In our last blog, Protect Your Business, Employees and Customers From Identity Theft!, we discussed why data destruction should be a priority in your institution or business. In this follow-up, we offer a best-practices approach to data destruction for your organization to consider when evaluating potential vendors.
In the digital age, data destruction is the foundation of business processes that safeguard your employees’ and customers’ identities. Whether you’re a school, corporation, hospital, etc., there is going to be unique information that cannot be allowed to get into the wrong hands. As you review your vendor’s process, consider whether it would satisfy an audit or be seen as a security breach.
Your organization should have a regular evaluation and destruction cycle. Since larger organizations often retain more information than smaller ones, they should evaluate and destroy more regularly, perhaps as often as quarterly.
Close Asset Control
An excellent program will have the following features:
- All data storage assets earmarked for destruction will be collected in a central location, within the organization’s IT premises.
- Every item collected should be listed in a report for final checking and audit trail purposes.
- The compiled report will be signed and dated by an authority in the organization before being taken off premises.
- The employees or vendors involved in the transfer should be restricted to registered personnel only. In some cases, security checks may be conducted on courier staff. Unmarked vans may be part of the process and no vehicle used in the transfer of the storage devices should be left unattended or unlocked.
- On arrival at the data destruction facility, the data storage devices should be logged into the supplier’s system. This list of transported assets will be immediately sent back to the sending party as a counter-check to ensure that every item sent has been received.
- Prior to processing, equipment is held separately from that of other customers. Company tags should be removed before destruction or resale.
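The counter-check between the signed report and the list the supplier sends back can be automated. The following is an added example, not code from this blog or from any vendor: it assumes both lists are available as serial numbers, and the function names and sample serials are constructed for illustration.

```python
import hashlib
from collections import Counter

def normalize(serial: str) -> str:
    """Canonical form, so 'wd-wx11a0001' and 'WD WX11A0001' compare equal."""
    return "".join(ch for ch in serial.upper() if ch.isalnum())

def manifest_digest(serials) -> str:
    """SHA-256 over the sorted, normalized list. Writing it on the signed
    report makes a later change to the manifest detectable."""
    canon = "\n".join(sorted(normalize(s) for s in serials))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def reconcile(sent, received) -> dict:
    """Compare the organization's signed list with the supplier's intake log."""
    s = Counter(normalize(x) for x in sent)
    r = Counter(normalize(x) for x in received)
    return {
        # Left the premises but was never logged in at the facility.
        "missing": sorted((s - r).elements()),
        # Logged in at the facility but not on the signed report.
        "unexpected": sorted((r - s).elements()),
        # Listed more than once on the signed report (data-entry error).
        "duplicates": sorted(k for k, n in s.items() if n > 1),
        "match": s == r,
    }

# Constructed sample data: four drives sent, one lost in transit,
# one device logged by the supplier that was never on the report.
SENT = ["WD-WX11A0001", "S3Z9NB0K100002", "ZA1 0003", "5CG7-0004"]
RECEIVED = ["wd-wx11a0001", "ZA10003", "5CG70004", "PF0X0005"]

if __name__ == "__main__":
    print("manifest sha256:", manifest_digest(SENT))
    result = reconcile(SENT, RECEIVED)
    for key in ("missing", "unexpected", "duplicates"):
        print(f"{key}: {result[key]}")
    print("OK to proceed" if result["match"] else "HOLD: lists do not match")
```

Any non-empty "missing" or "unexpected" entry should hold the batch before processing begins.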
Data Sanitization Practices
Reputable vendors will sanitize data storage devices according to a Department of Defense three-pass algorithm using only software that has been certified by authorities such as the U.S. Department of Defense (DOD 5220.22-M) and the National Institute of Standards and Technology.
The actual process is used on servers (Unix and Intel-based), disk arrays, laptops, desktops and PDAs.
In situations where the disk can’t be accessed, destruction is the only possible alternative. The disk is removed and then drilled to destroy it. The system unit is then recycled as component spares.
On completion of data erasure, a certificate (per batch) is provided to the customer.
Printers and faxes have their memories purged using setup menus (or via a disk erasure utility, if the device has a hard disk).
Mobile phones are wiped by checking for SIM cards (and returning them if found) and erasing via menus.
In Southern California, Green Tree Recycling is a recognized and respected data destruction vendor. With a commitment to the absolute security of our customers’ confidentiality policies and years in business, you can count on Green Tree to meet your requirements.