IDShred65 addresses the growing need for efficient and effective destruction of cards and dog tags that contain personally identifiable information (PII)
Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to announce the introduction of the IDShred65 ID and dog tag shredder. This device is specifically designed for the destruction of plastic and metal credit cards, dog tags, and ID cards such as CAC IDs and driver’s licenses.
“The IDShred65 was created to address a growing need to destroy cards and dog tags in both the commercial and federal markets,” said Nicholas Cakounes, SEM Executive Vice President. “Unlike competitor models, SEM’s IDShred65 easily destroys the heavier, thicker credit cards of today including metal cards.”
The all-new IDShred65 is enclosed in a compact metal cabinet mounted on casters for portability and ease of use in office environments. It also boasts a rugged, all-steel cutting head that is specifically designed for the efficient destruction of thick metal cards and tags. Designed with operator ease of use in mind, the IDShred65 has a customized feed slot for cards and tags, a modern, sleek design, and plugs into a standard 120V outlet. It also comes standard with integrated safety and convenience features, including an LED control panel with auto start/stop and reverse, and bag-full and door-open indicators. In addition, the IDShred65 is an eco-friendly product, featuring an Energy Savings Mode that shuts off power when not in use and operating without the use of oil.
“We are thrilled to offer the IDShred65 to satisfy the rapidly growing need for on-prem destruction of dog tags and cards, both metal and plastic,” added Bryan Cunic, SEM Director of Customer Care. “SEM has long been an innovator of high security information destruction technology and the new IDShred65 continues that tradition of excellence.”
The IDShred65 has a list price of $5,999 and is TAA compliant.
Security Engineered Machinery is in need of a hands-on, skilled Field Service Technician who can work in a fast-paced and varied environment. SEM is a leader in providing, installing, and servicing shredders, rotary knife mills, and other destruction equipment used for destroying paper and electronic media. Visit the SEM website at semshred.com for company and product information.
Responsibilities and Duties
Install, service, and maintain light and heavy duty industrial equipment
Troubleshoot and repair industrial equipment
Assemble and erect ductwork and other ancillary items to support industrial equipment
Assemble and recondition industrial equipment
Read mechanical and electrical drawings
Communicate verbally and in writing with customers and all internal levels
Write service reports
Other duties as assigned
MINIMUM 50% travel both domestic and international
Qualifications and Skills
Strong electromechanical background with good mechanical skills
Service and/or manufacturing experience, minimum of 2 years
Responsiveness to customers’ needs and ability to problem solve at a technical level
Ability to work independently and multi-task with attention to detail
Current driver’s license and safe driving record
Technical education or higher
Computer skills and basic math skills
Strong communication and interpersonal skills
Security Clearance and valid Passport a plus
Must be a US Citizen
SEM offers an exciting participatory environment, competitive compensation, attractive benefits including medical, dental, 401K, paid time off, profit sharing, and personal growth opportunities.
Security Engineered Machinery Co., Inc. (SEM), a growing manufacturing and distribution company specializing in information security and destruction and headquartered in Westborough, MA, has an exciting opportunity for a Customer Care Representative.
Responsibilities and Duties
Handles inbound sales and customer service calls relating to products and service
Provides support for regional sales reps and channel management
Provides low-level technical support to customers
Generates outbound calls for new business
Maintains knowledge of products, service, and competition
Schedules service, preventative maintenance, and installation calls
Enters and processes orders
Responds to quote requests
Follows up on quotes
Follows up on equipment warranty issues
Maintains customer database
Other duties as assigned
Qualifications and Skills
Must be motivated self-starter with strong attention to detail
Associate’s degree or equivalent experience
1-3 years customer service experience and/or sales experience
Ability to work independently and multi-task with attention to detail
Proficient computer skills (MS Office: Word, Outlook, and Excel)
Experience working with a CRM system – NetSuite preferred
Strong communication and interpersonal skills
SEM offers an exciting participatory environment, competitive compensation, attractive benefits including medical, dental, 401K, paid time off, profit sharing, and personal growth opportunities.
Take data centers. If you operate such a business, you likely have stringent rules in place for securing the data you house on behalf of your clients. But, do you also follow the data regulations and privacy policies set forth by your clients? If your answer is no and your clientele is covered under the GLBA, you’ll need to revisit your information security plan immediately to incorporate GLBA compliance.
What is GLBA?
The Gramm-Leach-Bliley Act (GLBA) of 1999 mandates that financial institutions and any other companies that offer financial products to consumers such as loans, financial or investment advice, and insurance must have safeguards to protect their customers’ sensitive data and must also disclose in full their information-sharing practices and data security policies to their customers.
Check-cashing businesses, payday lenders, real estate appraisers, professional tax preparers, courier services, mortgage brokers, and nonbank lenders are examples of businesses that don’t necessarily fall under the “financial institution” category yet are included in the GLBA. The reason is that these organizations are significantly involved in providing financial products and services and therefore have access to personally identifiable information (PII) and sensitive data like social security numbers, phone numbers, addresses, bank and credit card numbers, and income and credit histories.
GLBA Compliance: Applicable to More than Just GLBA-Covered Businesses
In accordance with GLBA, organizations covered under this Rule must develop a written information security plan that details the policies put in place at the organization to protect customer information. The security measures must be appropriate to the size of the business and the complexity of the data collected. Moreover, each company must designate an employee or a group of personnel to coordinate and enforce its security measures. Lastly, the organization must continually evaluate the effectiveness of its developed security measures, identifying and assessing risks to improve upon the policy and measures taken as needed.
At this point, you may be asking yourself, “How does this affect my business as a data center?”
The data safeguard rules also apply to any third-party affiliates and service providers employed by the companies covered under GLBA. As such, it is the responsibility of the GLBA-covered company to ensure the same steps are taken by the affiliate third-party to protect the data they interact with or store on behalf of the company. This means companies under GLBA are going to select third-party service providers like yours based on those companies that are also set up operationally with the same steps and policies in place to safeguard sensitive data. Furthermore, organizations under GLBA have the authority to manage the way in which their service provider handles their customer information to ensure compliance with GLBA.
Cloud-based data centers therefore must comply with GLBA rules for security policies and enforcement or risk losing business from those organizations and other potential clients that are covered under GLBA. As the data center operator, you could go about this in one of three ways: 1) Create separate GLBA-compliant policies for each client organization based on their needs, 2) Allow each client organization to delineate the GLBA-compliant policies they’d like your business to follow and adopt those accordingly, or 3) Establish one set of GLBA-compliant policies that cover all aspects of data protection and privacy that can work for all client organizations and potential new business.
GLBA and Data Destruction
Just as there are plans and personnel in place to oversee the safeguarding of data while it’s in use, under the GLBA there must be a plan and personnel in place to oversee data destruction when the data has reached its end-of-life. These policies and plans for the proper disposal of secured data should be incorporated into the organization’s information security plan and should be regularly evaluated for risk as well. While this is a straightforward task for the GLBA-covered company, developing and enforcing GLBA-compliant data destruction policies for a third-party affiliate or service provider like a data center is a different story entirely.
Not only do you need to create a set of protocols around data and drive destruction for your data center, you need to be able to prove to your client organization that you can properly dispose of the drives the data is housed on as well as the data itself. This is because both data and drive disposal must be achieved so that neither the data nor the drive can be recovered or otherwise reconstructed after destruction. Since your data center already provides remote access to the information you store, it’s recommended that you purchase and maintain data destruction machinery at your center. This way, you also control where that sensitive information is handled during the data destruction event.
One of the simplest ways to ensure compliance during data destruction events is to work with the GLBA-covered organization to assign certain personnel to that task within your data center. For instance, assigned personnel within your company as well as the client company’s GLBA task force would be required to be on-site during data destruction events. Both parties would be responsible for enforcing data destruction at the data center, including the documentation of every data destruction event, to ensure compliance and alleviate liability in the event of a breach.
Security Engineered Machinery is the global leader in high security information end-of-life solutions including paper and IT shredders, crushers, disintegrators, and degaussers.
All US-based organizations and agencies, whether public or private, must comply with certain information security measures when it comes to data storage and disposal. For government agencies and affiliated organizations, information security is paramount because of the sensitive nature of the information housed within these parties. To ensure the protection of proprietary United States data, legislation to regulate proper data and information security management was passed as part of the Electronic Government Act of 2002.
Called the Federal Information Security Management Act (FISMA), this law focuses on the importance of data security as it relates to the economic and national security interests of the US. As such, FISMA stipulates that all government agencies, government contractors, and any organization that exchanges data directly with a government system must safeguard all of their information technology (IT) systems, including stored data, by developing, documenting, and implementing an information security program.
In 2014, this law was amended as the Federal Information Security Modernization Act (FISMA 2014) to bolster the authority of the Department of Homeland Security (DHS) to administer, implement, and provide technical assistance with information security policies for non-national security (civilian) federal Executive Branch systems. FISMA 2014 also updated and clarified the oversight authority of the Office of Management and Budget (OMB) and its ability to eliminate inefficient and wasteful reporting by any organization under FISMA. It also sanctions DHS’ role in assisting OMB with this responsibility.
FISMA: Who It Affects and Why It’s Important
The purpose of FISMA is to protect government information, assets, and operations against natural threats and criminal activity, whether from within the US or outside. Therefore, any US organization directly related to or doing business with the US government, including federal- and state-level government agencies and contractors, state government departments, military subcontractors, and even data clearinghouses fall under FISMA regulations.
Failure to pass a FISMA inspection by DHS or OMB can result in unfavorable publicity for your organization and a cut to your IT budget, as well as significant administrative ramifications for your organization. However, failure to comply with FISMA, especially when it comes to breach avoidance and proper data destruction, can have far greater and more catastrophic implications for you and your organization. Should any of your private, secured federal data be compromised and your organization be found noncompliant, there are serious civil and criminal federal consequences.
How to Comply with FISMA
C-suite executives such as chief information officers, information security officers, senior agency officials, and agency program officials are all responsible and held accountable for ensuring FISMA compliance within their respective organizations.
As stated in FISMA, these federal or otherwise federally affiliated organizations must develop, implement, and accurately manage an information security program to safeguard the IT systems and any resulting data that is collected, stored, and transferred. This includes documentation of both the security systems and the access granted to stored federal information.
The National Institute of Standards and Technology (NIST) outlines steps that these individuals should take to comply with FISMA:
Track and categorize all information and media devices that must be protected.
Set baseline security controls. Implement and document their use in the appropriate security system.
Regularly refine these controls using a defined risk-assessment procedure as part of an annual review process.
Authorize the IT system for processing within the selected group of authorized personnel and monitor the systems on a regular basis.
When it comes to the disposal of this federally protected private data, FIPS also states that the organization must develop and enforce a set of policies for how the data and media should be destroyed, and accurately document every data disposal event, most easily accomplished by using an audit-friendly media tracking system such as SEM’s iWitness. It is recommended to purchase on-site data destruction machinery and to limit access to both the data and the data destruction machinery to a small group of authorized personnel.
It seems like we can’t go a week without hearing about a data breach or a situation in which personal data has been compromised. Unfortunately, cybercriminals are becoming more sophisticated in their antics and there is very little we can do to stop cyber attacks from happening.
We can, however, arm ourselves against hackers and identity thieves by first understanding the main ways in which our personal data can be compromised. Then, we can take necessary steps to safeguard our personal data and prevent criminals from accessing our private information.
Understanding How our Personal Data Gets Compromised
The fact of the matter is that there are many ways in which our personal data can become compromised. Yet they all seem to boil down to five main causes, some of which are under our control and some of which are not.
The Top 5 Ways Personal Data is Compromised:
1. Organizational Data Breach: In order to do business with us, organizations often require our personal information. From financial institutions and credit bureaus to medical groups, email and social media platforms, subscription-based platforms and data-storage cloud companies…the list goes on. We trust that the organization follows its outlined security protocols to keep our private information, private. When that organization fails to deliver on its security measures, as we’ve collectively witnessed with the recent onslaught of big-data and cloud-system security breaches, our personal information is subject to unauthorized access and theft. Be sure you trust the organization and understand its data management policies and procedures for how your personal data will be used, stored, secured and destroyed before sharing personal information.
2. Unsecured Internet Connection: Even though it’s enticing to stop in to your local coffee shop or public library to work remotely from your laptop or portable device, you should always check the security of the internet connection you’re about to use, first. Public or otherwise unsecured connections are the most susceptible to cyber-criminal activity; using an unsecured internet connection is like inviting the hackers to your doorstep. In short, if the internet connection can be accessed without a password, don’t connect to it.
3. Unsecured Device: The same can be said for any device you use to access the internet. From smartphones to laptops and tablets, and now smart home devices like Amazon Echo and Google Home, these devices hold troves of our personal and private data. Maintaining updated security software and firewalls, and adding extra protection such as two-factor authentication, are imperative to ensuring your device is protected from outside penetration. Password strength also falls under device security. Passwords should never be reused across accounts, should include symbols and numbers as well as letters, and should never be something easily guessed about yourself. Even if you are using a secured internet connection, a lack of security, or of up-to-date security, on your device is just another invitation to have your data stolen.
4. Responding to a Scam: Scams are designed to look, read, and feel as authentic as possible. Email phishing, ‘robo’ calls, and social engineering tactics like personality quizzes are just a few examples of the ever-growing set of scams hackers and cyber criminals have developed to steal your personal data—right from the horse’s mouth. We often (mistakenly) place our trust blindly in communication channels like email, phone, and social media because those are places where we communicate with people and brands we do trust. Always be vigilant about the type of organization and the way in which it communicates with you before you answer. (The IRS, for instance, will never email you or call you for personal information.)
5. Data Storage and Disposal at Home: Probably one of the most overlooked ways in which our personal data can be compromised is how we manage our data at home. Do you have a safe, secure, and designated location at home for all your personal and private documents? (You should.) And, what do you do with sensitive information that you no longer need, like an expired credit card or an old bank statement? If your answer is to cut it up and throw it out, you’re putting your personal data at risk. This also holds true of old devices you want to get rid of. Consider the personal information amassed on the hard drives of your old laptop, tablet, smartphone or other data-storing device. If you don’t properly destroy the hard drive, the data can still be reconstructed and accessed long after you’ve disposed of the device (say, if you turned it over to a buy-back program or, worse, threw it in the trash for a dumpster-diver to find).
Proper Data Destruction and Disposal
While there’s little you can personally do to protect your information from a data breach at an organization, ensuring that the companies with whom you do business have a comprehensive data security and destruction policy is a good first step. There are also ways for you to better control your own data security. Taking steps like assessing your internet connections and device security and thinking before you respond to any digital or telephoned communication can greatly help you ensure your private data stays secure and remains uncompromised.
When it comes to home security measures and data disposal, we recommend you maintain a specific and private place for anything that contains your personal information, and that you bring end-of-life devices to a local data destruction day, often held at universities in the spring. Of course, if you are in the area, you are always welcome to bring your device to SEM for physical destruction. As a final note, if your personal data has been compromised and you’ve become a victim of identity theft, you should report the identity theft incident to the Federal Trade Commission (FTC) online at IdentityTheft.gov or by phone at 1-877-438-4338.
Secure data destruction device manufacturer supplies CUI line of paper shredders to provide compliance solutions for Executive Branch agencies and their affiliates to meet ISOO’s new CUI directive
Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to offer a complete line of high security paper shredders that meet requirements of the new Controlled Unclassified Information (CUI) Program instituted by the National Archives and Records Administration (NARA) and the Information Security Oversight Office (ISOO). The Program, which affects all Executive Branch agencies within the Federal Government as well as their affiliates that may handle CUI, mandates that paper containing CUI be destroyed to a 1mmx5mm particle, which is the same particle size as required by the National Security Agency (NSA) for classified and top secret information.
“We have been in frequent contact with NARA and ISOO, including presenting at their first CUI Industry Day held at the National Archives in Washington DC,” stated Todd Busic, Vice President of Security and Intelligence Operations at SEM. “As a result of our communication with these organizations and our commitment to the new directive, SEM has pledged to educate government agencies on the paper destruction requirement of the new CUI Program, which is quite different than what was once accepted as standard.”
“SEM has long been an industry leader in providing solutions on the cutting edge of new technology and on educating entities on new and updated data security regulations,” added Andrew Kelleher, President of SEM. “As a solutions provider to the Federal Government, we are fully committed to assisting NARA and ISOO in educating Executive Branch agencies on the new CUI directive and how best to achieve compliance.”
All unclassified information throughout the Executive Branch that requires any safeguarding or dissemination control is characterized as CUI, and the requirement applies to nearly all government agencies. Further, unclassified data such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Personally Identifiable Information (PII), as well as information relating to critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax, and transportation all fall under this requirement.
Executive Order 13556 “Controlled Unclassified Information” created a program for standardizing the management of CUI across the Executive branch and designated the National Archives and Records Administration (NARA) as Executive Agent. As such, NARA is responsible for the implementation of the CUI program as well as agency oversight to ensure compliance. The Archivist of the United States in turn delegated these responsibilities to the Information Security Oversight Office (ISOO), which issued 32 CFR Part 2002 “Controlled Unclassified Information” to establish a comprehensive policy for managing all aspects of CUI, including disposal and other program-specific requirements.
The rule affects not only all federal Executive Branch agencies that handle CUI but also all other organizations that in any way interact with CUI or have access to federal information on behalf of an agency. Therefore, these agencies must implement safeguarding or dissemination controls that are consistent with the CUI Program for any and all unclassified information. Prior to the CUI Program, agencies typically utilized agency-specific policies and procedures, of which there were many, resulting in inconsistently managed CUI.
The ISOO CUI directive has very clear requirements for information end-of-life, mandating that all CUI information be destroyed to NIST 800-88 specifications. For paper, the NIST 800-88 destruction specification is the same as NSA requirements for classified information: a 1mmx5mm final particle size. Therefore, all CUI paper must be destroyed using a high security shredder that produces a final particle size of 1mmx5mm or less, such as those listed on the NSA/CSS 02-01 EPL for classified paper destruction. All of SEM’s high security shredders meet the new CUI mandate.
In an effort to provide clear communication and simplified purchasing for Federal Government agencies, all of SEM’s compliant paper shredders are now marked as being appropriate for CUI destruction. For more information, visit www.semshred.com/CUI.
With GDPR (General Data Protection Regulation) in effect for almost a year now, even US-based companies are feeling its impact and the need to comply with stricter data security policies. Indeed, it likely won’t be long before the US creates its own set of national data privacy laws that all organizations will have to follow. In 2018, leading US-based technology companies called on the federal government to pass a law similar to GDPR, and in February of this year, the US Government Accountability Office made the same recommendation.
For those organizations that do business internationally, the European security mandate must be adhered to as if it were already a rule from the US federal government. If you don’t, the cost could be catastrophic.
The Criticality of Following GDPR
Not complying means subjecting your organization to a fine equaling two to four percent of your global annual revenue for the most recent fiscal year (on average, calculated at as much as $11-24 million). But it’s not enough to simply ensure your current privacy policies comply with GDPR. Breaches happen even to those US organizations whose existing practices meet those compliance requirements.
You should instead look at the bigger picture and take a thoughtful approach to your data security measures using GDPR as your guide. For one, the GDPR looks at data differently and holds that all private data is owned by the customer, not the business that collected it. For another, just because you’ve protected the data from breaches within the US doesn’t mean the data held by your global company couldn’t be improperly accessed outside the country.
Using GDPR to improve all your data-related policies can help you to find any gaps in your current security that could be closed, especially as it relates to data destruction and hard drive end-of-life practices. By putting the customer first over your business, as GDPR stipulates, you can better ensure the protection of personal and otherwise private information when it is no longer necessary to your business.
Think about your customer data and how it is stored. If you’re using a cloud system (as almost all of us are), your data isn’t just housed in one data center, but many, and that data is duplicated across multiple drives to prevent against data loss if a drive fails. For businesses operating outside the US, that means data centers housing this private information you are charged with protecting are not just within the US, but across the globe. Your data destruction policies therefore must address practices for drive end-of-life—something that happens on a regular basis since these drives operate for 24 hours a day, seven days a week, all year long.
Even if you don’t house your data across global centers, but you do business with EU customers who share their private information with your company, your business still has access to their data and therefore you must protect it, even upon disposal. More importantly, under the GDPR, any EU citizen has the right to request their information be eradicated and you must comply and delete the data while maintaining protection even after disposal.
So, how do you ensure your data disposal policies comply with GDPR for drives as well as for customers halfway across the world?
GDPR-Compliant Data and Drive Destruction Best Practices
GDPR requires your organization to place someone within the company in charge of overseeing and managing the compliance policies. Dubbed the Data Protection Officer, this person will be your key authority on data disposal and drive destruction as it relates to the GDPR. Along with this person, you’ll want to create a small group of personnel also within the US that will have the authority to access your company’s data.
At the very least, your Data Protection Officer should be on-site for drive destruction that occurs outside the US, such as if a drive in one of the data centers where your data is housed reaches end-of-life. It is crucial to have this person on-site to ensure your GDPR-compliant data and drive destruction policies are being followed. For one, this ensures control over who is accessing your data. For another, without this person present, you are blindly trusting that your data and drives have been properly disposed of, and that the person carrying out the disposal is not lying to you when they tell you the proper practices have been completed. What if this person, who reported to you that the data was properly destroyed, instead sold that data to a third party in another country or to a cybercriminal on the dark web? Sure, you can take legal action against this person after the breach has come to light. But the fallout from the breach itself can’t be stopped once it’s begun.
It’s therefore extremely important to require your Data Protection Officer or someone within your authorized personnel group to be on-site for outside-US data and drive destruction, and that this person must provide an audit report for the data and drive destruction event.
For drive destruction within the US, your Data Protection Officer and authorized personnel should manage the disposal process from start to finish. It’s recommended that you create a private space within your organization to house a data and/or drive destruction machine, rather than work with a third party off-site. We have data destruction machinery that is compliant with GDPR stipulations. It may also behoove your organization to keep a record audit of the disposal to prove your company’s compliance to GDPR in the event a breach does occur.
Weighing the True Costs of Data Breaches
We already mentioned the massive fine that will be issued by the GDPR Supervisory Authorities to an organization under GDPR that is found to be noncompliant when a breach occurs. Then there’s the typical range of costs associated with data breaches, including legal fees for any counsel or action taken by the company in its defense, civil and criminal penalties under US federal regulations and, of course, potential lawsuit payouts. Factor in the non-financial costs to your business, such as a loss of reputation and integrity along with a loss in your customer base, and you’re looking at a total cost to your organization that could severely impact its existence.
The irony is that by planning for the worst and investing in a team as well as the necessary on-site data destruction machinery, you can save your company’s standing as well as its revenue. Operating under GDPR rules includes making sure your company has the proper data and drive disposal methods that are deemed GDPR-compliant. SEM has plenty of affordable options, and when all things are considered in the aftermath of a breach, this technology provides protection at a fraction of the price it would cost if you were to experience a breach.
SEM is looking for an experienced Mechanical Engineer to work in our engineering department. The successful candidate will be responsible for the overall product design, scheduling and time management of the project including external consultants and suppliers, testing and full implementation into production. This candidate’s focus will primarily be mechanical design, but they will need to specify and integrate electrical components into designs and also interact with and manage electrical design consultants. A good working knowledge of electrical systems and components is strongly desired. The position will also include other tasks when required. These may include the following: supporting production; supporting and troubleshooting products returned for repair; creating product documentation for new products; certification of products; etc.
Bachelor’s Degree in Mechanical Engineering or equivalent degree/experience.
3 to 5 years’ experience in designing electro-mechanical devices or equipment.
Proficiency in 3D CAD modeling. SolidWorks is strongly preferred.
Must have some electrical experience, preferably with single- and 3-phase AC and DC power systems. Some knowledge of PLC- and microcontroller-based systems is a plus.
Ability to read electrical schematics on both system level and PCB level.
Must have good knowledge of machining and a full comprehension of mechanical drawings. Machining experience is a plus.
Must possess strong writing, communication, analytical skills and attention to detail.
Strong mechanical aptitude and conceptualization skills are strongly preferred.
Must be able to work both independently and with vendors, consultants and other departments.
Must possess good computer skills and proficiency in MS Word, Excel, and PowerPoint.
SEM is a world leader in providing information destruction equipment to the US Government and data centers worldwide.
SEM offers a team-oriented, business casual work environment, with benefits including medical, dental, 401K, profit sharing and paid time off. Please send your cover letter with salary requirements and resume to email@example.com.
Under a Microscope: Dissecting the Implications of DIN 66399
Covering everything from safeguards for children’s toys to design requirements for roller sports equipment, DIN standards are also used to define and standardize the different security levels for physical data destruction internationally. Originating in Europe, these standards are continually making headway toward global acceptance as a benchmark for setting the particle size to which each type of data carrier must be destroyed.
DIN 66399 specifically addresses standards for the destruction of data devices. This particular standard—which replaced DIN 32757—features over 40 variations based on protection classes, material/media and security levels. These three broad criteria are intended to drive the data device destruction process, guiding users so they can make informed end-of-life data disposal decisions.
Companies or government entities must begin the destruction process by first determining what type of data needs to be destroyed. DIN 66399 has three protection classes that help you define the requirements and classification for your data:
Class 1: Normal Protection: Sensitivity for internal data that’s accessible by fairly large groups of people. Unauthorized information disclosure or transfer at this level could have negative effects on a company or make individuals vulnerable to identity theft and besmirching of reputation.
Class 2: Higher Protection: Sensitivity for confidential data that’s restricted to a small group of employees. Unauthorized information disclosure or transfer at Class 2 would have serious effects on a company and could lead to violation of laws or contractual obligations. Disclosure of personal data runs the risk of serious damage to an individual’s social standing or financial situation.
Class 3: Very High Protection: Sensitivity for confidential and top-secret data that’s restricted to an extremely small group of named individuals. Any information disclosure here would pose catastrophic, existential threats to a company/government entity and/or lead to violation of trade secrets, contracts and laws. Disclosure of personal data runs the risk of jeopardizing an individual’s personal freedom, safety, or life.
Material/Media Classification and Security Levels
Having determined the applicable protection class, you should subsequently consult DIN 66399 to classify the material on which your data resides and identify the corresponding security level. Per DIN standards, this data destruction security level dictates the appropriate final shredding size for your media or paper documents.
DIN 66399 requirements by data device material are as follows:
Film: DIN 66399 Material Classification F refers to information in miniaturized form (e.g., microfilm), with security levels running (lowest to highest) from F-1 to F-7. For example, F-1 stipulates a maximum material particle size of 160 mm², while F-7 stipulates a corresponding size of 0.2 mm².
Optical Media: DIN 66399 Material Classification O pertains to information on optical data carriers (e.g., CDs/DVDs). Security levels run from O-1 (max 2,000 mm²) to O-7 (max 0.2 mm²).
Magnetic Media: DIN 66399 Material Classification T pertains to information on magnetic data carriers (e.g., ID cards, floppy disks and diskettes). Security levels run from T-1 (media must be rendered mechanically inoperable) to T-7 (max 2.5 mm²).
Hard Drives: DIN 66399 Material Classification H pertains to information on hard drives with magnetic data carriers. Security levels run from H-1 (media must be rendered mechanically/electrically inoperable) to H-7 (max 5 mm²).
Electronic Media: DIN 66399 Material Classification E pertains to information on electronic data carriers (e.g., chip cards and memory sticks/flash drives). Security levels run from E-1 (media must be rendered mechanically/electrically inoperable) to E-7 (max 0.5 mm²).
Paper: DIN 66399 Material Classification P pertains to information presented in original size (e.g., paper, films and printing plates). Security levels run from P-1 (max strip width of 12 mm or max particle surface area of 2,000 mm²) to P-7 (1 mm x 5 mm).
The Relevance of DIN 66399 Regarding NSA Standards
In the U.S., of course, standards for classified data or otherwise protected information and data destruction device compliance are determined, implemented, and monitored by the NSA—not by DIN.
Nonetheless, DIN 66399 is increasingly gaining acceptance worldwide, including in the U.S., as a reflection of best practices within the data destruction industry, and DIN is frequently referenced in U.S. data destruction requirements. What’s more, although the use of DIN standards is voluntary, they become mandatory in certain instances when they are referred to in contracts, laws, or regulations.
For these reasons, it’s important to stay current on the structure of DIN 66399 and its compliance requirements when you are beginning your data destruction process.