data. Improperly handled client data could result
in a lawsuit of up to a maximum of $1.5 million.

b) Consequences - An intangible consequence of not
implementing our proposed solution is a loss of customer
faith due to not being NIST certified.

C. Winners and Losers


1. Beneficiaries - CIT technicians win because our solution will make
it easier for them to comply with NIST standards as well as making
it easier to track media digitally rather than manually. Blancco will
gain 50% more CentrexIT paid license wipes because of the
discontinued use of Parted Magic. Wasp is also a winner because
they will gain an annual revenue of $1,188 from CentrexIT for their
software license. Clients can rest assured that their media devices
are locked away somewhere secure and will be tracked and
repurposed or destroyed in the future using 100% NIST compliant
methods.

2. Losers - Parted Magic loses in our proposed solution because
CentrexIT will no longer be using their services for data wipes.

D. Feasibility Analysis
1. Operational
Given our analysis, our proposed system will work in this
organization. There is little required training to implement the
proposed system and CentrexIT already owns a barcode scanner
(usually these cost up to $1,000) and a barcode label printer.
CentrexIT has the means to afford Wasp’s AssetCloud system. They
already have a securable container, so all they need is a new lock
that would cost no more than $10.

2. Technical
Our chosen organization can handle the technical aspects of
our solution. They already have the necessary hardware and most
of the software in place to implement the proposed system.
CentrexIT is familiar with and could easily use all the proposed
hardware in our solution, and learning how to use Wasp’s
AssetCloud (which is similar to an Excel spreadsheet) should not be
a problem for the tech-minded IT professionals at CentrexIT.

3. Schedule
Regarding the schedule feasibility, our organization can
acquire, develop and implement our solution in their specific time
frame (CentrexIT’s deadline is the end of the next quarter) by the
end of the first quarter in 2018. If prioritized, our proposed system
would not take them more than two months to implement.

4. Economic
The cost of the Wasp Barcode Scanning Inventory
Management System, AssetCloud, is $1,188 for one user account
per year. CentrexIT will only need one user account. Blancco will
cost $5 per license (one license equals one device wipe). On
average, CentrexIT wipes 250 drives a year leading to $5 x 250 =
$1,250 in wipe costs annually. ProShred will cost $3.95 per drive if
the number of media drives being destroyed exceeds 500. If the
number of media drives is under 500, then it will cost $4.25. On
average, CentrexIT destroys 1,000 drives per year (around 250 per
quarter) leading to $4.25 x 250 x 4 quarters = $4,250 in destruction
costs annually. After implementing our proposed system,
CentrexIT will be less at risk of a costly lawsuit caused by the
potential loss of data or lack of certifications.

VI. Proposed Implementation Plan


A. Buy and Test
1. The proposed system is a modified version of the legacy system, so
the process structure is already in place.
2. The procurement department will purchase the Wasp Barcode
Scanning Inventory Management System.
3. Techs will build the database files with the necessary fields
relevant for tracking the media once the procurement team
purchases the inventory management system.
4. Test run the new process.
5. Remove the use of Parted Magic from the SOP and add all
necessary changes.
6. Train the CIT techs on the new process.

B. Deliver the New System Into Operation


1. Since much of the sanitation process isn't being followed, the new
process can be started directly.
2. Legacy documentation will be saved for 5 years.

VII. Conclusion
Our system should be adopted because it increases security, keeps
CentrexIT NIST certified, provides effective documentation, and our system is
feasible given CentrexIT’s technical, operational, and economic abilities. Our
proposed system guarantees that CIT will receive all the benefits it has to offer
by the end of the first quarter in 2018 if implemented. CentrexIT is running the
risk of facing millions of dollars in lawsuits in the coming years and possibly
losing massive amounts of client data if they do not implement our proposed
solution. Our proposed system could easily be up and working within weeks and
would solve all of the problems associated with the current operating procedure.

VIII. Exhibits

B. Current System Logical Design - Models

1. Current Logical
a) Context
b) Functional Decomposition
c) Level - 0
d) Mid-Level and Primitive
e) Use Cases

2. Data Model - Entity Relationship Diagram

C. Proposed System Logical Design - Models

1. Proposed Logical
a) Context
b) Functional Decomposition
c) Level - 0
d) Mid-Level and Primitive
e) Use Cases

2. Data Model - Entity Relationship Diagram

D. Proposed System Physical Design - Models

1. Proposed Physical
a) Context
b) Functional Decomposition
c) Level - 0
d) Mid-Level and Primitive

2. Data Model - Entity Relationship Diagram

c. Other exhibits

Interview #1 form
CentrexIT
Get an understanding of the landscape at the company regarding strategy, goals, systems in place, important processes that
support that strategy and goals, desires.

Goals -
• What are your organization’s overall goals for this year?
• What needs to happen for that to happen?
• How do your information systems help you get there? Or not.
• What specific goals do you want from your apps and systems?

Systems in Place -
• How do your information systems help you reach organizational goals? Or not.
• What applications and systems are you using the most right now?
• How are they working out for you?

Important processes that support strategy, goals, & desires.

• What business process can we take a look at for you?
• What problems do you see with that process now?
• What possible solutions have you thought of?

Performance - throughput/ease of navigation


How do you design your technology strategies to be scalable?
Info - data quality

Econ - cost/ROI
Labor hours and costs. Data collection = collecting #s. Analyze later
Process in scope.
Control & security - strike a balance
How do you keep your IT infrastructure secure?
Efficiency - resource use/unit of output

Service - customer satisfaction


How does your business help business owners and managers reduce stress and increase productivity?
Can you tell us more about each of your 4 services?
CloudIT
CloudSync
ManageIT
BuildIT
GrowIT
How do you make client’s IT infrastructure secure?

organizational/human interface
Finance and marketing work together, does that interface work well and how is it supported by info systems?
SAP has interfaces for customers, how do contract terms get communicated
How does the interface work between people in the organization?

What parts exist in their process


Consulting process, building process, consultant training process, hiring, management decisions, it affiliate
Identify pieces of process we are talking about

Interview #2 Form
Current Process Analysis
What is the standard operating procedure?
What people are involved in the process?
What technology is involved in the process?
System requirements?
What kind of standards and policies are there for the process?
What kind of performance measures? How to measure success or customer satisfaction?
How is media sanitation scheduled?
What is the problem with the current process? (Keep asking why to get to the root cause) is there a cause to the problem? Is
there any part of the old system that you really didn’t like (even if it works)?
What were your ideas for a new system and why aren’t those plans working out how you’d like? Proposed physical? Proposed
logical?
What does the new system need to do? For CentrexIT, for the customer?

Performance (throughput/ease of navigation)


People: How is employee performance measured for media sanitation?
Data: How quickly does the system need to operate?
Procedure:
Interface:
Technology: How is the system supported or maintained? w/ fixes or updates?

Information (data quality)


People: What information do you gather from the customers?
Data: How is media sanitation data stored/documented? What formatting does the info need to subscribe
to? How are receipts handled?
Procedure: Are there data redundancy reduction procedures?
Interface: How is the data organized?
Technology:

Economics (cost/ROI)
People:
Data:
Procedure: How are costs traced? Are the costs too high? What would be considered too high?
Interface: How are the order costs processed between you and the customer? What transaction processing
service is used?
Technology: Do you use any software that helps w the costs?

Controls & security (strike a balance):


People: What people are in charge of the controls and security?
Data: How is data kept secure? Does it go through any input validation?
Procedure: What security procedures are in place for media sanitization, how is data made accessible?
Interface:
Technology: What programs and devices keep the process secure?

Efficiency (resource use/unit of output)


People: How many people does a media sanitation order take to fulfill? How much time does it take?
Data: How do you make sure materials or time isn’t wasted?
Procedure:
Interface:
Technology:

Service (customer satisfaction)


People: Who are the power users of the system?
Data: How is customer satisfaction measured? Are there ways for customers to provide feedback?
Procedure: What kind of data or physical component exchanges happen and how are those exchanges
organized?
Interface: Is the system easy to use for the customer? Easy to learn?
Technology: Is the system flexible to change? If the customers decide they want something different or
tweaked?

Closed-Ended Questions
• How many telephone orders are received per day?
• How do customers place orders?
• What information is missing from the monthly sales report?

Open-Ended Questions
• What do you think about the way invoices are currently
processed?
• What are some of the problems you face on a daily basis?
• What are some of the improvements you would like to see in the
way invoices are processed?

Probing Questions
• Why?
• Can you give me an example?
• Can you explain that in a bit more detail?

High-level (very general): How can order processing be improved?
Medium-level (moderately specific): How can we reduce the number of times that customers return items they’ve ordered?
Low-level (very specific): How can we reduce the number of errors in order processing (e.g., shipping the wrong products)?

Expected Risk Matrix


Percent Likelihood Scenarios    Potential Loss    Incurred
Worst (10%)                     $2,000,000        $200,000
Most likely (75%)               $350,000          $262,500
Best (15%)                      $50,000           $7,500
Total: 100%                     Total Loss (Expected Value of Liability): $470,000