Data destruction: Why you need NAID
Never heard of NAID? Ben Rothke says those four letters are important to your organization's ability to deliver security, privacy and compliance.
By Ben Rothke, CISSP, CISA
October 03, 2011
Here is what seems to be an easy financial decision. Your company needs to find a firm for your document and media destruction needs.
After doing research, you find two of the major players that each come in around $3,000 per month. You also find a few local firms that will perform what seems to be the same service for $750 per month. You don't have to be a financial wizard to make what seems to be a no-brainer of a decision—go with the cheaper local player.
Unfortunately, that would be a huge mistake, and could end up costing orders of magnitude more in the long run.
Just what is document and media destruction?
Document and media destruction is a pretty straightforward activity. The definitive document on the topic is NIST Special Publication 800-88 Guidelines for Media Sanitization. NIST defines destruction as "the result of actions taken to ensure that media cannot be reused as originally intended and that information is virtually impossible to recover or prohibitively expensive."
[Also read Rothke's Why information must be destroyed, part one | Part two]
Along with destruction is sanitization, defined as the "process to remove information from media such that data recovery is not possible. It includes removing all classified labels, markings, and activity logs."
But there is a lot that separates a good destruction firm from one that will put your company at legal, privacy, regulatory and compliance risk.
First off, when thinking about what needs to go into the shredding bin, many companies limit the set of data to be shredded to financial statements and business documents. That's a mistake, as a significant amount of the data you hold is not limited to bank statements and business contracts. Think of all the strategic documents, network diagrams, legal documents, and more. All of that can easily be used for identity theft, illegal business intelligence and corporate espionage.
Last but not least, don't forget about draft copies. Don't make the mistake of sending only final versions of documents to the shredding bin while merely tossing drafts in the trash.
With that in mind, choosing a media destruction firm is not a trivial task and should not be taken lightly.
Media destruction—not recycling
From the introduction, how could a firm sell the same services for $750 per month that other firms charge $3,000 or more to do? The answer is that some firms are not true destruction firms; rather, they are glorified recyclers.