Shredding Standard Article
KC ASIS - April 2005
Has the trash issue reached your desk yet? No, this is not referring to the regular "garbage" that gets passed your way on a daily basis, but to the issue of document destruction. There are ever-increasing problems involving ID theft and the sensitivity of consumer information. Security professionals and businesses need to determine their company's process for disposing of sensitive documents. Does your company have a shredding standard that is part of an overall document retention policy, and are employees trained on what to do with sensitive documents?
As you are probably aware, there are several laws regarding the security of sensitive information, including the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Fair and Accurate Credit Transactions Act, just to name a few. California now requires companies to notify the state's residents if certain data security issues occur, and a few other states have passed similar laws regarding sensitive information. There is currently a federal bill in Congress that would require persons engaged in interstate commerce, in possession of electronic data containing personal information, to disclose any unauthorized acquisition of such information. What would happen to your company if it had to announce that its consumer data may have been lost or obtained by illegal means?
Many of the articles regarding sensitive information deal with the security of electronic data on computers, cell phones and PDAs. Only a few articles are available on paper document destruction. The topic is probably not as glamorous as electronic data security, but it is one that can get the company in as much trouble as losing consumer or critical computer information. Granted, more data can be lost via electronic means, but information on paper documents can have the same negative results for the company's reputation and bottom line. It has long been a general practice not to leave sensitive information in meeting rooms, on desks or in other accessible areas. However, there is little discussion of what to do with sensitive documents once they are no longer needed. Document shredders have also been around for a long time, with the assumption that any shredder was adequate for destroying sensitive material. In a recent test to determine the effectiveness of an older name-brand industrial strip shredder, it took approximately 15 minutes to recreate a document that had been shredded by the strip shredder. The document was recreated by simply reaching into the shred bin and grabbing a handful of the shredded paper.
Does your company have a recycling program for paper? Do your employees know the difference between recycling paper and shredding documents? Many employees think that recycling and shredding are basically the same thing because eventually the documents are destroyed. The problem is what happens to the documents and the information on them prior to destruction. Some industry groups are considering not having a recycling program for paper at all unless documents are shredded first, because end users confuse shredding with recycling. Has your company determined the specifications of the shredders it uses, or the requirements for a vendor that destroys documents for the company? Are there individuals or groups within the company that have purchased their own shredders that are not adequate? Who is responsible for the audits that make sure employees and vendors are complying with the process the company has established? Many times the facilities or maintenance department is responsible for the shredding because it is regarded as trash. However, some maintenance departments are more concerned with getting the job done than with the security of the shredding process.
There are opportunities for physical security to add value to the business it is protecting by helping to establish and monitor a shredding standard for the company. The first thing that needs to be done is to determine how your company disposes of documents and what procedures have been established. "A recent study in Britain based on research into the trash cans of 71 commercial organizations revealed that 45% of companies threw away letterhead paper, 24% disposed of directors' signatures, 44% tossed complete invoices, and 20% discarded company bank account details - without attempting to destroy them. There is no reason to believe that companies in the US are doing much better." [1] So the probability is high that physical security will discover there is an issue with the improper disposal of critical information.
If issues are found in your business, what can be done about it?
- Replace your strip shredders with cross-cut shredders [pay particular attention to the size of the cut to make sure it is acceptable].
- Determine the sheet capacity [throat capacity & throat size] of the shredders so as not to waste employees' time shredding documents.
- Train employees & contractors on the proper way to destroy paper documents ... is there a policy and do they know it?
- Make the process simple and convenient for the end user so that voluntary compliance with the shredding process is enhanced. Also make the document destruction process similar at each company site so as not to confuse the end user.
- Work with end user groups that are high producers of confidential documents to determine what method will work best for them in disposing of sensitive documents.
- Determine if you need a third party shred service and if the vendor has the capability to shred on-site or off-site. Keep in mind that on-site shredding is considerably higher in cost.
- Determine what type of shred method the third party vendor offers (strip, cross-cut, or pierce-and-tear), as well as the size of the cut.
- If your company has a recycling program, make sure there is a clear distinction between a bin used for recycling and one that is for shredding. If you use a third party service for shredding they should provide the shred and recycle bins.
- Determine if the third party shredding vendor is certified with the National Association for Information Destruction (NAID) and complete a due diligence investigation on the company.
- Become familiar with the NAID Certification Program and the extent of their required audits.
- Determine how the vendor will keep the documents secure if they transport your company's documents to the vendor's shredding site.
- Determine how the "certificate of destruction" from the shredding vendor is being processed and how these records are kept.
- Complete audits and site visits of any shredding vendor used by the company to make sure they are following their established procedures under the contract.
- If shred bins are used to hold confidential documents before they are shredded by a vendor, are they clearly marked and locked?
- Are the shred bins emptied on a regular basis so that the bins remain less than 3/4 full?
- Is the opening of the shred bin small enough that an individual cannot retrieve documents from the slot where documents are inserted?
- Address the document destruction methods for telecommuters and other remote site employees.
- Ban or tightly regulate the specifications of personal shredders.
- Determine who is responsible for suspending the shredding process in case of pending litigation or government proceeding or audit.
- Help establish a shredding standard that is included in an overall document retention policy.
Physical security officers can easily audit meeting rooms, copy center rooms, trash cans, receiving docks and other areas during their security rounds after normal business hours to determine whether sensitive documents are properly stored or destroyed. Shredding is an important business function that may be overlooked by your company. Physical security may be the ideal group to help monitor the integrity of the company's information.
Ed Spalding
Safety & Security Director
American Century Investments
