Why Information Must Be Destroyed

The inability to discard worthless items even though they appear to have no value is known as compulsive hoarding syndrome. Ben Rothke explains why it's a bad habit in the world of IT security


As to a formal process, there was a company that used a goat as their document shredder. While perhaps effective from a shredding perspective, it is clearly not a best practice approach, nor is it likely their lawyers signed off on that method. A goat eating away at paper is fine for the Far Side, but has no place in a formal document disposal process.

Security containers

As the need for information destruction has caught on, the ubiquitous security containers from companies such as Shred-it are found in many organizations. It is a good idea to have such containers readily available so staff can easily dispose of information that is no longer needed.

Containers generally come in three sizes:

  • Executive consoles: Generally used in high-profile environments. They are front loading, which frees up the top space for office equipment; the doors swing open for easy removal and can be keyed alike. Approximate measurements: 40" by 19" by 19".
  • Large containers: 96 gallon security containers are used for heavy document production centers, purging sites, warehouses and high-traffic offices, and are especially popular for overflow conditions. Approximate measurements: 43" by 24" by 37". They have the capacity to hold up to 15 boxes of paper.
  • Bulk containers: Used for larger production centers, areas that generate large quantities of confidential data and some e-scrap material. Approximate measurements: 38" by 43" by 29". They can accommodate up to 650-plus pounds of material.

As part of a security awareness program, make sure that employees are trained in the proper disposal and destruction of sensitive materials. You want to make sure that employees place papers in these designated locked destruction containers and not in trash bins, recycle bins, or other publicly accessible locations. Also, make sure that they don't place materials that don't need to be shredded in these bins. Since many destruction companies charge by the bin or by the pound, placing documents that don't need to be shredded in these bins is a waste of money.

Some organizations use these secure information containers only for sensitive, but not highly confidential or secret, information. Some organizations have policies that require highly confidential or secret information, because it is so sensitive, to be destroyed immediately rather than held in a bin. This lessens the risk that someone could break into a locked destruction container, or even steal the whole container and break into it at another location.

In-house or outsource?

Document destruction, like other services, can be done in-house or outsourced. Which is the best way to go? Like every decision, the correct answer is the proverbial -- it depends.

There are two predominant types of shredding services available -- plant-based (offsite) and mobile (on-site).

  • Mobile-based shredding: Mobile shredders have the actual shredders on the truck itself. Mobile shredding companies provide bins or consoles for their customers, and on scheduled days the truck arrives at the place of business and the Customer Service Representative (CSR) collects the bins or console bags, takes them to the truck, and shreds the material on the customer's premises. After completion the CSR will typically leave a Certificate of Destruction. Since the shredding operation is done on the customer's property, it is assumed to be more secure, since nothing leaves the premises unshredded. Often the customer will board the truck to ensure their sensitive material is indeed being destroyed.
  • Plant-based shredding: This is a typical off-site service where the plant has large industrial shredders. On the scheduled day, the CSR collects the bins or console bags, places them in his secure truck and transports them back to the remote plant, where the bins are unloaded into a secured area. The collected bins are later staged for shredding, which can occur days later. Some view this as an insecure method, since the documents may be left unattended. One other major caveat is that plant-based shredders may sort the material to maximize its recycling value, which can put your organization at risk. Some of these off-site shredding companies are simply glorified recycling companies that get top dollar for recycling paper, your paper. Since their staff will sort the documents, they have the opportunity to take them. So before you choose a plant-based service, make sure you investigate them accordingly.

When dealing with an outsourcer, ensure that they are National Association of Information Destruction (NAID) certified. NAID is an independent organization that certifies destruction companies. Its certification program checks a shredding company's compliance in 22 critical areas, including everything from shred size to employee background checks. When it comes to something as critical as information destruction: caveat emptor. Unscrupulous shredding companies will claim to be NAID certified just to get your business. Make sure to ask for a copy of their NAID Certified certificate as proof of their standing.

So which of the "it depends" options gives you the right solution? There are potential security issues with both. With mobile shredding, the CSR is alone on the truck while the material is being shredded, and so may have unsupervised access to your confidential material.

With a plant-based approach, various plant employees have access to the material during the sort process. A paper sorter could conceal a sensitive document on his person and leave the property with it.

The bottom line is that either solution requires a degree of trust, but the final decision must be made by the customer, based on which solution they consider the most secure. This decision, like most, is a trade-off between level of security and cost.

A third solution is to do it yourself. While this may seem cheaper in the short term, it can often be more expensive. And if you do it internally, there must be policies and procedures to ensure that destruction of sensitive information is performed only with approved destruction methods, including shredders or other equipment approved by the Information Security Department.

Irrespective of whether you use a mobile-based or a plant-based shredding service, ensure that the service provider is NAID certified and that all documents are secured until they are destroyed. A good SLA is to make sure documents are completely destroyed within 24 hours and that a Certificate of Destruction is provided upon completion of the process.

Conclusions

It is clear that document destruction in today's world must be part of a good system of business processes. This article describes the start of the process. The next article will get into more technical areas such as shred size, digital media and more.

But the bottom line is that if your organization is not careful about what it doesn't dispose of, it could become your competitors' good fortune and your worst corporate nightmare.

Ben Rothke CISSP, QSA (ben.rothke@bt.com) is a Security Consultant with BT Professional Services and the author of "Computer Security: 20 Things Every Employee Should Know" (McGraw-Hill).
