Inside TDV - The Data Vault Blog
Get Your Shred Right
Think about the way that we “destroy” records on computer hard drives. We delete files or download any number of software programs that claim to overwrite hard-drive data. Some of these programs are truly effective means of data erasure. Given the time to verify the source and reliability of the software, records managers may find that an overwriting tool, such as Secure Erase, available at no cost from the Center for Magnetic Recording Research (CMRR) at UC San Diego, provides adequate peace of mind that a hard drive has been “cleaned” prior to sale or refurbishment.
However, if a computer is being retired, then the best way to ensure disposal of confidential records and sensitive information is to physically destroy the hard drive by pulverizing, incinerating, disintegrating or shredding the electronic storage media. The National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization, updated in 2006, puts it in these terms: Destruction of physical media is the ultimate form of sanitization.
Since many organizations already have policies and procedures for shredding print documents, adding electronic storage media can be an easy update to the disposition policies. For a starting point, see the NIST Media Sanitization Decision Matrix (Table A-1, Guidelines for Media Sanitization) and Carnegie Mellon University’s Guidelines for Data Sanitization and Disposal, published by the CMU Information Security Office. Together, these guidelines help define best practices for destruction of electronic storage media and offer examples of matrices for minimum destruction requirements. Before you set information policies for your organization, consider your unique practices, resources and regulatory requirements.
As with most things, there are levels of quality and effectiveness for shredders. For print records, a spaghetti-cut (straight) shred can—given enough patience—be reconstructed, but it is better than no shred at all. However, straight-shredding is not nearly as effective as reducing records to cross-cut paper shards. When evaluating shredders for your facility or equipment at a vendor site, be sure to determine the machine’s capabilities, including the cut-type and particle size to which your destroyed media will be reduced. This information should be carefully documented for your records program files and compared against the level of data confidentiality that you maintain for your records and sensitive information.
The NIST Guidelines allow that shredders can be used to destroy flexible media. Outer containers must be physically removed prior to shredding. The 2006 update requires use of optical disk media shredders or disintegrator devices to reduce media to particles that have nominal edge dimensions of five millimeters and a surface area of twenty-five square millimeters. The NIST guideline for shredded paper particles is 1 x 5 millimeters in size. For shredded material, consider retaining a small bag to verify cut and particle size. This evidence should be stored along with the destruction certificate to verify adherence to your policies and procedures.
In a recent post, I wrote about the importance of understanding the network as a physical location, where information resides and can be recovered (sometimes even when we think that it cannot). The physicality of electronic storage media remains a factor for records managers to consider throughout the records lifecycle, including destruction. If you’re already using a cross-cut shred for paper, consider the benefits of adding SIM cards from mobile phones, USB/thumb drives, CD/DVDs, memory cards, routers, computer hard drives and other electronic storage media retired from use in your organization.
Document your destruction process with a list of all hard drives and other electronic storage media that your organization has sanitized, degaussed or destroyed. For all destructions, include date, volume, destruction method and certificate of disposal.
Written by: AGriffin