Why Data Centers Need to Know About GLBA Compliance

May 14, 2019 at 1:10 pm by Heidi White

Data privacy and data protection rules are hot topics, having prompted us to consider exactly how we share, store, and dispose of our personal information from the individual level to the corporate level. Indeed, most (if not all) businesses must now adhere to some sort of data protection and privacy policy as set forth by industry standards. But what happens if your business interacts with other businesses that have their own policies and regulations to follow? Do you have to adopt those rulings for your business in order to continue working together? In most cases, the answer is yes.

Take data centers. If you operate such a business, you likely have stringent rules in place for securing the data you house on behalf of your clients. But, do you also follow the data regulations and privacy policies set forth by your clients? If your answer is no and your clientele is covered under the GLBA, you’ll need to revisit your information security plan immediately to incorporate GLBA compliance.

What is GLBA?

The Gramm-Leach-Bliley Act (GLBA) of 1999 mandates that financial institutions and any other companies that offer financial products to consumers such as loans, financial or investment advice, and insurance must have safeguards to protect their customers’ sensitive data and must also disclose in full their information-sharing practices and data security policies to their customers.

Check-cashing businesses, payday lenders, real estate appraisers, professional tax preparers, courier services, mortgage brokers, and nonbank lenders are examples of businesses that don’t necessarily fall under the “financial institution” category yet are included in the GLBA. The reason is that these organizations are significantly involved in providing financial products and services and therefore have access to personally identifiable information (PII) and sensitive data like social security numbers, phone numbers, addresses, bank and credit card numbers, and income and credit histories.


GLBA Compliance: Applicable to More than Just GLBA-Covered Businesses

In accordance with GLBA, organizations covered under this Rule must develop a written information security plan that details the policies put in place at the organization to protect customer information. The security measures must be appropriate to the size of the business and the complexity of the data collected. Moreover, each company must designate an employee or a group of personnel to coordinate and enforce its security measures. Lastly, the organization must continually evaluate the effectiveness of its developed security measures, identifying and assessing risks to improve upon the policy and measures taken as needed.

At this point, you may be asking yourself, “How does this affect my business as a data center?”

The data safeguard rules also apply to any third-party affiliates and service providers employed by the companies covered under GLBA. As such, it is the responsibility of the GLBA-covered company to ensure the same steps are taken by the affiliate third-party to protect the data they interact with or store on behalf of the company. This means companies under GLBA are going to select third-party service providers like yours based on those companies that are also set up operationally with the same steps and policies in place to safeguard sensitive data. Furthermore, organizations under GLBA have the authority to manage the way in which their service provider handles their customer information to ensure compliance with GLBA.

Cloud-based data centers therefore must comply with GLBA rules for security policies and enforcement or risk losing business from those organizations and other potential clients that are covered under GLBA. As the data center operator, you could go about this in one of three ways: 1) Create separate GLBA-compliant policies for each client organization based on their needs, 2) Allow each client organization to delineate the GLBA-compliant policies they’d like your business to follow and adopt those accordingly, or 3) Establish one set of GLBA-compliant policies that cover all aspects of data protection and privacy that can work for all client organizations and potential new business.

[Image: An SSD before and after going through a SEM Model 2SSD solid state disintegrator]

GLBA and Data Destruction

Just as there are plans and personnel in place to oversee the safeguarding of data while it’s in use, under the GLBA there must be a plan and personnel in place to oversee data destruction when the data has reached its end-of-life. These policies and plans for the proper disposal of secured data should be incorporated into the organization’s information security plan and should be regularly evaluated for risk as well. While this is a straightforward task for the GLBA-covered company, developing and enforcing GLBA-compliant data destruction policies for a third-party affiliate or service provider like a data center is a different story entirely.

Not only do you need to create a set of protocols around data and drive destruction for your data center, you need to be able to prove to your client organization that you can properly dispose of the drives the data is housed on as well as the data itself. This is because both data and drive disposal must be achieved so that neither the data nor the drive can be recovered or otherwise reconstructed after destruction. Since your data center already provides remote access to the information you store, it’s recommended that you purchase and maintain data destruction machinery at your center. This way, you also control where that sensitive information is handled during the data destruction event.

One of the simplest ways to ensure compliance during data destruction events is to work with the GLBA-covered organization to assign certain personnel to that task within your data center. For instance, assigned personnel within your company as well as the client company’s GLBA task force would be required to be on-site during data destruction events. Both parties would be responsible for enforcing data destruction at the data center, including the documentation of every data destruction event, to ensure compliance and alleviate liability in the event of a breach.

Security Engineered Machinery is the global leader in high security information end-of-life solutions including paper and IT shredders, crushers, disintegrators, and degaussers.

FISMA Requirements: Are You Compliant?

May 2, 2019 at 6:55 pm by Heidi White

All US-based organizations and agencies, whether public or private, must comply with certain information security measures when it comes to data storage and disposal. For government agencies and affiliated organizations, information security is paramount because of the sensitive nature of the information housed within these parties. To ensure the protection of proprietary United States data, legislation to regulate proper data and information security management was passed as part of the Electronic Government Act of 2002.

Called the Federal Information Security Management Act (FISMA), this law focuses on the importance of data security as it relates to the economic and national security interests of the US. As such, FISMA stipulates that all government agencies, government contractors, and any organization that exchanges data directly with a government system must safeguard all of their information technology (IT) systems, including stored data, by developing, documenting, and implementing an information security program.

In 2014, this law was amended to the Federal Information Security Modernization Act (FISMA 2014) to bolster the authority of the Department of Homeland Security (DHS) to administer, implement, and provide technical assistance with information security policies for non-national security (civilian) federal Executive Branch systems. FISMA 2014 also updated and clarified the oversight authority of the Office of Management and Budget (OMB) and its ability to eliminate inefficient and wasteful reporting by any organization under FISMA. It also sanctions DHS’ role in assisting OMB with this responsibility.

FISMA: Who It Affects and Why It’s Important

The purpose of FISMA is to protect government information, assets, and operations against natural threats and criminal activity, whether from within the US or outside. Therefore, any US organization directly related to or doing business with the US government, including federal- and state-level government agencies and contractors, state government departments, military subcontractors, and even data clearinghouses, falls under FISMA regulations.

Failure to pass a FISMA inspection by DHS or OMB can result in unfavorable publicity for your organization and a cut to your IT budget, as well as significant administrative ramifications to your organization. However, failure to comply with FISMA, especially when it comes to breach avoidance and proper data destruction, can have much grander and more catastrophic implications for you and your organization. Should any of your private, secured federal data be compromised and your organization be found to be noncompliant, there are serious civil and criminal federal consequences.

How to Comply with FISMA

C-suite executives like chief information officers, information security officers, senior agency officials, and agency program officials are all responsible and held accountable for ensuring compliance of FISMA within their respective organization.

As stated in FISMA, these federal or otherwise federally affiliated organizations must develop, implement, and accurately manage an information security program to safeguard the IT systems and any ensuing data that is collected, stored, and transferred. This includes documentation of both the security systems and the access granted to stored federal information.

The National Institute of Standards and Technology (NIST) outlines steps that these individuals should take to comply with FISMA:

  1. Track and categorize all information and media devices that must be protected.
  2. Set baseline security controls. Implement and document their use in the appropriate security system.
  3. Regularly refine these controls using a defined risk-assessment procedure as part of an annual review process.
  4. Authorize the IT system for processing within the selected group of authorized personnel and monitor the systems on a regular basis.

Complying with FISMA also extends into data destruction and device disposal practices. Full data destruction requirements can be found under the Federal Information Processing Standards (FIPS) Publication 200: Minimum Security Requirements for Federal Information and Information Systems. According to FIPS, organizations under FISMA must: i) set and enforce policies for protecting all data and information systems, whether on paper or in digital format, ii) appoint authorized personnel for sole access of the IT systems and federal information and iii) ensure complete and total destruction of both the data and the media in which it is stored upon reaching end-of-life.

When it comes to the disposal of this federally-protected private data, FIPS also states that the organization must develop and enforce a set of policies for how the data and media should be destroyed, and accurately document every data disposal event, most easily accomplished by using an audit-friendly media tracking system such as SEM’s iWitness. It’s recommended to purchase on-site data destruction machinery and limit access to the data and the data destruction machinery to a small group of authorized personnel.

[Image: SEM’s iWitness media tracking system provides audit-friendly compliance with FISMA’s documentation requirements]

Furthermore, when it comes to the data end-of-life cycle, the device in which the data is housed must also be destroyed via degaussing, incinerating, melting, or pulverizing machinery so that neither device nor data can be read or otherwise reconstructed. And, you want to choose a vendor like SEM that has NIST- and NSA-approved data destruction machinery.

The Top 5 Ways Our Personal Data Gets Compromised

April 30, 2019 at 8:26 pm by Heidi White

It seems like we can’t go a week without hearing about a data breach or a situation in which personal data has been compromised. Unfortunately, cybercriminals are becoming more sophisticated in their antics and there is very little we can do to stop cyber attacks from happening.

We can, however, arm ourselves against hackers and identity thieves by first understanding the main ways in which our personal data can be compromised. Then, we can take necessary steps to safeguard our personal data and prevent criminals from accessing our private information.

Understanding How our Personal Data Gets Compromised

The fact of the matter is that there are many ways in which our personal data can become compromised. Yet, they all seem to boil down to five main reasons, some of which are under our control and some are not. 

The Top 5 Ways Personal Data is Compromised:


1. Organizational Data Breach: In order to do business with us, organizations often require our personal information. From financial institutions and credit bureaus to medical groups, email and social media platforms, subscription-based platforms and data-storage cloud companies…the list goes on. We trust that the organization follows its outlined security protocols to keep our private information, private. When that organization fails to deliver on its security measures, as we’ve collectively witnessed with the recent onslaught of big-data and cloud-system security breaches, our personal information is subject to unauthorized access and theft. Be sure you trust the organization and understand its data management policies and procedures for how your personal data will be used, stored, secured and destroyed before sharing personal information.

2. Unsecured Internet Connection: Even though it’s enticing to stop in to your local coffee shop or public library to work remotely from your laptop or portable device, you should always check the security of the internet connection you’re about to use, first. Public or otherwise unsecured connections are the most susceptible to cyber-criminal activity; using an unsecured internet connection is like inviting the hackers to your doorstep. In short, if the internet connection can be accessed without a password, don’t connect to it. 

3. Unsecured Device: The same can be said for any device you use to access the internet. From smartphones to laptops and tablets and now smart home devices like Amazon Echo and Google Home, these devices hold troves of our personal and private data. Maintaining updated security software and firewalls and adding extra protection like two-factor authentication are imperative to ensuring your device is protected from outside penetration. Password strength also falls under device security. Passwords should never be reused across accounts, should include characters and numbers as well as letters, and should never be something easily guessed about yourself. Even if you are using a secured internet connection, a lack of security, or of updated security, on your device is just another invitation for having your data stolen.

4. Responding to a Scam: Scams are designed to look, read and feel as authentic a communication as possible. Email phishing, ‘robo’ calls and social engineering tactics like personality quizzes are just a few examples of the ever-growing scams hackers and cyber criminals have developed to steal your personal data—right from the horse’s mouth. We often (mistakenly) place our trust blindly into communication efforts like email, phone and social media because those are places we communicate with people and brands we do trust. Always be vigilant of the type of organization and the way in which they communicate with you before you answer. (The IRS, for instance, will never email you or call you for personal information.)

5. Data Storage and Disposal at Home: Probably one of the most overlooked ways in which our personal data can be compromised is how we manage our data at home. Do you have a safe, secure, and designated location at home for all your personal and private documents? (You should.) And, what do you do with sensitive information that you no longer need, like an expired credit card or an old bank statement? If your answer is to cut it up and throw it out, you’re putting your personal data at risk. This also holds true of old devices you want to get rid of. Consider the personal information amassed on the hard drives of your old laptop, tablet, smartphone or other data-storing device. If you don’t properly destroy the hard drive, the data can still be reconstructed and accessed long after you’ve disposed of the device (say, if you turned it over to a buy-back program or, worse, threw it in the trash for a dumpster-diver to find).

[Image: Security-focused organizations use hard drive shredders to destroy drives at end-of-life]

Proper Data Destruction and Disposal

While there’s little you can personally do to protect your information from a data breach at an organization, ensuring that the companies with whom you do business have a comprehensive data security and destruction policy is a good first step. There are also ways for you to better control your own data security. Taking steps like assessing your internet connections and device security and thinking before you respond to any digital or telephoned communication can greatly help you ensure your private data stays secure and remains uncompromised. 

When it comes to home security measures and data disposal, we recommend you maintain a specific and private place for anything that contains your personal information, and that you bring end-of-life devices to a local data destruction day, often held at universities in the spring. Of course, if you are in the area, you are always welcome to bring your device to SEM for physical destruction. As a final note, if your personal data has been compromised and you’ve become a victim of identity theft, you should report the identity theft incident to the Federal Trade Commission (FTC) online at IdentityTheft.gov or by phone at 1-877-438-4338.

Security Engineered Machinery Provides Compliance Solutions for the Destruction of CUI

April 5, 2019 at 3:22 pm by Heidi White

Secure data destruction device manufacturer supplies CUI line of paper shredders to provide compliance solutions for Executive Branch agencies and their affiliates to meet ISOO’s new CUI directive

[Image: SEM’s entire line of high security paper shredders comply with the new CUI paper destruction requirement]

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to offer a complete line of high security paper shredders that meet requirements of the new Controlled Unclassified Information (CUI) Program instituted by the National Archives and Records Administration (NARA) and the Information Security Oversight Office (ISOO). The Program, which affects all Executive Branch agencies within the Federal Government as well as their affiliates that may handle CUI, mandates that paper containing CUI be destroyed to a 1mmx5mm particle, which is the same particle size as required by the National Security Agency (NSA) for classified and top secret information.

“We have been in frequent contact with NARA and ISOO, including presenting at their first CUI Industry Day held at the National Archives in Washington DC,” stated Todd Busic, Vice President of Security and Intelligence Operations at SEM. “As a result of our communication with these organizations and our commitment to the new directive, SEM has pledged to educate government agencies on the paper destruction requirement of the new CUI Program, which is quite different than what was once accepted as standard.”

“SEM has long been an industry leader in providing solutions on the cutting edge of new technology and on educating entities on new and updated data security regulations,” added Andrew Kelleher, President of SEM. “As a solutions provider to the Federal Government, we are fully committed to assisting NARA and ISOO in educating Executive Branch agencies on the new CUI directive and how best to achieve compliance.”

All unclassified information throughout the Executive Branch that requires any safeguarding or dissemination control is characterized as CUI and includes nearly all government agencies. Further, unclassified data such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), Personally Identifiable Information (PII), as well as information relating to critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax, and transportation all fall under this requirement.

Executive Order 13556 “Controlled Unclassified Information” created a program for standardizing the management of CUI across the Executive branch and designated the National Archives and Records Administration (NARA) as Executive Agent. As such, NARA is responsible for the implementation of the CUI program as well as agency oversight to ensure compliance. The Archivist of the United States in turn delegated these responsibilities to the Information Security Oversight Office (ISOO), which issued 32 CFR Part 2002 “Controlled Unclassified Information” to establish a comprehensive policy for managing all aspects of CUI, including disposal and other program-specific requirements. 

The rule affects not only all federal Executive Branch agencies that handle CUI but also all other organizations that in any way interact with CUI or have access to federal information on behalf of an agency. Therefore, these agencies must implement safeguarding or dissemination controls that are consistent with the CUI Program for any and all unclassified information. Prior to the CUI Program, agencies typically utilized agency-specific policies and procedures, of which there were many, resulting in inconsistently managed CUI.

The ISOO CUI directive has very clear requirements for information end-of-life, mandating that all CUI information be destroyed to NIST 800-88 specifications. For paper, the NIST 800-88 destruction specification is the same as NSA requirements for classified information: a 1mmx5mm final particle size. Therefore, all CUI paper must be destroyed using a high security shredder that produces a final particle size of 1mmx5mm or less, such as those listed on the NSA/CSS 02-01 EPL for classified paper destruction. All of SEM’s high security shredders meet the new CUI mandate.

In an effort to provide clear communication and simplified purchasing for Federal Government agencies, all of SEM’s compliant paper shredders are now marked as being appropriate for CUI destruction. For more information, visit www.semshred.com/CUI.

The Impact of GDPR on US Companies and Organizations

March 28, 2019 at 4:59 pm by Heidi White

With GDPR (General Data Protection Regulation) in effect for almost a year now, even US-based companies are feeling its impact and the need to comply with stricter data security policies. Indeed, it likely won’t be long before the US creates its own set of national data privacy laws that all organizations will have to follow. In 2018, leading US-based technology companies called on the federal government to pass a law similar to GDPR, and in February of this year, the US Government Accountability Office made the same recommendation.

For those organizations that do business internationally, the European security mandate must be adhered to as if it were already a rule from the US federal government. If you don’t, the cost could be catastrophic.


The Criticality of Following GDPR

Not complying means subjecting your organization to a fine equaling two to four percent of your global annual revenue for the most recent fiscal year (on average, calculated at as much as $11-24 million). But, it’s not enough to simply ensure your current privacy policies comply with GDPR. Breaches happen to even those US organizations whose existing practices meet those compliance requirements.

You should instead look at the bigger picture and take a thoughtful approach to your data security measures using GDPR as your guide. For one, the GDPR looks at data differently and poses that all private data is owned by the customer, not the business in which it was collected. For another, just because you’ve protected the data from breaches from within the US doesn’t mean the data from your global company couldn’t be improperly accessed outside the country.

Using GDPR to improve all your data-related policies can help you to find any gaps in your current security that could be closed, especially as it relates to data destruction and hard drive end-of-life practices. By putting the customer first over your business, as GDPR stipulates, you can better ensure the protection of personal and otherwise private information when it is no longer necessary to your business.


Think about your customer data and how it is stored. If you’re using a cloud system (as almost all of us are), your data isn’t just housed in one data center, but many, and that data is duplicated across multiple drives to prevent against data loss if a drive fails. For businesses operating outside the US, that means data centers housing this private information you are charged with protecting are not just within the US, but across the globe. Your data destruction policies therefore must address practices for drive end-of-life—something that happens on a regular basis since these drives operate for 24 hours a day, seven days a week, all year long.

Even if you don’t house your data across global centers, but you do business with EU customers who share their private information with your company, your business still has access to their data and therefore you must protect it, even upon disposal. More importantly, under the GDPR, any EU citizen has the right to request their information be eradicated and you must comply and delete the data while maintaining protection even after disposal.

So, how do you ensure your data disposal policies comply with GDPR for drives as well as for customers halfway across the world?

GDPR-Compliant Data and Drive Destruction Best Practices

GDPR requires your organization to place someone within the company in charge of overseeing and managing the compliance policies. Dubbed the Data Protection Officer, this person will be your key authority on data disposal and drive destruction as it relates to the GDPR. Along with this person, you’ll want to create a small group of personnel also within the US that will have the authority to access your company’s data.


At the very least, your Data Protection Officer should be on-site for drive destruction that occurs outside the US, such as if a drive in one of the data centers where your data is housed reaches end-of-life. It is crucial to have this person on-site to ensure your GDPR-compliant data and drive destruction policies are being followed. For one, this ensures control over who is accessing your data. For another, without this person present, you are blindly trusting that your data and drives have been properly disposed of, and that the person carrying out the disposal is not lying to you when they tell you the proper practices have been completed. What if this person, who reported to you that the data was properly destroyed, instead sold that data to a third party in another country or to a cybercriminal on the dark web? Sure, you can take legal action against this person after the breach has come to light. But the fallout from the breach itself can’t be stopped once it’s begun.

It’s therefore extremely important to require your Data Protection Officer or someone within your authorized personnel group to be on-site for outside-US data and drive destruction, and that this person must provide an audit report for the data and drive destruction event.

For drive destruction within the US, your Data Protection Officer and authorized personnel should manage the disposal process from start to finish. It’s recommended that you create a private space within your organization to house a data and/or drive destruction machine, rather than work with a third party off-site. We have data destruction machinery that is compliant with GDPR stipulations. It may also behoove your organization to keep a record audit of the disposal to prove your company’s compliance to GDPR in the event a breach does occur.

[Image: Hard drive shredders are the most efficient and secure method of destroying rotational hard drives.]

Weighing the True Costs of Data Breaches

We already mentioned the massive fine that will be issued by the GDPR Supervisory Authorities for an organization under GDPR that is found to be noncompliant when the breach occurs. Then there’s the typical range of costs associated with data breaches including legal fees for any counselling or action taken by the company in its defense, civil and criminal penalties under US federal regulations and, of course, potential lawsuit payouts. Factor in the non-financial costs to your business, such as a loss to your reputation and integrity, along with a loss in your customer base, and you’re looking at a total cost to your organization that could severely impact its existence.

The irony is that by planning for the worst and investing in a team as well as the necessary on-site data destruction machinery, you can save your company’s standing as well as its revenue. Operating under GDPR rules includes making sure your company has the proper data and drive disposal methods that are deemed GDPR-compliant. SEM has plenty of affordable options, and when all things are considered in the aftermath of a breach, this technology provides protection at a fraction of the price it would cost if you were to experience a breach.

Mechanical Engineer

March 4, 2019 at 4:02 pm by Heidi White

Job Description:

SEM is looking for an experienced Mechanical Engineer to work in our engineering department. The successful candidate will be responsible for the overall product design, scheduling and time management of the project including external consultants and suppliers, testing and full implementation into production. This candidate’s focus will primarily be mechanical design, but they will need to specify and integrate electrical components into designs and also interact with and manage electrical design consultants. A good working knowledge of electrical systems and components is strongly desired. The position will also include other tasks when required. These may include the following: supporting production; supporting and troubleshooting products returned for repair; creating product documentation for new products; certification of products; etc.

Job Requirements:

  • Bachelor’s Degree in Mechanical Engineering or equivalent degree/experience.
  • 3 to 5 years’ experience in designing electro-mechanical devices or equipment.
  • Proficiency in 3D CAD modeling. SolidWorks is strongly preferred.
  • Must have some electrical experience, preferably with single and 3-phase AC and DC power systems. Some knowledge of PLC and microcontroller based systems, a plus.
  • Ability to read electrical schematics on both system level and PCB level.
  • Must have good knowledge of machining and a full comprehension of mechanical drawings. Machining experience, a plus.
  • Must possess strong writing, communication, analytical skills and attention to detail.
  • Strong mechanical aptitude and conceptualization skills, strongly preferred.
  • Must be able to work both independently and with vendors, consultants and other departments.
  • Must possess good computer skills and proficiency in MS Word, Excel, and PowerPoint.

SEM is a world leader in providing information destruction equipment to the US Government and Data Centers world-wide.

SEM offers a team oriented business casual work environment, with benefits including medical, dental, 401K, profit sharing and paid time off.  Please send your cover letter with salary requirements and resume to m.divirgilio@semshred.com.

What’s the ‘Din’ about DIN?

February 15, 2019 at 4:03 pm by Heidi White

Under a Microscope: Dissecting the Implications of DIN 66399

Covering everything from safeguards for children’s toys to design requirements for roller sports equipment, DIN (the German Institute for Standardization) also publishes the standard used to define and standardize the security levels for physical data destruction. Originating in Germany, these standards are steadily gaining global acceptance as the benchmark for the particle size to which each type of data carrier must be reduced.

The DIN 66399 P-7 standard for paper destruction is 1 mm x 5 mm, the same as the NSA standard for the destruction of classified paper.

DIN 66399 specifically addresses the destruction of data carriers. This standard, which replaced DIN 32757, defines over 40 variations (six material classes, each with seven security levels) selected according to three protection classes. These three criteria, protection class, material/media and security level, are intended to drive the data carrier destruction process, guiding users so they can make informed end-of-life data disposal decisions.

Protection Classes

Companies or government entities must begin the destruction process by first determining what type of data needs to be destroyed. DIN 66399 has three protection classes that help you define the requirements and classification for your data:

Information from professional service firms including lawyers and attorneys would fall under Class 1 or Class 2, depending on the type of data.

  • Class 1: Normal Protection: internal data that is accessible to a fairly large group of people. Unauthorized disclosure or transfer at this level could have a negative effect on a company or expose individuals to identity theft and damage to their reputation.
  • Class 2: Higher Protection: confidential data that is restricted to a small group of employees. Unauthorized disclosure or transfer at Class 2 would have serious effects on a company and could lead to violation of laws or contractual obligations. Disclosure of personal data risks serious damage to an individual’s social standing or financial situation.
  • Class 3: Very High Protection: confidential and top-secret data that is restricted to an extremely small group of named individuals. Any disclosure here would pose catastrophic, existential threats to a company or government entity and/or lead to violation of trade secrets, contracts and laws. Disclosure of personal data risks jeopardizing an individual’s personal freedom, safety, or life.

Material/Media Classification and Security Levels

Having determined the applicable protection class, consult DIN 66399 to classify the material on which your data resides and identify the corresponding security level. This security level dictates the maximum particle size to which your media or paper documents must be reduced.

SEM lists devices that meet every type of DIN 66399 destruction requirement.

DIN 66399 requirements by data device material are as follows:

  • Film: DIN 66399 Material Classification F refers to information in miniaturized form (e.g., microfilm), with security levels running (lowest to highest) from F-1 to F-7. F-1 allows a maximum particle surface area of 160 mm², while F-7 allows 0.2 mm².
  • Optical Media: DIN 66399 Material Classification O pertains to information on optical data carriers (e.g., CDs/DVDs). Security levels run from O-1 (max 2,000 mm²) to O-7 (max 0.2 mm²).
  • Magnetic Media: DIN 66399 Material Classification T pertains to information on magnetic data carriers other than hard drives (e.g., ID cards, floppy disks and diskettes). Security levels run from T-1 (media must be rendered mechanically inoperable) to T-7 (max 2.5 mm²).
  • Hard Drives: DIN 66399 Material Classification H pertains to information on hard drives with magnetic data carriers. Security levels run from H-1 (media must be rendered mechanically/electrically inoperable) to H-7 (max 5 mm²).
  • Electronic Media: DIN 66399 Material Classification E pertains to information on electronic data carriers (e.g., chip cards and memory sticks/flash drives). Security levels run from E-1 (media must be rendered mechanically/electrically inoperable) to E-7 (max 0.5 mm²).
  • Paper: DIN 66399 Material Classification P pertains to information presented at original size (e.g., paper, films and printing plates). Security levels run from P-1 (max strip width of 12 mm, or max particle surface area of 2,000 mm²) to P-7 (max particle surface area of 5 mm² with a strip width of at most 1 mm, i.e. roughly 1 mm x 5 mm).
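The post lists only the end points of each material class. The following is an added worked example, not SEM’s code and not part of the DIN text, that turns the three-step procedure above (protection class, material class, security level) into a check a practitioner can run on a measured shred particle. The intermediate thresholds for each material class are taken from DIN 66399-2, and the mapping from protection class to permitted security levels (Class 1: levels 1 to 3, Class 2: levels 3 to 5, Class 3: levels 4 to 7) is from DIN 66399-1; neither is stated in the post. Function and variable names are illustrative.

```python
"""DIN 66399 particle-size compliance check (added example, not SEM's code).

Thresholds below are the DIN 66399-2 values; the post above cites only the
lowest and highest level of each material class.  Class-to-level mapping is
from DIN 66399-1.
"""

# Maximum particle surface area (mm^2) for each level that is defined by a
# particle size.  Levels defined only by functional damage (T-1 "mechanically
# inoperable", T-2, H-1..H-3, E-1..E-2) are omitted on purpose: a particle
# measurement cannot prove them.
AREA_LIMITS = {
    "F": {1: 160, 2: 30, 3: 10, 4: 2.5, 5: 1, 6: 0.5, 7: 0.2},
    "O": {1: 2000, 2: 800, 3: 160, 4: 30, 5: 10, 6: 5, 7: 0.2},
    "T": {3: 2000, 4: 320, 5: 30, 6: 10, 7: 2.5},
    "H": {4: 2000, 5: 320, 6: 10, 7: 5},
    "E": {3: 160, 4: 30, 5: 10, 6: 1, 7: 0.5},
}

# Paper (P) has two criteria.  P-1..P-3 may be met either by a strip of
# limited width and any length, or by a particle area.  P-4..P-7 require a
# particle area limit AND a maximum particle width.
PAPER_STRIP_ONLY = {1: 12, 2: 6, 3: 2}  # max strip width in mm, any length
PAPER_PARTICLE = {  # level: (max area mm^2, max width mm or None)
    1: (2000, None), 2: (800, None), 3: (320, None),
    4: (160, 6), 5: (30, 2), 6: (10, 1), 7: (5, 1),
}

# DIN 66399-1: permitted security levels per protection class (low, high).
CLASS_TO_LEVELS = {1: (1, 3), 2: (3, 5), 3: (4, 7)}


def din_level(material, width_mm, length_mm):
    """Highest security level a particle of width x length satisfies for the
    material class, or 0 if it meets no particle-based level."""
    material = material.upper()
    area = width_mm * length_mm
    if material == "P":
        best = 0
        for level, (max_area, max_width) in PAPER_PARTICLE.items():
            if area <= max_area and (max_width is None or width_mm <= max_width):
                best = max(best, level)
        for level, max_width in PAPER_STRIP_ONLY.items():
            if min(width_mm, length_mm) <= max_width:  # strip of any length
                best = max(best, level)
        return best
    met = [lvl for lvl, max_area in AREA_LIMITS[material].items() if area <= max_area]
    return max(met) if met else 0


def required_levels(protection_class):
    """(lowest, highest) security level DIN 66399-1 assigns to the class."""
    return CLASS_TO_LEVELS[protection_class]


def is_compliant(protection_class, material, width_mm, length_mm):
    """True if the achieved level is at least the lowest level the protection
    class permits.  Destroying to a higher level than required is allowed;
    falling below the band is not."""
    low, _high = required_levels(protection_class)
    return din_level(material, width_mm, length_mm) >= low


if __name__ == "__main__":
    # Constructed measurements: (protection class, material, width, length)
    for pc, mat, w, l in [(2, "P", 2, 15), (1, "P", 12, 297), (3, "H", 2, 2),
                          (3, "E", 2, 2), (3, "T", 50, 50)]:
        lvl = din_level(mat, w, l)
        print(f"class {pc} {mat} {w}x{l} mm -> {mat}-{lvl}, "
              f"compliant={is_compliant(pc, mat, w, l)}")
```

A 2 mm x 15 mm paper particle reaches P-5, which satisfies Class 2 but not the P-7 the caption above describes; a 2 mm x 2 mm hard-drive particle (4 mm²) reaches H-7 and satisfies every class, while the same size of chip from a flash device only reaches E-5, because the E class has tighter limits at the top end. Note that the lowest T, H and E levels describe functional damage rather than a particle size, so a shred measurement can never certify them; a device that only "renders the drive inoperable" must be assessed against that wording, not against this check.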

The Relevance of DIN 66399 Regarding NSA Standards

In the U.S., of course, standards for classified data or otherwise protected information and data destruction device compliance are determined, implemented, and monitored by the NSA—not by DIN.

Nonetheless, DIN 66399 is increasingly gaining acceptance worldwide, including in the U.S., as a reflection of best practice within the data destruction industry, and DIN is frequently referenced in U.S. data destruction requirements. What’s more, although the use of DIN standards is voluntary, they become mandatory when they are referred to in contracts, laws, or regulations.

For these reasons, it’s important to stay current on the structure of DIN 66399 and its compliance requirements when you are beginning your data destruction process.

NIST Guidelines vs. the NSA EPL on Hard Drive Destruction: Clearing Up Confusion

February 5, 2019 at 5:44 pm by Heidi White

Over the 20 years I have been working for SEM, I have explained to customers and former military colleagues the requirements for classified destruction. Lately these requirements have become stricter due to ever-changing technologies. It’s not as easy as just putting your paper in a shredder or disintegrator and walking away knowing your classified material is destroyed. Classified material now comes on many types of media. With so many types of media, the National Security Agency (NSA) had to set forth requirements for how each needs to be destroyed. We will discuss destroying hard drives as it relates to National Institute of Standards and Technology (NIST) Special Publication 800-88 and the NSA Evaluated Products List (EPL) for Hard Drive Destruction Devices.

For this blog, I will only give a brief overview of the destruction of hard disks (SCSI, ATA, SATA). NIST 800-88 explains on page 16, Table 5-1, that there are three methods of sanitizing hard disks. The first is CLEAR. This method uses software to overwrite the storage space on the media with non-sensitive data (unclassified) and gives you the option to reuse your hard drive. The second is PURGE. For magnetic hard disks this means degaussing, or the Secure Erase command present on ATA drives (newer drives also offer the ATA Sanitize and Cryptographic Erase commands, which NIST lists alongside it). Purge is again intended for unclassified drives, typically drives that will leave the organization’s control. The third method is DESTROY, i.e. physical destruction. This method is the standard for classified data and destroys the drive by disintegration, pulverization, melting, or incineration. Keep in mind that NIST 800-88 addresses unclassified information; for classified storage devices the governing document is the NSA/CSS PM 9-12 Storage Device Sanitization Manual.
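The Purge path above hinges on the ATA Secure Erase command, and a practitioner issuing it wants two checks the paragraph does not spell out: that the drive will actually accept the command (drives are commonly left in the "frozen" state by the BIOS, in which case the erase is rejected), and that the media reads back empty afterwards. The following is an added example, not SEM’s code and not text from NIST or the NSA, that parses the Security section of `hdparm -I`, lists the blockers, builds the two-step hdparm sequence, and samples a device image after the erase. The `hdparm -I` excerpt is constructed in hdparm’s output format; the device name `/dev/sdX` and the function names are illustrative.

```python
"""ATA Secure Erase pre-flight and read-back sanity check (added example,
not SEM's code).  Uses only the standard library; runs offline against a
constructed hdparm excerpt and an in-memory device image."""
import io
import random
import re

# Constructed excerpt of `hdparm -I /dev/sdX` (Security section only).
# The drive supports the security feature set but is frozen by the BIOS.
SAMPLE_HDPARM_I = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t24min for SECURITY ERASE UNIT. 24min for ENHANCED SECURITY ERASE UNIT.
"""


def parse_security_section(hdparm_output):
    """Parse the 'Security:' block of `hdparm -I` into boolean flags.
    hdparm prints a leading 'not' for flags that are off."""
    info = {"supported": False, "enabled": False, "locked": False,
            "frozen": False, "enhanced_erase": False, "erase_minutes": None}
    in_section = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break  # reached the next top-level section
        if not in_section:
            continue
        stripped = line.strip()
        negated = stripped.startswith("not")
        body = stripped[3:].strip() if negated else stripped
        for key, label in (("supported", "supported"), ("enabled", "enabled"),
                           ("locked", "locked"), ("frozen", "frozen"),
                           ("enhanced_erase", "supported: enhanced erase")):
            if body == label:
                info[key] = not negated
        m = re.search(r"(\d+)min for SECURITY ERASE UNIT", stripped)
        if m:
            info["erase_minutes"] = int(m.group(1))
    return info


def secure_erase_blockers(info):
    """Reasons an ATA SECURITY ERASE UNIT must not be issued yet."""
    blockers = []
    if not info["supported"]:
        blockers.append("drive does not support the ATA security feature set")
    if info["frozen"]:
        blockers.append("drive is frozen by BIOS/HBA; suspend/resume or hot-plug to unfreeze")
    if info["locked"]:
        blockers.append("drive is locked; unlock with the existing user password first")
    if info["enabled"]:
        blockers.append("a user password is already set; erase with that password, do not set a new one")
    return blockers


def hdparm_commands(device, info, password="NULL"):
    """The two-step hdparm sequence: set a temporary user password, then
    erase with it.  Enhanced erase is preferred when the drive offers it."""
    erase = "--security-erase-enhanced" if info["enhanced_erase"] else "--security-erase"
    return [f"hdparm --user-master u --security-set-pass {password} {device}",
            f"hdparm --user-master u {erase} {password} {device}"]


def memory_image(fill_byte, size_bytes):
    """Constructed stand-in for an opened block device."""
    return io.BytesIO(bytes([fill_byte]) * size_bytes)


def verify_wiped(dev, size_bytes, samples=64, block=4096, seed=0):
    """Read `samples` random blocks from a seekable device and return how
    many are NOT all zero.  A zero-filling Secure Erase should leave none."""
    rng = random.Random(seed)
    blocks = max(1, size_bytes // block)
    dirty = 0
    for _ in range(samples):
        dev.seek(rng.randrange(blocks) * block)
        if any(dev.read(block)):
            dirty += 1
    return dirty


if __name__ == "__main__":
    info = parse_security_section(SAMPLE_HDPARM_I)
    print("blockers:", secure_erase_blockers(info) or "none")
    print("\n".join(hdparm_commands("/dev/sdX", info)))
    print("dirty blocks after erase:", verify_wiped(memory_image(0, 1 << 20), 1 << 20))
```

Two caveats belong with this check. Some drives fill with a vendor pattern rather than zeros after an enhanced erase, so a non-zero read-back is a reason to investigate, not automatic proof of failure. And on a solid state drive the controller may return zeros for blocks it has merely unmapped, so a clean read-back is a sanity check, not evidence that the NAND was erased; for classified SSDs the physical destruction route described later in this post applies regardless.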

SEM’s NSA listed Model EMP1000-HS degausser is an ideal solution for rotational hard drives; however, degaussing has NO effect on solid state media.

The second paragraph of the NSA/CSS EPL for Hard Drive Destruction Devices states, “Hard drive destruction devices on their own DO NOT SANITIZE magnetic and/or solid-state storage devices; use of these machines is only authorized in conjunction with degaussing for routine magnetic hard disk drive sanitization or by themselves only in extreme emergency situations. Sanitization guidance for classified storage devices is located in the NSA/CSS PM 9-12 Storage Device Sanitization Manual.” This leads you to believe that degaussing could be used on a solid state drive (SSD). This is misleading! A magnetic field created by a degausser will cause no damage to an SSD. A degausser will only destroy information on a standard rotational magnetic drive.

Classified SSDs must be disintegrated to a 2mm particle size.

In the third paragraph it states; “All shredders designed for hard drives are approved for deformation of magnetic hard drive platters. Shredding alone will NOT SANITIZE magnetic and/or solid state storage devices unless a two-millimeter particle size or less of the magnetic disk or solid-state memory chip is accomplished in accordance with NSA/CSS PM 9-12 Storage Device Sanitization Manual.” This states that if you have a hard drive or SSD, you can shred it to a 2mm particle to sanitize the drive. This is confusing. Although the NSA guidelines REQUIRE you to reduce a classified SSD to a two-millimeter particle to render the device sanitized, the machine that does this may not be able to shred a standard magnetic hard disk drive to this two-millimeter particle. This is due to the size and materials used in the manufacturing of a magnetic hard disk.

In conclusion, completely destroying the information on a hard drive is a two-step process for a magnetic hard drive and a single-step process for an SSD.

A magnetic disk MUST BE degaussed using an NSA-approved degausser and THEN physically destroyed. This second step of physical destruction is left up to the end user and can vary greatly. It can be as simple as drilling a hole in the drive, hitting it several times with a hammer, or using a hydraulic punch or hard drive shredder. A solid state drive MUST be shredded to a two-millimeter particle; degaussing has no effect on it.

If you have any questions or would like to talk to a security professional, feel free to reach out to me or any SEM representative.

Karl Lotvedt, DC Region Sales Support, has over 20 years of experience with SEM, including targeted expertise in understanding military procedures and requirements. Prior to joining SEM, Karl spent 20 years in the United States Air Force including over five years in procurement. Now retired from the Air Force, Karl currently serves as an Air Force resource advisor. Karl received his AA and CIS from National College in Rapid City, SD.

The Criticality of FACTA-Compliant Data Disposal

January 31, 2019 at 8:58 pm by Heidi White

Along with the Fair Credit Reporting Act (FCRA), creditors, accountants, lawyers, financial institutions, and other organizations dealing with consumer credit information must follow the regulations set by the Fair and Accurate Credit Transactions Act (FACTA). FACTA amends the FCRA; it limits how consumer information can be shared and controls how this private data is disposed of, in order to protect the individual to whom the information pertains from identity theft.

FACTA-Compliant Data Disposal

Destroying a rotational hard drive in a SEM 0101 crusher

When it comes to the proper disposal of consumer information, FACTA stipulates that reasonable measures must be taken by the organization to prevent the theft or otherwise unauthorized access and use of the protected data.

The FTC’s Disposal Rule (16 CFR Part 682), which implements FACTA’s disposal requirement, mandates that such data be destroyed by pulverizing, shredding, or burning all papers on which the consumer information is printed, rendering the information unreadable and unable to be reconstructed in any manner. FACTA disposal policies also extend to the electronic media housing the protected consumer information. Appropriate disposal methods for electronic media include overwriting the data with non-sensitive information using software or hardware (clearing), degaussing the media so the recorded magnetic data is permanently destroyed, or destroying the media by shredding, melting, pulverization, disintegration, or incineration. As with paper, the electronic media must be rendered unreadable and unable to be reconstructed.

If you’re working with a third-party data disposal company to comply with FACTA, the Disposal Rule expects you to exercise due diligence, for example by reviewing an independent audit of the disposal company’s operations, obtaining references, or requiring certification by a recognized trade body, to ensure the integrity of the process and complete data destruction.

Lastly, if your organization is subject to the Gramm-Leach-Bliley Act, you may need to incorporate your data disposal policies into your organization’s information security program as required by the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR Part 314 (the “Safeguards Rule”).

Consequences of a FACTA Violation

Failing to adhere to FACTA data disposal requirements can lead to hefty fines

Failure to comply with FACTA for either data or drive destruction can result in major damage to your company’s reputation and financial standing. If you suffer a data breach and have not followed FACTA’s requirements, the affected individuals can seek damages under the law. Your organization may face a class action lawsuit and statutory damages of up to $1,000 per consumer per violation, regardless of whether those persons actually suffered identity theft.

Moreover, the reputation of your company may be tarnished by the data breach and subsequent FACTA violations. This could mean the loss of existing customers and potential new business, furthering your organization’s financial loss and eroding economic stability.

When working with third parties for data destruction, however, there is a real risk that needs to be considered. If your third party experiences a breach, your organization remains liable for the data it collected and stored; outsourcing the destruction does not shift that liability away from you.

It is therefore highly recommended that you partner with a vendor like SEM who can provide both data and drive destruction devices for your organization to use and keep in-house. By controlling who, where, when and how your data and drives are destroyed, you can better ensure data protection at every step during destruction.

What’s the Scoop on the New NSA DVD/Blu-ray Disc Standard?

January 25, 2019 at 8:03 pm by Heidi White

This past December, the NSA released a complete new set of Evaluated Products Lists (EPLs) for secure document/media destruction devices, all dated 06 November 2018. Such an extensive new EPL posting was quite a surprise to end users and equipment makers. Typically, these lists come out one at a time, often with years between updates. Seven of them released all at once was unusual and unexpected.

Even more of a surprise was a change in the particle size standard for destroying classified DVD and Blu-ray Discs (BDs).  The change, apparent in the new EPL for Optical Media Destruction Devices, states the new standard as “DVDs and BDs to a maximum edge size of 2mm or less.”  This sudden change has led to a flood of inquiries at SEM from government organizations, so it seemed a good time to address this particular change.

SEM Model 0202 OMD/SSD and OMD/SSD-C shred optical media to less than 2mm and are listed on the 2018 NSA EPL.

The existing CD particle size standard, “CDs to a maximum edge size of 5mm or less,” was not changed.  As a result, looking at the list of products on the EPL, there is a column noting the acceptable materials that indicates whether each device is good for CD, DVD, BD, as well as other non-optical materials for which some of those machines are certified. A key takeaway is that NSA listed optical media destroyers are no longer all the same in terms of what they can destroy.  Users will need to check the EPL to make sure all items they want to destroy are approved.  This could make for a lot of confusion when looking at products on the market.

Yet another uncertainty is the timeline for users to make a changeover.  The EPLs do not give a transition period to switch to new machines, or grandfather the use of existing equipment.  In the past, when the NSA changed a standard for shredders or media destroyers, there was some time allowed to comply.  So far, there has been no announcement of that for the new DVD/Blu-ray standard, but many government entities are hopeful for such an announcement.

What does this mean for the status of existing optical media destroyers in use and on the market? The change is significant.  The great majority of optical media shredders that are in use are no longer shown on the EPL as approved for DVD or Blu-ray.  This includes the most popular optical media shredders on the market and almost all document and multi-media disintegrators. Producing a 2mm particle with no oversized particles is simply not possible with those machines.

SEM Model 0200 OMD/SSD-C is a cabinet version of the NSA listed CD/DVD/BD shredder

Only a few machines on the EPL for optical media destroyers have approval for DVD and BD. Of those, most are solid state media destroyers, which are large, expensive machines that cost $65,000 and up.  Users seeking a compact, affordable machine to destroy optical media can choose a machine like the SEM Model 0200 OMD/SSD.  Even better is the recently announced version of this machine with a more office-friendly configuration, the Model 0200 OMD/SSD-C.  The new version will better suit most customers with its attractive cabinet and better sound proofing for the vacuum versus the tabletop style of the standard version.  Both versions of the 0200 grind optical discs (not just the surfaces) into the NSA required particle size, which looks like beach sand.  The waste is collected and bagged by a vacuum.  These devices are not quite as user friendly as standard optical media shredders, like the SEM Model 0202 OMD.  Users who only have CDs, no DVDs or Blu-ray, will surely be happier with a machine like the 0202 OMD.

As an aside, another change on the optical media destruction device EPL, and the other EPLs, is that the NSA is no longer publishing official throughput rates.  In recent years these rates were on the EPLs.  This was a way for folks to check the claims made by vendors on capabilities.  The EPLs now direct users to the manufacturers to get throughput data.  In terms of optical media, the rating in question is the number of discs per hour.

At the end of the day, the NSA EPL is the gold standard for all types of secure data destruction, whether government or commercial, and must be followed for the destruction of classified data up to and including Top Secret. SEM has over 50 years of experience with the destruction of sensitive and secret data and is here to help anyone who has questions on or needs assistance with the new EPLs.

Bob Glicker, Mid-Atlantic Regional Sales Manager, has over 35 total years of sales experience with over 23 years of targeted government sales experience. Bob prides himself on providing the highest level of service to his government clients, and he enjoys working with key resellers. Bob received his BS in Chemistry from the University of Maryland, College Park. In his free time, Bob enjoys a variety of activities including gym workouts, cycling, reading, and listening to podcasts. He is also an avid science lover, an amateur juggler, a vegetarian, and the quintessential family guy.