This Web Exclusive is contributed by Andrew Kelleher, president of Security Engineered Machinery, a source of information security and services located in Westboro, MA.
By now, most facility managers have gotten the message about the need to shred important papers. The issue of identity/data theft is widely discussed, and paper shredders are now widely available and affordably priced, so it’s hard to imagine anyone just throwing important documents into the trash. Managers may have figured out paper, but what about other threats they might not be aware of? What about all those electronic records floating around the office?
As computers and other electronic devices become obsolete sooner and sooner due to new technology, disposal of sensitive information is of serious concern. Just one hard drive, CD, or DVD can contain thousands of files. When a digital file is “deleted” from a computer, the information actually remains on the hard drive, as do deleted e-mail messages and records of all online activity. These days it all can be recovered with sophisticated tools. This is worth remembering before donating old computers to a school, for example. In some cases, old computers are removed and resold by the vendor who installs the replacement computers.
The chart at the bottom of this article lists some obvious and not so obvious items that could cause significant problems if not disposed of properly. These items are: Computer Hard Disk Drives; Thumb Drives/Flash Drives/Memory Cards; Cell Phones/BlackBerries & Other PDAs; Optical Media (CDs/DVDs); Other Magnetic Media (Floppy Disks, Zip Disks, Computer Backup Tapes; Expired Inventory, Off-Spec Products, Prototypes; Card Cards/ID Badges; Audio, Video & Micro Cassettes; and Laser Printers & Fax Machines.
All of these items can be rendered harmless by one or more of five methods:
- Shredding: Reducing items to small strips via a paper shredder or industrial shredder.
- Degaussing: Using powerful magnets to permanently eliminate data from magnetic media.
- Disintegration: “Mechanical incineration” that continually cuts items into smaller and smaller pieces until they are unrecognizable and unreconstructible.
- Declassification: Physically grinding the data-bearing surfaces from CDs and DVDs.
- Crushing: Destroying hard drives by subjecting them to extreme pressure from a conical steel punch or similar device.
What about cost? Ideally, the decision to purchase destruction equipment should not be based on cost, but on potential risk. For some organizations, the peace of mind that comes from knowing sensitive records will never leave their facilities intact makes the investment worthwhile. Even so, many entities simply cannot afford to purchase this equipment for the relatively few items they need to destroy. In that case, outsourcing the destruction is an option.
Outsourcing can be affordable and safe when done properly. When considering this option, facility managers should be sure to do their homework:
- Ask about secure transport to the destruction facility.
- Ask how secure the facility is. Are job applicants thoroughly screened? Where will the items be kept prior to destruction?
- Ask what destruction methods will be used.
- Ask what happens to destroyed waste.
- Ask what proof you will have that items were actually destroyed. Are there IP cameras to record the destruction? Will the destruction be certified in writing?
If the answers to any of these questions are unsatisfactory, managers should look for another source.
Data security is an ongoing process, but by being aware of threats and understanding destruction options, facility managers will be in a much better position to protect their organizations.
(Click on chart for larger view.)