National Property Management Association Disposing of Assets Containing Sensitive Information Kim Doner, CPPM SRA International

National Property Management Association Unfortunately, sensitive information is often left in assets by agencies or private parties that transfer, donate, or sell assets to the public. This can pose a potential risk to you and your agency. Sensitive information has a wide array of markings such as Top Secret, Secret, Classified, Sensitive, Official Use, and many other types of labels, and sometimes it’s not marked at all! The items listed below may contain sensitive information. VCR (tape) Cell Phones PDA’s Printers Hard drives USBs CD Rom’s CD Rom Drives Flash Drives Magnetic Tapes Copiers Memory sticks Typewriter Ribbons

National Property Management Association 3 Some of the material that businesses routinely throw away could be of use to a wide variety of groups including business competitors, identity thieves, criminals and terrorists. Useful information includes staff names and addresses, telephone numbers, product information, customer details, information falling under the Data Protection Act, technical specifications and chemical and biological data. (Terrorist groups are known to have shown interest in the last two areas.)

National Property Management Association 4 Particular care needs to be taken to effectively destroy digital media that may contain the personal and contact details of staff or customers and company confidential data. Digital media needs to be overwritten with random data several times to make the original data irretrievable; this should include all addressable locations and not just the file allocation table. Overwriting cannot be used for media that is damaged or otherwise not writeable; in these cases the media should be purged by degaussing with a strong magnetic field or destroyed.

National Property Management Association 5 There are several methods that may be used for destroying sensitive media; however, before investing in waste destruction equipment you should: Ensure that the equipment is up to the job. This depends on the material you wish to destroy, the quantities involved and how confidential it is. Ensure that your procedures and staff are secure. There is little point investing in expensive equipment if the people employed to use it are themselves security risks. Make the destruction of sensitive waste the responsibility of your security department rather than facilities management.

National Property Management Association 6 Contracting out the Destruction of Sensitive Media: If you use contractors, ensure that their equipment and procedures are up to the standard you require. Find out who oversees their process, what kind of equipment they have and whether the collection vehicles are double-manned, so that one operator remains with the vehicle while the other collects. Get references!

National Property Management Association 7 Methods of Destroying Sensitive Media Include: Shredding Paper shredders shred to many different sizes and the size of shred you use will depend on the type of information you are destroying. Highly confidential material should be shredded using a cross-cut shredder producing a shred size no more than 15mm x 4mm. This should ensure no more than two adjacent characters appear on any one piece of shred. Paper shredders can also be used to destroy diskettes, CDs, and similar optical media by cross-cutting or shredding. The shred size should be proportional to the confidentiality of the data, typical fragments should be no larger than 25mm.

National Property Management Association 8 Methods of Destroying Sensitive Media Include: Incineration Incineration is probably the most effective way of destroying sensitive waste, including disks and other forms of magnetic and optical media, provided a suitable incinerator is used (check with your local authority). Open fires are not reliable as material is not always destroyed and legible papers can be distributed by the updraft. Metallic-based digital media can be destroyed by melting.

National Property Management Association 9 Methods of Destroying Sensitive Media Include: Pulping This reduces waste to a fibrous state and is effective for paper and card waste only. Some pulping machines rip the paper into large pieces and turn it into a papier maché product from which it is still possible to retrieve information. This is more of a risk than it used to be because inks used by modern laser printers and photocopiers do not run when wet. There are alternative methods for erasing electronic media, such as overwriting and degaussing

National Property Management Association Asset tags (property tags) or any other identifying markings should be removed. It is highly recommend that you or your recycler ensures all property tags are removed from your equipment. This will minimize your agency’s risk of exposure from media attacks or a hacker who may attempt to compromise your agencies data.

National Property Management Association Hard drives, if properly wiped with the proper software can be reused. Instruct your IT personnel to double check computers that are going to be taken out of service. From time to time some computers host two or more hard drives. Be sure to check all drives for removable media.

National Property Management Association Ensure your agency or recycler has the capability to open CD/DVD caddies to ensure all discs have been removed. Most media that gets out into the general public comes from un- removed discs.

National Property Management Association Printers/Copiers can also host a hard drive. Often, documents of sensitive nature are left in paper trays or printer spools.

National Property Management Association Remove and destroy typewriter ribbons. Data is left on the used spool of the ribbon. Thumb drives : Re-format the drive. (Reuse) or destroy the unit when it becomes obsolete.

National Property Management Association Check VCR units to ensure no tapes are left in them.

National Property Management Association Cellular phones: Remove SIM card and destroy by crimping or cutting, (Please recycle the card) (Cellular phones are recyclable) or delete the information on the unit.

National Property Management Association Magnetic tape: Ensure your tape is degaussed or destroyed. Magnetic tape is a polyester compound (Mylar).

National Property Management Association Floppies/CD’s should be shredded or degaussed. These items are recyclable. CD disks can be recycled into new products.

National Property Management Association PDA’s should be erased (re-formatted) prior to resale or reuse or be disassembled into the state of a saleable commodity.

National Property Management Association Other items that can maintain hidden storage of data and sensitive information are micro fiche, cameras, filing cabinets, safes, and answering machine cassettes. Identity theft has become a major concern to law enforcement throughout the United States. It is the fastest growing crime, and affects more than 500,000 new victims each year. Protect yourself at work and at home by double-checking that all (media/data) is destroyed or erased.

National Property Management Association Media containing sensitive data should be clearly marked; however, when in doubt, treat all data as if it is sensitive! (Photos of media provided courtesy of FPI UNICOR)