Industry View
Why Information Must Be Destroyed
The inability to discard worthless items even though they appear to have no value is known as compulsive hoarding syndrome. Ben Rothke explains why it's a bad habit in the world of IT security.
By Ben Rothke, CISSP, PCI QSA
One of the most important aspects of a formal plan for information destruction is consistency. If an organization is inconsistent in what it destroys, this shows a lack of due diligence and gives the appearance of attempting to hide something.
As part of this formal process, realize also that there are many elements to data destruction that must be built into the process. One of them is the concept of a data destruction moratorium. The reason for this is that there are times when an organization must stop its data destruction activities. If a legal discovery request is received, policies must be in place to ensure that all organized and periodic data destruction activities are immediately placed on hold until the Legal Department determines whether these destruction activities jeopardize sought-after data.
As to a formal process, there was a company that used a goat as their document shredder. While perhaps effective from a shredding perspective, it is clearly not a best practice approach, nor is it likely their lawyers signed off on that method. A goat eating away at paper is fine for the Far Side, but has no place in a formal document disposal process.
Security containers
As the need for information destruction has caught on, the ubiquitous security containers from companies such as Shred-it are found in many organizations. It is a good idea to have such containers readily available so staff can easily dispose of information that is no longer needed.
Containers generally come in three sizes:
- Executive consoles: Generally used in high-profile environments. They are front-loading, which frees up the top space for office equipment; the doors swing open for easy removal and can be keyed alike. Approximate measurements: 40" by 19" by 19".
- Large containers: 96-gallon security containers are used for heavy document production centers, purging sites, warehouses and high-traffic offices, and are especially popular for overflow conditions. Approximate measurements: 43" by 24" by 37". They have the capacity to hold up to 15 boxes of paper.
- Bulk containers: Used for larger production centers, areas that generate large quantities of confidential data and some e-scrap material. Approximate measurements: 38" by 43" by 29". They can accommodate up to 650-plus pounds of material.
As part of a security awareness program, make sure that employees are trained in the proper disposal and destruction of sensitive materials. You want to make sure that employees place papers in these designated locked destruction containers and not in trash bins, recycle bins, or other publicly-accessible locations. Also, make sure that they don't place materials that don't need to be shredded in these bins. Since many destruction companies charge by the bin or pound, placing documents in these bins that don't need to be shredded is a waste of money.



