Industry View

Why Information Must Be Destroyed

The inability to discard worthless items even though they appear to have no value is known as compulsive hoarding syndrome. Ben Rothke explains why it's a bad habit in the world of IT security

By Ben Rothke, CISSP, PCI QSA

Page 3

Just trash it all: The Enron approach
Once made aware of the need to destroy information, many organizations react by gathering up all stored hard copies and simply throwing them away. That does not solve the problem, for a number of reasons.

First, there are legal and regulatory requirements that mandate that paper documents be retained for specific periods of time. Additionally, throwing things directly into the dumpster exposes companies to dumpster divers. As detailed above, dumpsters can be a great source of information.

There is another reason why the trashing of daily records without appropriate destruction is dangerous. If you simply throw out trash and it gets into your competitors' hands, they can easily correlate and learn about your business activities.

By way of example, security information management (SIM) software can take seemingly disparate log entries and correlate them into evidence of an active attack; the same can be done with your trash. Your daily activities are manifest in it: phone records, travel plans, RFP submissions, memos and much more. Any of these can expose your business if the information is not properly destroyed.

If Enron is the poster child for inappropriate document destruction, organizations seeking to do document destruction properly should consider obtaining the Media Disposal Toolkit from Network Frontiers. The toolkit contains everything an organization needs to know about data disposal. It includes a spreadsheet of unified common controls, a work breakdown structure with processes and procedures, and data deletion management documentation on the policies and standards that organizations must adhere to in order to comply with global regulatory mandates.

Regulatory issues
Various regulations must also be taken into consideration. For example, Sarbanes-Oxley addresses the destruction of business records and documents and turns intentional document destruction into a process that must be carefully monitored. If the process is not followed, executives can find themselves under indictment. Formally documented data retention and destruction policies are therefore a requirement.

SoX raises the legal stakes for destruction of corporate documents and includes numerous provisions that create and enhance criminal penalties for corporate fraud and obstruction of justice. SoX section 1102 makes it a crime, punishable by fine and imprisonment for up to 20 years, to corruptly alter, destroy, mutilate or conceal a record, document or other object with the intent to impair the object's integrity or availability or use in an official proceeding or to obstruct or impede an official proceeding. SoX section 802 states that "whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."
