1. Responsible Hard-Drive Destruction – Let’s Get Real
Just one hard drive can contain hundreds of thousands of files. When a digital file is “deleted” from a computer, the information actually remains on the drive, as do “deleted” e-mail messages and records of online activity. Even reformatting or overwriting may not be enough to prevent confidential, proprietary, or sensitive data from being recovered by a determined individual using the right techniques and equipment. Proper data destruction is therefore essential to prevent identity theft.
In light of the above, I favor a “belt & suspenders” approach — two proven methods of data destruction for absolute certainty. But there is more to information security than choosing the right destruction equipment. What you do with old drives prior to destruction is just as important. Keep them in a secure location until they are destroyed, or they could be long gone before you even know they are missing. And keep records!
For any facility, I strongly recommend instituting a comprehensive information-security program — written procedures that must be followed. Such procedures should include detailed record keeping and labeling that states, for example, the serial number of each drive, the computer from which it was removed, and the date it was removed. The program should also include careful documentation of destruction dates and methods and a plan for in-house monitoring/verification. You never know when these records will come in handy.
Proper training is a must. These procedures should be carried out only by trusted employees or a vetted security service, and supervised by management. By the way, if you have a written policy that calls for the destruction of records on a regular schedule, it looks less arbitrary and suspicious if documents are missing when requested in the course of litigation or an audit.
Businesses that don’t yet have a comprehensive information security program can take a cue from federal regulations that require some facilities to have one in place, such as the rules implementing the Fair and Accurate Credit Transaction Act (FACTA). In order to minimize fraud and identity theft, FACTA’s far-ranging standards require lenders, insurers, and many other businesses — anyone who “maintains or otherwise possesses consumer information for a business purpose” — to properly destroy consumer information. Likewise, hospitals and other healthcare entities must comply with privacy and security standards promulgated under the Health Insurance Portability and Accountability Act (HIPAA). Similar requirements may be found in the Sarbanes-Oxley (Public Company Accounting Reform and Investor Protection) Act and the Gramm-Leach-Bliley (Financial Services Modernization) Act. Further, the payment card industry is required by the Payment Card Industry Data Security Standard (PCI DSS), an international standard issued by a credit-card-industry council, to take proper security measures with customer and corporate proprietary information.
Tools of the Trade
When is a hard drive really destroyed enough to prevent recovery of information it once held? That is debatable. Let’s take a look at some choices for the safe removal of data:
- Overwriting the drive. “Disk-wiping” software is used to replace stored data with a pattern of meaningless characters. I felt obligated to mention this method, but I do so with reservations. There are many versions of such software on the market, so it is important that the chosen version be compatible with the drive to be overwritten. U.S. Department of Defense guidelines recommend this step for operable drives bound for disposal, prior to degaussing and/or physical destruction. But one overwriting “pass” is not enough, and this method must be carried out by someone who is patient and careful and understands the process, as it is time-consuming, and the time required depends on the age and size of the drive.
- Degaussing. Degaussing is one of those words that evoke images of a mad scientist and large static discharges in the laboratory. Degaussing is simply the elimination of a magnetic field. There are two major methods of degaussing. The first method permanently erases data from hard drives when they are passed through the magnetic fields of powerful, fixed, rare-earth magnets. The second method uses a powerful electromechanical pulse that instantaneously generates a strong magnetic field to permanently erase data from disks in an enclosed chamber. One should note that because there are variations in the formats and magnetic densities of hard drives and in the methods by which they store information (longitudinal or perpendicular recording), the degausser must generate a magnetic field strong enough to overcome the coercivity of the drive’s media and completely erase its stored information. If it doesn’t, the whole process is a waste of time. The NSA/CSS evaluates degaussers and has published a list of approved devices for the erasure of sensitive or classified magnetic storage devices. The list rates each degausser model on the basis of which types of drives and other magnetic media it is strong enough to erase. Careful and informed buyers tend to rely on it for guidance. Degaussing is more effective than overwriting, but here, too, training is essential. Once you purchase a degausser, be sure to follow the directions.
An NSA-evaluated degausser that can completely erase hard drives with no chance of data recovery.
- Crushing. This method destroys drives by subjecting them to extreme pressure from a conical steel punch or similar device. Good for a low volume of drives, these relatively inexpensive units are available in manual and powered models. I consider this a basic destruction method. At the least, deforming the drive enough to render it inoperable is better than doing nothing. Unlike degaussing, crushing leaves the information on the deformed platters intact, but it is much more difficult to retrieve.
An automatic Sledgehammer hard drive crusher with a conical punch to pierce drive casings and platters.
- Shredding. Hard-drive shredders literally rip drives to shreds. The shredding process is much the same as in an ordinary paper shredder, but these machines are more robust and capable of destroying multiple types and sizes of drives. These shredders are also good for destroying cell phones, PDAs, electronic organizers, and other data storage devices. Several models are available, the largest of which can destroy up to 2,500 drives per hour. Again, as with crushers, the information residing on the hard drive platter is still there, but since the drives are shredded into several randomly sized strips, it is even more difficult to retrieve.
A Jackhammer hard drive shredder, capable of destroying up to 2,500 hard drives per hour.
Hard disk drives and other electronic devices end up as co-mingled “e-scrap,” most of which can be recycled. Powerful shredders reduce metal to random strips.
- Disintegration. “Mechanical incineration” by a heavy-duty disintegrator (rotary knife mill) cuts items into smaller and smaller pieces until they are unrecognizable and unreconstructible. For hard drives and other metal, this is typically done after shredding. Disintegration is similar to shredding, although the end particles are much smaller and more damaged. Disintegrators are also available in several models able to handle various sizes and volumes of hard drives. The upkeep for a disintegrator is significantly greater than that for a shredder, and is, therefore, an important consideration when choosing between the two.
While all of these methods are effective, I favor a two-stage approach that combines degaussing with crushing or shredding. For the ultimate, choose degaussing, followed by shredding, followed by disintegration, but this is for those who are really paranoid.
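The record-keeping program described earlier (serial number, source computer, removal and destruction dates, method, in-house verification) and the two-method rule above can be checked mechanically. The following is an added example, not code from the original article: a small audit over a constructed drive ledger that flags drives waiting too long in storage, drives destroyed with fewer than two methods, and records missing verification. The hold limit, serials and hostnames are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Destruction methods the article discusses; anything else is flagged as unrecognized.
KNOWN_METHODS = {"overwrite", "degauss", "crush", "shred", "disintegrate"}
MAX_HOLD_DAYS = 30  # assumed site policy: max days a pulled drive may wait before destruction
AUDIT_DATE = date(2024, 3, 15)  # constructed "today" for the sample run

@dataclass
class DriveRecord:
    serial: str
    source_host: str                    # computer the drive was removed from
    removed: date
    destroyed: Optional[date] = None
    methods: Tuple[str, ...] = ()       # e.g. ("degauss", "shred")
    verified_by: Optional[str] = None   # in-house witness who verified destruction

def audit(records: List[DriveRecord], today: date) -> List[Tuple[str, str]]:
    """Return (serial, finding) pairs for ledger entries that violate the program's rules."""
    findings, seen = [], set()
    for r in records:
        if r.serial in seen:
            findings.append((r.serial, "duplicate serial number in ledger"))
        seen.add(r.serial)
        if r.destroyed is None:  # still in storage: enforce the hold limit
            if (today - r.removed).days > MAX_HOLD_DAYS:
                findings.append((r.serial, "awaiting destruction beyond hold limit"))
            continue
        if r.destroyed < r.removed:
            findings.append((r.serial, "destruction date precedes removal date"))
        unknown = set(r.methods) - KNOWN_METHODS
        if unknown:
            findings.append((r.serial, f"unrecognized method(s): {sorted(unknown)}"))
        if len(set(r.methods)) < 2:  # the "belt & suspenders" rule
            findings.append((r.serial, "fewer than two destruction methods recorded"))
        if not r.verified_by:
            findings.append((r.serial, "no in-house verification recorded"))
    return findings

# Constructed sample ledger (hypothetical serials and hostnames).
SAMPLE_LEDGER = [
    DriveRecord("WD-0001", "finance-ws-07", date(2024, 3, 1), date(2024, 3, 2), ("degauss", "shred"), "J. Doe"),
    DriveRecord("ST-0002", "hr-laptop-12", date(2024, 2, 10), date(2024, 2, 11), ("crush",), "J. Doe"),
    DriveRecord("HG-0003", "legal-ws-03", date(2024, 1, 5)),
    DriveRecord("WD-0001", "finance-ws-08", date(2024, 3, 3), date(2024, 3, 4), ("degauss", "shred"), None),
]

if __name__ == "__main__":
    for serial, finding in audit(SAMPLE_LEDGER, AUDIT_DATE):
        print(f"{serial}: {finding}")
```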
Ideally, the decision to purchase destruction equipment and the implementation of a destruction program would be based on security needs, not on cost. But in a practical world, there are budgets to be met. Degaussers, shredders, and disintegrators all come in different sizes and capacities. While some of these units are relatively inexpensive ($1,000 to $5,000), others could run as high as $50,000.
The Outsourcing Option
For some businesses, the peace of mind that comes from knowing sensitive records will never leave their facilities intact makes the investment in data destruction equipment worthwhile. Even so, many companies simply cannot afford to purchase this equipment for the relatively few items they need to destroy. These businesses may choose to outsource such data destruction. Aside from budgetary considerations, if you rarely need to purge your files, only destroy 10 hard drives a year, or would simply rather not destroy sensitive materials on your own premises, by all means, find a reputable destruction service. An advantage to outsourcing is that your waste eventually gets mixed with the waste of others, which makes your data even harder to retrieve.
Outsourcing can be affordable and safe when done properly, but if you choose this option, be sure to do your homework thoroughly. Evaluate a service provider and its security protocols before signing the contract. Here are some questions to ask:
- If the service will pick up your hard drives, how will it transport them to the destruction facility? Does the service offer locked, trackable transport cases with tamper-proof security tags?
- Does the service require a long-term contract or a monthly minimum?
- Upon arrival at the facility, will your items be inventoried by serial number (or barcodes correlated with serial numbers) and stored in a locked, monitored area? How long are they likely to remain there awaiting destruction?
- Are job applicants thoroughly screened? Is the facility monitored around the clock by security cameras?
- What destruction methods will be used? Degaussers? Shredders? Disintegrators?
- Has the facility’s equipment been evaluated by the NSA/CSS?
- What proof will you have that items were actually destroyed? Would you be allowed to watch the destruction in person or on video?
- Will the destruction of your items be logged and certified in writing?
- What happens to the destroyed waste? Is it recycled in accordance with pertinent regulations?
- Is the facility bonded and insured, and to what limits?
If you don’t like the answer to any of these questions, look for another service. Like all service providers, some are better than others, and some offer more robust security assurances. I personally prefer more security over less. You also need to understand that security comes at a cost. Many destruction companies are nothing more than recycling companies posing as secure-destruction experts. If the service you are considering passes all the above tests, visit the facility in person. Even if you like what you see there and end up giving the company your business, it is a good idea to drop in from time to time for a surprise inspection.
And please note that a certificate of destruction does not free you from your legal responsibility. If a destruction contractor certifies that your confidential data was destroyed, yet the data surfaces somehow, you are still liable for damages suffered by the injured parties.
Article source: semshred.com
2. Frequently Asked Questions About Mobile Shredding And Hard Drive Destruction
The information that you and your employees store on your business computers is highly sensitive and personal. To ensure that this information is kept private, contact a professional company that specializes in hard drive destruction. Read the frequently asked questions below to learn more about hiring a shredding service to destroy the information on your business computers.
Q.) What types of items does a data destruction company destroy and how does the process work?
A.) A professional shredding company specializes in destroying documents, hard drives, cell phones, credit cards, compact discs and more. The shredding company places locked bins at your location. Your employees will place the items that need to be shredded inside the bins. On a specified date, the shredding company will arrive at your location in a mobile shredder, collect the bins and shred the materials on-site.
Q.) Is using a mobile shredding company safe and effective for shredding important documents and hard drives?
A.) Hiring a mobile shredding company is very safe because your sensitive materials won’t have to be transported to another location. You’ll be able to watch the shredding company employees place your sensitive materials into the mobile shredding unit. You’ll have the ability to view the shredding of your documents and hard drives on a video monitor so you’ll know for sure that your important business information is gone forever.
Q.) Why is it better to shred a hard drive instead of having the information erased?
A.) It’s often possible for the information on an erased hard drive to be retrieved. When you hire a company that specializes in hard drive destruction, your hard drive is totally destroyed and the information can never be recovered by anyone. Since the mobile shredding unit slices the hard drive into small pieces, the private information that was stored on your business computer is safe.
Article source: go-articles.com
3. On-Site vs Off-Site Hard Drive Shredding
Immediate Destruction. With on-site hard drive destruction, all of your data is completely destroyed within minutes of entering the secured truck. The only thing leaving your location is tiny fragments of what was once your data-containing media.
Transparency. Often, vendors will let you see the hard drive shredding process in action and watch as your discs or drives are put through the industrial shredder on the truck, providing complete transparency.
Simplicity. With mobile, on-site hard drive shredding, media is taken directly from your security cart or storage bin and shredded before leaving your location. This makes the process as simple as possible, eliminating any doubt of what happens after devices leave your property.
Offsite Shredding
With plant-based or off-site hard drive shredding, the vendor will arrive at your location, pick up your devices or security carts, haul them to their processing facility, and perform the shredding services behind locked doors.
Benefits of offsite shredding service:
Imminent Destruction. With offsite or plant-based shredding, devices and hard drives are collected from your location, then transported to the vendor’s secure facility, where each device is shredded with an industrial shredder. Often, video of the shred process is available upon request for added transparency.
Affordable. As with any service, onsite shredding does have a fee. For companies on a tighter budget, offsite shredding may be the more affordable option if media is not required to be destroyed before leaving your property.
Chain of Custody. When off-site shredding services are performed, the vendor should provide complete chain-of-custody documentation, including the transfer-of-ownership paperwork, serial number reports of each drive that was shredded, and certificates of destruction verifying everything was destroyed in accordance with data security legislation and shredding standards.
Certified Data Destruction
Whichever option you choose, make sure you’re using a reputable, certified vendor to guarantee shredding is done in accordance with current security standards (NIST SP 800-88r1). As the only e-Stewards and R2 certified provider in the area, SEAM guarantees compliance with privacy regulations including HIPAA, FISMA, FACTA, and GLBA.
No matter the shredding service selected, customers always receive a Certificate of Destruction verifying the data has been destroyed along with a serial number report. All reports are made available 24/7 on the customer portal for easy access if you’re ever audited.
Article source: seamservices.com