Disposing of Assets Containing Sensitive Information. Kim Doner, CPPM SRA International.
Unfortunately, sensitive information is often left in assets by agencies or private parties that transfer, donate, or sell assets to the public. This can pose a potential risk to you and your agency. Sensitive information has a wide array of markings such as Top Secret, Secret, Classified, Sensitive, Official Use, and many other types of labels, and sometimes it’s not marked at all! The items listed below may contain sensitive information.
VCR (tape), cell phones, PDAs, printers, hard drives, USBs, CD-ROMs, CD-ROM drives, flash drives, magnetic tapes, copiers, memory sticks.
Some of the material that businesses routinely throw away could be of use to a wide variety of groups including business competitors, identity thieves, criminals and terrorists.
Useful information includes staff names and addresses, telephone numbers, product information, customer details, information falling under the Data Protection Act, technical specifications and chemical and biological data. (Terrorist groups are known to have shown interest in the last two areas.)
Particular care needs to be taken to effectively destroy digital media that may contain the personal and contact details of staff or customers and company confidential data.
There are several methods that may be used for destroying sensitive media; however, before investing in waste destruction equipment you should:
Ensure that the equipment is up to the job. This depends on the material you wish to destroy, the quantities involved and how confidential it is.
Ensure that your procedures and staff are secure. There is little point investing in expensive equipment if the people employed to use it are themselves security risks.
Make the destruction of sensitive waste the responsibility of your security department rather than facilities management.
If you use contractors, ensure that their equipment and procedures are up to the standard you require.
Find out who oversees their process, what kind of equipment they have and whether the collection vehicles are double-manned, so that one operator remains with the vehicle while the other collects.
Paper shredders shred to many different sizes and the size of shred you use will depend on the type of information you are destroying.
Highly confidential material should be shredded using a cross-cut shredder producing a shred size no more than 15mm x 4mm.
This should ensure no more than two adjacent characters appear on any one piece of shred.
Paper shredders can also be used to destroy diskettes, CDs, and similar optical media by cross-cutting or shredding. The shred size should be proportional to the confidentiality of the data; typical fragments should be no larger than 25mm.
Incineration is probably the most effective way of destroying sensitive waste, including disks and other forms of magnetic and optical media, provided a suitable incinerator is used (check with your local authority).
Open fires are not reliable as material is not always destroyed and legible papers can be distributed by the updraft.
Metallic-based digital media can be destroyed by melting.
Pulping reduces waste to a fibrous state and is effective for paper and card waste only.
Some pulping machines rip the paper into large pieces and turn it into a papier maché product from which it is still possible to retrieve information.
This is more of a risk than it used to be because inks used by modern laser printers and photocopiers do not run when wet.
There are alternative methods for erasing electronic media, such as overwriting and degaussing.
Asset tags (property tags) or any other identifying markings should be removed.
It is highly recommended that you or your recycler ensure all property tags are removed from your equipment.
This will minimize your agency’s risk of exposure from media attacks or a hacker who may attempt to compromise your agency’s data.
Hard drives, if properly wiped with the proper software, can be reused. Instruct your IT personnel to double-check computers that are going to be taken out of service. From time to time some computers host two or more hard drives. Be sure to check all drives for removable media.
Ensure your agency or recycler has the capability to open CD/DVD caddies to ensure all discs have been removed. Most media that gets out into the general public comes from un-removed discs.
Printers/Copiers can also host a hard drive. Often, documents of sensitive nature are left in paper trays or printer spools.
Remove and destroy typewriter ribbons. Data is left on the used spool of the ribbon.
Re-format the drive (reuse) or destroy the unit when it becomes obsolete.
Cellular phones: Remove the SIM card and destroy it by crimping or cutting (please recycle the card), or delete the information on the unit. Cellular phones are recyclable.
Floppies/CDs should be shredded or degaussed. These items are recyclable. CD disks can be recycled into new products.
PDAs should be erased (re-formatted) prior to resale or reuse or be disassembled into the state of a saleable commodity.
Other items that can maintain hidden storage of data and sensitive information are microfiche, cameras, filing cabinets, safes, and answering machine cassettes.
Identity theft has become a major concern to law enforcement throughout the United States. It is the fastest growing crime, and affects more than 500,000 new victims each year.
Protect yourself at work and at home by double-checking that all media and data are destroyed or erased.
Media containing sensitive data should be clearly marked; however, when in doubt, treat all data as if it is sensitive!
(Photos of media provided courtesy of FPI UNICOR)