Data destruction: Why you need NAID

Never heard of NAID? Ben Rothke says those four letters are important to your organization's ability to deliver security, privacy and compliance.

Here is what seems to be an easy financial decision. Your company needs to find a firm for your document and media destruction needs.

After doing research, you find two of the major players that each come in at around $3,000 per month. You also find a few local firms that will perform what seems to be the same service for $750 per month. You don't have to be a financial wizard to make what seems to be a no-brainer of a decision—go with the cheaper local player.

Unfortunately, that would be a huge mistake, and could end up costing orders of magnitude more in the long run.

Just what is document and media destruction?

Document and media destruction is a pretty straightforward activity. The definitive document on the topic is NIST Special Publication 800-88 Guidelines for Media Sanitization. NIST defines destruction as "the result of actions taken to ensure that media cannot be reused as originally intended and that information is virtually impossible to recover or prohibitively expensive."


Along with destruction is sanitization, defined as the "process to remove information from media such that data recovery is not possible. It includes removing all classified labels, markings, and activity logs."

But there is a lot that separates a good destruction firm from one that will put your company at legal, privacy, regulatory and compliance risk.

First off, when thinking about what needs to go into the shredding bin, many companies limit the set of data that needs to be shredded to financial statements and business documents. That's a mistake, because the sensitive data you hold goes well beyond bank statements and business contracts. Think of all the strategic documents, network diagrams, legal documents, and more. All of that can easily be used for identity theft, illegal business intelligence and corporate espionage.

Last but not least, don't forget about draft copies. Don't make the mistake of sending only final versions of documents to the shredding bin while merely tossing drafts in the trash.

With that in mind, choosing a media destruction firm is not a trivial task, and it should not be taken lightly.

Media destruction—not recycling

From the introduction, how could a firm sell the same services for $750 per month that other firms charge $3,000 or more to do? The answer is that some firms are not true destruction firms; rather, they are glorified recyclers.

The recycling of paper and electronic media is big business. The reason such firms are able to offer such lowball rates is that they simply take tons of your hard copy and other media and either act as a middleman, selling it to recyclers, or recycle it themselves.

Just this month, federal criminal charges were brought against executives of a Denver, CO-based electronic-waste firm. The executives were indicted on 16 counts, including wire and mail fraud, environmental crimes, exportation contrary to law, and destruction, alteration, or falsification of records, in connection with shipments of e-waste going to developing countries.

Angie Singer Keating, VP of Compliance & Security at Reclamere, notes that such glorified recyclers are rampant particularly in times of high commodity prices, such as now. Keating notes that when commodity prices are high (paper or metals), recyclers can crop up overnight, cut corners, and generally operate with unsustainable business models.

There are excellent firms both locally and nationally, but in this time of record high commodity prices, it is more important than ever to do significant due diligence on your vendor. The reason one service provider performs the same job for 60% less is that the cheapest guy is making his money on the back-end revenue that your material generates for him. Keating observed that "the more expensive service provider will have industry certification, a very long operating history, and full-time bonded, background-checked employees." And that is certainly worth paying for.

Ryk Edelstein, CEO at Cicada Security Technology, notes that the firm that is charging more is doing so because it is able to offer an additional, and most important, benefit: accountability. This is an essential consideration when engaging any external party who becomes an integral component of a critical business process.

The need for NAID

As Edelstein observed, accountability is an important aspect of the process. Be it professional certifications such as CISSP or GIAC, or international standards such as ISO/IEC 27001, one thing these offer is some semblance of accountability: assurance that the person or entity has the basic skill set with which to perform their required activities. Through an accredited authority such as a trade organization, one can ascertain that the party has the required qualifications.

So how does a firm distinguish between a reputable destruction firm and a glorified recycler? The National Association for Information Destruction (NAID) is the international trade association for companies providing information destruction services.

Robert Johnson, President of NAID, has noted that "consumers need to look beyond just the method being used when it comes to document destruction. Being certified by NAID ensures that employment verification is being enforced, written policies and procedures are in place, and quality control is being checked."

So why do you need NAID? Let me give you an example that drives home the message. I was recently inquiring about a certain data destruction vendor. I emailed the company asking whether they were NAID certified. The president of the firm replied to me that they were not. When I asked why, his verbatim email reply was: "I can explain why. Our service is the best. 800+ customers are my certification. If you would like us to be NAID certified, let me know. I'll be glad to sign up as a member of a self-anointed association and pass on the membership fee to my customers."

As a security professional, I found that a horrifying response on numerous fronts. First off, the arrogance of the reply, combined with the condescending view of NAID, was distressing. As to the notion of certification, it refers to the confirmation of certain characteristics of an object, person, or organization. This confirmation is often, but not always, provided by some form of external review, education, or assessment. Customers are generally unable to confirm these characteristics themselves, given that they are using services outside their area of expertise.

Of this vendor's 800+ customers, I doubt that any of them would know such fundamental answers as the difference between a strip-cut and a cross-cut shredder, or the recommended shredding particle size for paper and microforms.

That is precisely where NAID comes in. While NAID is a trade organization, it also serves as a consumer advocacy organization. While the above vendor may have 800+ customers, it is likely that all 800 of them are clueless as to what makes for a good vendor.


As for NAID AAA certification, it is offered on a voluntary basis to all NAID member companies providing information destruction services. Through the program, NAID members may seek certification audits for mobile and/or plant-based operations in paper or printed media, micro media, computer hard drive destruction and/or computer hard drive sanitization. The NAID certification program establishes standards for a secure destruction process including such areas as operational security, employee hiring and screening, the destruction process, responsible disposal and insurance.

A look at the NAID certification application shows that it is made for the serious vendor. NAID certified organizations are audited annually by an ASIS CPP (Certified Protection Professional). This independent auditing service assures that NAID certified facilities and the people who operate them are performing to the highest standards in physical, operational, technological, and governance controls.

The real teeth of the NAID audit program are the unannounced audits to which all NAID certified companies are subject. This feature of the audit program is a huge benefit to consumers. It means that NAID AAA certified companies aren't just compliant one day a year, but have to be perfect every single day.

It is important to note, though, that NAID membership and NAID certification aren't the same thing. Almost anyone can be a NAID member. But the best of them prove it with NAID AAA certification.

With all the value that NAID AAA Certification offers, the one thing that NAID needs to do a better job of is marketing the program more effectively. It seems that not enough CISOs, compliance managers and security managers know the value of the program and what it represents.

Choosing the right destruction firm

After finding a number of NAID certified firms, how do you then choose the firm that is best for your needs?

One of the things you should request in the RFP process is a detailed process-flow document. A capable firm will be able to show you the complete path that your data asset will take, from pickup or receipt through its final disposition. In addition, an on-site tour of the vendor's facility is a must. While there, ensure that the details described in the firm's process-flow document are indeed being followed.

Conclusion

In 2011, the myth of the paperless office means you have thousands of reams of hard copy that need to be destroyed regularly. This is in addition to the myriad hard drives, backup tapes, USB drives and more that must be destroyed. Combined with never-ending concerns about data privacy and regulatory compliance, along with the continuously growing capacity of data media, this means it is imperative that unwanted data storage components be properly destroyed when they reach the end of their useful life.

NAID certification provides effective due diligence and on-site audits. With that, the consumer of such services can be assured that the vendor they have selected is reliable and not simply a glorified recycler.

About the author: Ben Rothke, CISSP CISA (@benrothke on Twitter) is an Information Security Manager with Wyndham Worldwide. The views expressed in this article are entirely his own, and not that of Wyndham Worldwide.
