Chapter 81 · Examples

Asset Management — Applied Examples

Real-world scenarios illustrating procurement controls, ownership gaps, degaussing failures on SSDs, certificate of destruction requirements, and data retention violations.

Example 1 Shadow IT: An Untracked Device Becomes an Unpatched Entry Point

A developer at a software company orders a small network-attached storage (NAS) device using a personal credit card, bypasses the procurement process, and connects it directly to the office network to share files with their team. The device is never registered in the asset tracking system.

Six months later, the NAS manufacturer releases a critical security patch for a remote code execution vulnerability in the device's web interface. The IT security team runs their monthly patch status report against the asset inventory — the NAS does not appear because it was never tracked. The patch is not applied. Three months after the patch release, an attacker scanning the organization's IP range finds the unpatched NAS, exploits the vulnerability, and uses the device as a pivot point to access internal file shares.

Post-incident investigation finds the root cause: the device was never in the asset inventory, so it was never in scope for vulnerability scanning, never assessed for firmware updates, and never monitored for anomalous network activity. The procurement bypass that seemed like a small convenience created a blind spot that persisted for nine months.

Lesson: Asset management is a security control, not just an administrative one. Every device that bypasses procurement and tracking becomes an invisible risk. "You cannot secure what you don't know you have" is not an abstract principle — it is the literal mechanism of this class of breach. Procurement controls and mandatory asset registration exist to prevent exactly this outcome.
Example 2 Degaussing SSDs: A Sanitization Method Applied to the Wrong Media Type

A healthcare organization decommissions 200 laptops. The IT team uses their degausser, which has successfully sanitized hundreds of HDDs over the years, to process all 200 drives. The drives come out of the degausser and are donated to a local school. The IT manager documents "degaussed" in the asset disposition records and considers the process complete.

One year later, a student at the receiving school plugs one of the donated laptops into a monitor and finds that it boots normally. The student navigates to the Documents folder and finds patient records from the healthcare organization — names, addresses, diagnoses, and insurance information. The student notifies the school, which notifies local media.

Investigation reveals the 200 laptops all contained solid-state drives. The degausser — which works by generating a strong electromagnetic field to destroy magnetic storage patterns — had no effect whatsoever on the SSDs. Flash memory stores data as electrical charge, not as magnetic patterns. The drives were returned from the degausser in exactly the same state they went in: fully functional, with all data intact. The entire "sanitization" process accomplished nothing.

Lesson: Degaussing is specifically for magnetic media (HDDs). It does not work on SSDs. Before choosing a sanitization method, verify the storage technology in the device being sanitized. For SSDs, appropriate methods are: cryptographic erase (if the SSD supports it and the encryption key is discarded), secure overwrite using manufacturer-certified tools, or physical destruction (shredding, drilling). The organization's media sanitization policy must distinguish between HDD and SSD devices.
Example 3 Certificate of Destruction Prevents Liability When Drives Are Found at a Reseller

A financial services firm retires 800 servers over two years. They contract with a certified media destruction vendor to shred all drives. The vendor provides a certificate of destruction for each batch: serial numbers, shredding date, facility location, and the vendor manager's signature.

Two years after the last retirement batch, a journalist reports that a used hardware reseller has been selling server drives containing financial data, including drives from several major corporations. Investigators trace some of the drives to the financial firm's asset inventory by serial number. The financial firm's legal team produces the certificates of destruction for every drive — including the three serial numbers the investigator found at the reseller. The certificates show those drives were shredded on specific dates, in a specific facility, before the reseller ever had them.

Conclusion: the drives at the reseller were not from this firm. The certificate of destruction provides incontrovertible evidence that the firm's specific drives were destroyed. The firm's legal exposure — and the potential FINRA investigation — is eliminated by the paper trail. Without the serial-number-matched certificates, the firm would have faced a lengthy investigation and potential regulatory action despite having done everything correctly.

Lesson: A certificate of destruction is not bureaucratic overhead — it is legal protection. The serial-number-level detail is what makes it effective. A generic "we destroyed 800 drives" statement provides no protection when specific serial numbers are investigated. Insist on certificates that match each drive's serial number from the asset inventory. This document is the chain-of-custody record that proves your organization's specific data was destroyed.
Example 4 Data Retention Violation During Litigation Hold

A technology company is sued by a former employee alleging discrimination. The company's legal team issues a litigation hold notice: all email communications involving the relevant department, time period, and personnel must be preserved and must not be deleted for the duration of the litigation.

The company's email retention policy is 90 days — emails older than 90 days are automatically purged from the server. IT receives the litigation hold notice but the automated deletion job is not paused for the affected accounts. Three months into the litigation, discovery requests arrive for emails from 18 months ago. The emails are gone — purged under the normal 90-day policy after the hold was issued but before the deletions were suspended.

The court finds that the company failed to preserve evidence despite having a legal obligation to do so. This constitutes spoliation of evidence. The judge issues an adverse inference instruction to the jury: the jury may conclude that the missing emails contained evidence unfavorable to the company. What began as a discrimination lawsuit now has a procedural finding against the company that significantly strengthens the plaintiff's position.

Lesson: Data retention policy must interface with legal hold processes. Automated deletion runs on schedule and does not know about litigation holds unless specifically designed to check. Retention policy must include a litigation hold override mechanism that immediately suspends automated deletion for affected accounts and data sets. The cost of retaining 18 months of email for a litigation hold is trivial compared to the legal consequences of spoliating evidence.
Example 5 Asset Tag Enables Recovery of a Stolen Laptop

A sales executive's laptop is stolen from a hotel room during a conference. The theft is reported to IT, which immediately triggers the MDM remote wipe for the corporate data partition. IT also notes that the laptop has an asset tag: a barcode sticker with the company name, a visible tracking number, and the phrase "PROPERTY OF [COMPANY] — REWARD FOR RETURN."

Three weeks later, local police contact the company. The laptop appeared at a pawn shop; the pawn broker photographed the serial number and asset tag during intake as part of their stolen property verification process. The tag number matched a police database entry from the theft report. The pawn shop holds the laptop, police recover it, and the company reclaims the physical device.

IT confirms the MDM wipe completed successfully within hours of the theft report, so corporate data was protected regardless of recovery. But the asset tag enabled physical recovery of the $1,800 laptop and provided evidence of the theft for the insurance claim. The theft deterrent value was also demonstrated: the pawn broker reported the suspicious device precisely because the prominent organizational tag made it obvious the device was not the seller's personal property.

Lesson: Asset tags serve multiple simultaneous functions: inventory management, theft deterrence (thieves prefer untagged items), recovery facilitation (tags create identifiable links to ownership), and insurance/legal documentation. The visible organizational label communicates "this device belongs to a tracked organization" to anyone who handles it after theft. The investment in asset tags is recovered in a single event like this one.