Taking Out the Trash… Part 1.
As you are well aware, one of the favorite chores in every household is taking out the trash (cue the sarcasm font.) When it comes to the CJIS Security Policy, it takes on a whole new meaning. You can’t just take it to the curb and drop it off; you gotta document how you’re gonna do it and who’s gonna do it.
I know, I know; you’re already thinking “Larry, you’re kidding, right?” Nope, I’m being serious. It’s one of the top ten write-ups by the FBI CJIS audit staff.
The CJIS Security Policy (CSP) has a section that deals with media protection – Policy Area 5.8. In it are requirements that agencies must have written policies describing the process(es) for disposal.
Additionally, you have to differentiate between two different types of media: digital (tapes, DVDs, hard drives, flash drives, etc.) and physical (typically paper).
Within CSP Section 5.8.3, you’ll find this statement – “The agency shall maintain written documentation of the steps taken to sanitize or destroy electronic media.” So here’s your sign; you need a local policy.
You can’t just say “We follow the CSP.” The good folks that come around and do audits will say that ain’t enough, you need something that describes your local process(es).
There are two situations to address in your digital disposal policy: 1) release for reuse by an entity that is not authorized to access CJI (sanitize it first), and 2) destruction.
If you’re going to give/donate the electronic media to an entity that is not authorized to access CJI, you will need to overwrite it at least three times or fully degauss it (CSP 5.8.3). For that part of your policy, you could say “All digital media is completely overwritten at least three times using X” (X being the program you use.)
Additionally, the process must be accomplished or witnessed by someone who is authorized to access CJI. The easiest way would be for someone within your agency, someone who has been through the background check process and security awareness training, to do the deed.
You can outsource to a private company, but you know what that means, right? You’ll have to follow the Security Addendum Process.
Outsourcing could prove to be tricky. You would need to know the contractor’s process, where they take the media for processing, who does the work, and what proof you have that the proper process was followed. Some CSAs (CJIS Systems Agencies) might not approve of outsourcing to vendors.
If you can’t or don’t want to overwrite or degauss, then it’s time for destruction. The CSP says that media has to be destroyed when inoperable, and suggests “cut up, shredded, etc.” When it comes to destruction, I’m partial to the “etc.”
You small agencies are saying “Larry, we don’t have budgets for fancy disposal methods.” My reply to that is “Black and Decker with a ¼-inch drill bit.” Drill four or five holes through that hard drive; make sure the bit goes through the platters, not just the case, and that’ll do the trick.
Digital tapes can be shredded or burned. Flash drives can be completely smashed with a hammer (the chips, not just the housing). Some of y’all have access to industrial grade incinerators; just make sure the media is actually destroyed, because singed or partly melted won’t cut it. Be creative, but ensure complete destruction.
Whatever you decide, make sure you identify how you’re going to “do it”, and that whoever is doing it is authorized (background check and security awareness training, plus a signed Security Addendum Certification page if they’re a vendor.)
Your local policy needs to indicate that the process is to be carried out by authorized personnel.
By the way, don’t forget the hard drives in the multifunctional devices that y’all lease, e.g., BizHubs, All-in-Ones, etc. Most modern multifunctional devices have hard drives that hold copies of what they printed, copied and scanned. Don’t be on the news. Pull those hard drives before the device goes back, and make sure your lease says that you get to keep the hard drives.
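If you keep the overwrite in house, the two things the auditor will look for are that the media was really overwritten end to end and that you have the written record. The Python below is an added example, not the newsletter’s method and not anything the CSP prescribes: it does a three-pass overwrite (0x00, 0xFF, random is an assumed pattern choice; the CSP text quoted above only says “at least three times”), reads the media back to prove that sampled fragments of the original data are gone, and produces the per-drive record you would keep for 5.8.3. It runs on a regular file standing in for a drive; the media serial, operator and witness names are placeholders. Caveat: an overwrite only reaches sectors the drive still presents, so remapped sectors, hidden areas (HPA/DCO) and the spare blocks in SSDs and flash drives are not touched; for flash, overwrite and then destroy.

```python
"""Three-pass overwrite with read-back verification and a sanitization record.

Added example, not from the newsletter or from the CJIS Security Policy. `path` is a
regular file here; pointing it at a block device node such as /dev/sdX (as root) runs
the same code against the whole device, with the HPA/DCO/flash caveats noted above.
"""
import hashlib
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read/write unit; keeps memory flat on large devices

# Pattern sequence for the three passes. The CSP text quoted in the newsletter only
# requires "at least three times"; 0x00, 0xFF, random is an assumed, common choice.
PASSES = [
    ("zeros", lambda n: b"\x00" * n),
    ("ones", lambda n: b"\xff" * n),
    ("random", secrets.token_bytes),
]


def sample_fragments(path, count=8, length=64):
    """Record short fragments of the original contents at evenly spaced offsets.
    After the overwrite they are searched for, to prove the old data is gone."""
    size = os.path.getsize(path)
    fragments = []
    with open(path, "rb") as f:
        for i in range(count):
            f.seek(size * i // count)
            fragments.append(f.read(length))
    return [x for x in fragments if x]


def overwrite_media(path):
    """Overwrite every byte of the media once per pattern in PASSES.
    Returns the pattern names in the order applied."""
    size = os.path.getsize(path)
    applied = []
    for name, gen in PASSES:
        with open(path, "r+b") as f:
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(gen(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())  # push the pass to the device, not just the page cache
        applied.append(name)
    return applied


def verify_sanitized(path, fragments):
    """Stream the media back and confirm none of the recorded fragments survive,
    including ones straddling a chunk boundary. Returns (ok, sha256_of_final_state);
    the digest is None when a fragment was found, since the scan stops early."""
    if not fragments:
        raise ValueError("need at least one fragment from the original media")
    overlap = max(len(x) for x in fragments) - 1
    digest = hashlib.sha256()
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            digest.update(chunk)
            window = tail + chunk
            if any(frag in window for frag in fragments):
                return False, None
            tail = window[-overlap:] if overlap else b""
    return True, digest.hexdigest()


def sanitization_record(media_id, size_bytes, applied, verified, digest, operator, witness):
    """The written record CSP 5.8.3 asks you to keep for each piece of media."""
    return {
        "media": media_id,
        "size_bytes": size_bytes,
        "method": "overwrite",
        "passes": applied,
        "verified_no_original_data": verified,
        "final_state_sha256": digest,
        "performed_by": operator,  # must be someone authorized to access CJI
        "witnessed_by": witness,
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def demo():
    """Run the whole procedure on a constructed 2.5 MiB file. Returns (pre_check_ok, record):
    pre_check_ok is False because the original data is still there before the overwrite."""
    line = b"CJI record %06d | constructed sample, not real data\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        i = 0
        while tmp.tell() < int(2.5 * (1 << 20)):
            tmp.write(line % i)
            i += 1
        path = tmp.name
    try:
        fragments = sample_fragments(path)
        pre_check_ok, _ = verify_sanitized(path, fragments)
        applied = overwrite_media(path)
        ok, digest = verify_sanitized(path, fragments)
        record = sanitization_record("HDD-serial-ASSUMED-001", os.path.getsize(path), applied,
                                     ok, digest, "J. Doe (assumed)", "R. Roe (assumed)")
    finally:
        os.unlink(path)
    return pre_check_ok, record


if __name__ == "__main__":
    pre, rec = demo()
    print("original data detected before overwrite:", not pre)
    print(rec)
```

The record is what you attach to your local policy’s “how we do it” section: one per drive, with the method, the verification result, who did it and who watched. Printing the record and having the operator and witness sign it is the simplest way to answer the auditor’s “show me.”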
We just covered digital media. Next time, I’ll talk about hard copy, known to most of the world as paper.
If you have questions, give me a holler (call me.) Until then, y’all take care.
Taking Out the Trash, Part 2 or Burn, Baby Burn!
It’s me again, y’all,
Last month, we left off with pulling hard drives out of copiers; if you missed it, go check it out. We now rejoin Section 5.8.4 of the CJIS Security Policy (already in progress) to learn about destruction of physical media, AKA paper.
The policy for physical media disposal is pretty much the same as for digital media, kinda. First, you need a written policy; second, you need to describe how you’re going to “do the deed”; and third, the “deed doing” has to be done or witnessed by authorized personnel.
Many entities choose shredding; it’s quick, relatively easy, and shredders of all sizes are readily available. If your agency generates a “small” amount of paper, you can get a decent shredder for under $50.
If your agency generates a lot of paper, a solitary, small shredder might not be the best solution.
Many “larger” agencies contract with shredding companies for bulk work. That’s OK, but how the process works is important. You need to make sure that the destruction process is witnessed by authorized folks.
You can’t just wheel the bin out to the curb and walk away; you have to watch it be destroyed. That process, the overseeing part, must be documented in the policy.
So, some of y’all are old fashioned and you don’t shred; that’s OK too.
Fire! Good! Burning is a time-honored, acceptable manner for destroying physical media.
Still, you need to be careful with burning. You can’t just throw a ream of paper into a fire and walk away. In that situation, I can pretty much guarantee all of the paper won’t get consumed; the inside of a stacked ream just chars around the edges.
Make sure you are getting complete destruction before you walk away. You might even want to “stir it” with something; a stick works fine for that kind of thing.
Some agencies go to nearby facilities and use industrial incinerators for getting rid of old documents and evidence. Not a problem, again you just have to witness destruction.
As mentioned in the previous newsletter, the CSP doesn’t prohibit contracting for destruction, but if you do, the Security Addendum process has to be followed.
Again, as mentioned last month, some CSAs may prohibit outsourcing destruction based on security concerns. If the company is going to pick up the CJI and take it to a facility for processing, the steps need to be defined in the contract.
An authorized person must be with the CJI until it is destroyed, and being “authorized” is the same process for vendors as it is for your agency employees with access to CJI.
If you go down that outsourcing road, I would suggest that you initially and literally walk through the entire process with the vendor to ensure every step is understood and demonstrated for CSP compliance.
I’m also suggesting that periodic “ride-alongs” with the company would be a good idea. Most auditors would probably ask “how do you know what they are doing?”
Bottom line for physical media: you gotta have a policy, it must describe the process of how you are going to destroy the CJI, and it must specify that an authorized person is going to “do it” or watch it be done.
Y’all take care.