Taking Out the Trash… Part 1.
As you are well aware, one of the favorite chores in every household is taking out the trash (cue the sarcasm font.) When it comes to the CJIS Security Policy, it takes on a whole new meaning. You can’t just do take it to the curb and drop it off, you gotta document how your gonna do it and who’s gonna do it.
I know, I know; you’re already thinking “Larry, you’re kidding, right?” Nope, I’m being serious. It’s one of the top ten write-ups by the FBI CJIS audit staff.
The CJIS Security Policy (CSP) has a section that deals with media protection – Policy Area 5.8. In it are requirements that agencies must have written policies describing the process(es) for disposal.
Additionally, you have to differentiate between two different types of media: digital (tapes, DVDs, hard drives, flash drives, etc.) and physical (typically paper).
Within CSP Section 5.8.3, you’ll find this statement – “The agency shall maintain written documentation of the steps taken to sanitize or destroy electronic media.” So here’s your sign; you need a local policy.
You can’t just say “We follow the CSP.” The good folks that come around and do audits will say that ain’t enough, you need something that describes your local process(es).
There are two situations to address in your digital disposal policy: 1) reuse by unauthorized entities, and 2) destruction.
If you’re going to give/donate the electronic media to an entity that is not authorized to access to CJI, you will need to overwrite it at least three times or fully degauss (CSP 5.8.3). For part of your policy, you could say “All digital media is completely overwritten at least three times using X” (X being the program you use.)
Additionally, the process must be accomplished or witnessed by someone who is authorized access to CJI. The easiest way would be for someone within your agency, someone who has been through the background check process and security awareness training, to do the deed.
You can outsource to a private company, but you know what that means, right? You’ll have to follow the Security Addendum Process.
Outsourcing could prove to be tricky. You would need to know the contractor’s process, where they take media for processing, who does the work, what proof do you have that the proper processes were followed. Some CSAs might not approve of out sourcing to vendors.
If you can’t or don’t want to overwrite or degauss, then it’s time for destruction. The CSP says that media has to destroyed when inoperable, and suggests “cut up, shredded, etc.” When it comes to destruction, I’m partial to the “etc.”
You small agencies are saying “Larry, we don’t have budgets for fancy disposal methods.” My reply to that is “Black and Decker with a ¼ drill bit”. Drill about four or five holes in that hard drive; that’ll do the trick.
Digital tapes can be shredded or burned. Flash drives can be completely smashed with a hammer. Some of y’all have access industrial grade incinerators; just make sure it’s destroyed, burning won’t cut it. Be creative, but ensure complete destruction.
Whatever you decide, make sure you identify how you’re going to “do it”, and that whoever is doing it is authorized (background check and security awareness training, maybe Security Addendum Certification page, if they’re a vendor.)
Your local policy needs to indicate that process is to be carried out by authorized personnel.
By the way, don’t forget the hard drives in multifunctional devices that y’all lease, i.e., BizHubs, All-in-Ones, etc. Most modern multifunctional devices have hard drives. Don’t be on the news. Pull those hard drives; make sure your contract says that you get to keep the hard drives.
We just covered digital media. Next time, I’ll talk about hard copy, known to most of world as paper.
If you have questions, give me a holler (call me.) Until then, y’all take care.
Sr. Security Analyst
850.656.3333 ext. 288