Classification Breakdown: Match Your Data to Its Destruction Method

December 11, 2020 at 8:15 am by Amanda Canale

In the age of social media, it’s quite normal for many people to put their entire lives online. Whether it’s someone spilling all of their secrets in forms of podcasts, vlogs, and blogs or sharing too much about their assets and wealth in an Instagram post, it doesn’t seem like there is much that isn’t shared with the world wide web.

However, there are many types of information that not only just shouldn’t be shared but cannot be shared, especially when it pertains to our National Security. Let’s break down all of the different levels of information out there and the varying security classifications applied in order to properly identify and safeguard this information.

Top Secret information (TS)

Top Secret (TS) information is also known as classified information. Access to this level of information is highly restricted and is upheld by law or regulations to particular groups of people. It is sensitive enough to matters of national security that it must be protected at all times. Information of this nature can range from nuclear weapon launch codes to government secrets.

When it comes to the destruction of these types of information, best practices can vary. The question you should always ask yourself is as follows: is my end-of-life data destruction equipment designed to securely destroy this information? To ensure the highest security data destruction, the federal government requires that classified data only be destroyed with devices listed on the NSA Evaluated Products List (EPL). This equipment is suitable for TS information and utilizes stringent destruction criteria determined by the NSA. You can find more information about NSA-mandated destruction of storage devices here.

Regardless of the classification level and type of data you are looking to destroy, any one of SEM’s NSA listed paper shredders, disintegrators, degaussers, and IT crushers are fully equipped to securely destroy all of your end-of-life data.

Sensitive Compartmented Information (SCI) and Special Access Program (SAP)

Sensitive Compartmented Information (SCI) and Special Access Program (SAP) are considered highly classified information that is controlled and designated by the National Intelligence Agencies and shared within certain Department of Defense branches. SCI and SAP access levels are only granted to those who already hold a Top Secret (TS) clearance.  This information ranges from intelligence sources and methods to analytical processing and targeting, as well as information unique to a specialized program or project. This information is only accessible by those granted “a need-to-know basis” and thus safeguarded at the highest levels due to the nature of the classified information. Therefore, this information should only be destroyed with NSA EPL listed devices.

nsa-listed-paper-shredder

Communication Security (COMSEC)

Communication Security (COMSEC) is used to deny unauthorized persons access to information obtained from telecommunications of the U.S. Government concerning issues such as national security. This information is handled and protected by the U.S. Department of Labor (DOL). Since COMSEC material is considered sensitive, it should be destroyed to the same standard as classified information, meaning using NSA EPL listed equipment. COMSEC typically includes cryptographic security, emissions security, transmission security, and the physical security of COMSEC material.

information-destruction

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is all of the different kinds of unclassified information throughout the Executive Branch of the United States government that requires safeguarding or circulation control that is consistent with applicable laws, government policies, and regulations.

On November 4, 2010, the Executive Order 13556 “Controlled Unclassified Information” was established to create transparency throughout the federal government and non-government stakeholders as previous characterizations of sensitive but unclassified information (SBU) was not always consistent. This classification process standardizes these practices across over 100 different government departments and agencies, ranging from state and local, to tribal and private sectors. The Order also mandated that end-of-life media must be destroyed to NIST 800-88 specifications. For paper, this specification is a 1mm x 5mm particle size, which is the same as for classified information.

Typically, CUI information can consist of technical information with a military or space focus, legal material and law enforcement, federal healthcare, technical drawings and blueprints, immigration, and more. All of SEM’s IT destruction devices are NIST 800-88 and therefore CUI compliant. In addition, all paper shredders listed on the NSA EPL are also CUI compliant.

Personally Identifiable Information (PII)

Personally Identifiable information (PII) is any kind of information that can identify a specific individual. PII can be tricky as it is not anchored to any one category of technology or information.

SOX Act

The range of what kind of information qualifies as PII is quite vast: social security numbers, IP addresses, passport and license numbers, mailing and email addresses, login IDs, and other specific information are all personally identifiable.

While data breaches should always be taken seriously, a breach of this kind of information can put the exposed people at an extremely high risk of identity theft and fraud. Take for example, the recent security breach at financial institution, Morgan Stanley. The incidents, which have occurred over a span of four years, were caused by an ITAD (IT asset disposition) vendor misplacing a number of various computer equipment that were being used to store customers’ PII. You can read more about our thoughts on this breach here.

Personal Health Information (PHI)

Personal Health Information (PHI) is similar to PII in that it is identifiable information that can be linked to a specific individual.

PHI is an umbrella term given to any kind of health information that is dated, received, transmitted, or stored by the Health Insurance Portability and Accountability Act (HIPAA) and their entities and business associates in relation to healthcare operations and payment. This information ranges from Social Security numbers and medical record numbers to test results and insurance information. Both PII and PHI are sensitive information, so should be destroyed to completely prevent reconstruction or recovery using the same standards that apply to CUI.

Whether you’re looking to destroy personally identifiable, controlled unclassified, or top secret information, it is always best practice to follow data sanitization mandates. At SEM, we have wide array of high-quality end-of-life data destruction devices that not only meet NSA/CSS specifications, but are on the NSA/CSS Evaluated Products List, and follow the Controlled Unclassified Information (CUI) Executive Order.

Any one of our exceptional sales team members are more than happy to help answer any questions you may have about your data classification and help determine which machine will best meet your company and federally regulated destruction needs.