It’s me again, y’all,
Last month, we left off with pulling hard drives out of copiers; if you missed it, go check it out. We now rejoin Section 5.8.4 of CJIS Security Policy (already in progress) to learn about destruction of physical media, AKA paper.
The policy for physical media disposal is pretty much the same as digital media, kinda. First, you need a written policy; second, you need to describe how you’re going to “do the deed”; and third, the “deed doing” has to be done or witnessed by authorized personnel.
Many entities choose shredding; it’s quick, relatively easy, and shredders of all sizes are readily available. If your agency generates a “small” amount of paper, you can get a decent shredder for under $50.
If your agency generates a lot of paper, a solitary, small shredder might not be the best solution.
Many “larger” agencies contract with shredding companies for bulk work. That’s OK, but how the process works is important. You need to make sure that the destruction process is witnessed by authorized folks.
You can’t just wheel the bin out to the curb and walk away; you have to watch it be destroyed. That process, the overseeing part, must be documented in the policy.
So, some y’all are old fashioned and you don’t shred, that’s OK too.
Fire! Good! Burning is a time honored acceptable manner for destroying physical media.
Still, you need to be careful with burning. You can’t just throw a ream of paper into a fire and walk away. In that situation, I can pretty much guarantee all of the paper won’t get consumed.
Make sure you are getting complete destruction before you walk away. You might even want to “stir it” with something; sticks are good that kind of thing.
Some agencies go to nearby facilities and use industrial incinerators for getting rid of old documents and evidence. Not a problem, again you just have to witness destruction.
As mentioned in previous newsletter, the CSP doesn’t prohibit contracting for destruction, but if you do, the Security Addendum process has to be followed.
Again, as mentioned last month, some CSAs may prohibit outsourcing destruction based on security concerns. If the company is going to pick up and take the CJI to a facility for processing, there are steps that need to be defined in the contract.
An authorized person must be with the CJI until it is destroyed, and being “authorized” is same process for vendors as it is for your agency employees with access to CJI.
If you go down that outsourcing road, I would suggest that you initially and literally walk through the entire process with the vendor to ensure every step is understood and demonstrated for CSP compliance.
I’m also suggesting that periodic “ride-alongs” with the company would be a good idea. Most auditors would probably ask “how do you know what they are doing?”
Bottomline for physical media, you gotta have a policy, it must describe the process of how you are going to destroy the CJI, and it must specify that an authorized person is going to “do it” or watch it be done.
Y’all take care.
Sr. Security Analyst
850.656.3333 ext. 288