What is the value of the information stored on your computer equipment or paper documents? What would the impacts be if your personal or confidential information fell into the wrong hands (e.g. financial loss, loss of image / reputation, regulatory or legal non-compliance)?
Can you be certain that a proper destruction method was used on the information (whether in digital or paper form) to ensure that it is completely destroyed prior to disposal or withdrawal?
Did you know that when you delete files using your operating system, they are not actually destroyed? As a result, even after the hard drive is reinitialized, the information can be retrieved using free tools available on the Internet. As for paper documents that are no longer useful, they may be accessible to others if they are thrown into a trash can or waste bin.
Here are some recommendations for organizations to maintain the confidentiality of paper documents or media that are no longer useful:
- Define a policy or guidelines on the secure destruction of information held in digital and paper form (and clearly define the roles and responsibilities).
- Use an appropriate destruction method, according to the type of media, to securely eradicate data (e.g. specialized software, physical destruction, degaussing) or use a company that specializes in the physical destruction of hardware components to ensure that the information is unrecoverable.
- Develop tools that provide traceable proof of complete destruction (e.g. software destruction results, destruction certificates).
- For paper documents, use a shredder or a shredding company (e.g. Shred-it).
- Train and educate staff as well as all other resources on the guidelines and the mechanisms used.
- Conduct audits and verifications to ensure that the policy or guidelines are respected.
Attackers have realized that, in many cases, information stored on computer equipment is more valuable than the equipment itself. It is for this reason that they buy used equipment in order to recover the information it holds and benefit from it.
For more information on these best practices, you can view the following document:
- NIST 800-88 Guidelines for media sanitization
By Patrick Paradis, Information Security Advisor