Why Information Must Be Destroyed, Part Two

Ben Rothke looks at how to destroy digitally stored information. Includes pros and cons of in-house and outsourced data destruction.

When selecting an outsourced firm, require that they be NAID certified. The National Association for Information Destruction (NAID) is an independent organization that certifies destruction companies. It offers a program certifying its members as complying with best practice for the handling of data storage hardware. Its certification program checks a shredding company's compliance in 22 critical areas.

As the industry watchdog, NAID ensures that its constituent members adhere to industry best practices. Any data destruction organization that is not a NAID member and certified should be dealt with cautiously.

When it comes to something as critical as information destruction -- caveat emptor. Unscrupulous shredding companies will claim to be NAID certified just to get your business. Make sure to ask for a copy of their NAID certificate as proof of their standing or look them up online at the NAID website.

During your consideration of each aspect, speak to trusted associates and ask the vendor for references. The following points can help you in your decision:

In-House Destruction--Advantages

o Media never leaves your location, so there is no risk of loss in transit

o Data is destroyed by your own trusted staff.

If you do decide to do this internally, it is recommended that all destruction activities be carried out under the office of the CISO, and by a trained and trusted technology support technician.

In-House Destruction--Disadvantages

o Destruction systems can be expensive

o Low volume means a longer time to reach ROI

o Staff with other duties may miss devices

o Must manage internal personnel and technology changes

o Lack of space and/or resources for proper segregation between destroyed and non-destroyed units

o Still must have a qualified vendor to deal with residual waste and/or drives that fail sanitization/wiping process

o Time-consuming process

o Disposal of residual material--When you destroy any type of electronic device you must dispose of the residual material in an environmentally compliant manner. The shredding of tape cartridges for example is incredibly messy, and you can wind up with three times the volume of material. In some states, on-site physical destruction of any type of electronic devices may be a prohibited activity under state environmental laws.

Outsourcing--Advantages

o No initial capital investment required

o Can handle varying destruction needs (disintegration, degaussing etc.)

o Can handle varying volume needs

o Experts at data destruction utilizing best practices

o May have even higher security standards than your location

o No need to manage personnel and technology changes

o Regulatory compliant residual disposal

o If litigated, a professional secure destruction service's destruction documentation is more credible than internally generated processes.

Outsourcing--Disadvantages

o Media may be transported outside of your location

o May get locked into a bad contract

o May require minimums greater than your needs

o Data is handled/destroyed by non-employees

o If hardware is not disposed of properly, you could be included in a pollution liability case.

Site Visits

If the decision is to outsource, a site visit to the vendor's destruction facility is a must. Rather than taking the salesperson's word for it or basing your decision on their marketing glossies, site visits let you know what the company is really like.

During the visit, make sure they have appropriate access control and other security controls in place. This should include alarms, closed-circuit television, mantraps, etc. Ask the vendor for assurance that their employees are trained, bonded, and have passed background checks.

Look around and see how professional the employees are. Are they in uniforms? Are they wearing appropriate safety paraphernalia? Ask to see their documented procedures on how they process incoming items. Ensure that it has appropriate security and quality assurance measures in place. When you leave, you should have a good feeling that it is a reputable firm, staffed with trained professionals.

Once you have decided on an outsourcing firm, regular unscheduled visits to its facility are in order. This ensures that it is indeed a quality organization, and was not simply putting on an act.

Relevant Documentation

There is a lot of good information available to assist you in your data destruction endeavors.

From a policy perspective, there are a number of good policy documents, including:

o Royal Canadian Mounted Police Hard Drive Secure Information Removal and Destruction Guidelines [PDF]

o Ball State University Procedures for Transfer or Disposal of Computers, Storage Media, and Paper Documents [PDF]

o Cuyahoga County Information Services Center Disposition of Obsolete Equipment Plan [PDF]

Other excellent resources include:

o Best Practices for the Destruction of Digital Data

o Hard Drive Disposal: The Overlooked Confidentiality Exposure [PDF]

o NAID Information Destruction Compliance Toolkit

o Storage & Destruction Business magazine

Taking Data Destruction Seriously

Irrespective of which data destruction technology and methods you choose, what's crucial is that organizations take data destruction seriously. This means ensuring it's a formal process, not something done in an ad-hoc manner.

For example, there are companies that will send you a flat-rate drop box to place all of your old media into, and they will come and pick it up. Some of these boxes can hold up to half a ton. Imagine placing a few hundred hard drives in such a receptacle; this would be a hacker's or business intelligence analyst's dream come true. A determined attacker will see such a box as a veritable pool of retired devices waiting for harvesting.

If anyone is going to seriously consider such a service, they had better have a "plan A" first, such as physical destruction or degaussing. While such a solution is adequate for old monitors, printers and telephone gear, it is far too risky to use as a destruction solution for confidential data.

Dan Bayha, VP of Technology Disposal at Ogdensburg, NJ-based media destruction firm Back Thru The Future, notes that such a formal process is done by following a plan of segregation, inventory and isolation.

o Segregation--Separate all storage devices and media from other to-be-disposed-of materials. Specifically, remove all hard drives from to-be-disposed-of PCs, laptops and servers.

o Inventory--Establish the chain of possession of the data storage device. Best practice is to establish the connection of a particular storage device to the unit it was removed from, and to use internal asset management records to track the machine back to the actual user.

o Isolation--Using secure collection containers, isolate the inventoried data storage devices in such a manner as to prevent unauthorized removal from the destruction process.

Conclusions

There is a lot more to data sanitization than what has been described in this brief article. But data sanitization is a necessary component of any security policy that is compliant with any of the current privacy initiatives. The inadvertent exposure of confidential information bears very significant consequences and penalties that include financial penalties and in some cases incarceration.

If your organization is not careful about effective media sanitization, your data loss incident could become your competitors' good fortune and your worst corporate and legal nightmare.

Ben Rothke CISSP, PCI QSA (ben.rothke@bt.com) is a Senior Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education). Ben would like to thank Ryk Edelstein of Converge Net Inc. for his technical assistance.
