Are you confused over which shredded particle size is sufficient to meet your corporate security needs? Is anyone monitoring or providing guidance to help you determine this?
While there are many new laws that force businesses to implement data security programs, they fail to provide specific guidance on an acceptable shred size. For example, the HIPAA law that governs information security in the health care industry simply suggests that the health care provider must implement an information security program to protect the identity of the customer/patient. Unfortunately, the law does NOT provide shred size specifics or guidance. This open-ended guideline leaves health care suppliers uncertain about the most effective shredded particle size. The same “lack of guidance” is apparent in the other laws, such as FACTA, Sarbanes-Oxley, GLB, etc., that govern private industry. So what’s an organization to do?
GUIDELINES TO CONSIDER
While many of us poke fun at the US Federal Government for its regulation and guideline adherence, one thing is for certain: it has its act together when it comes to providing guidelines on information security. The Government provides very specific information on methods and particle sizes for classes of information that reside on virtually all forms of media. For example, if a Government agency is dealing with Classified or Top Secret data, the agency can look to the NSA (National Security Agency) (see http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml) to find specific guidelines on the acceptable methods to destroy data that resides on paper, optical disks (CDs/DVDs), magnetic media (hard drives, data tapes), etc.
For non-classified information, also known as CUI (Controlled Unclassified Information; see http://www.archives.gov/cui/), the Government once again provides specific guidelines on acceptable methods and final particle sizes to follow.
But what about private industry? Since there are no specific guidelines, private industry looks for guidance from trade associations such as the National Association for Information Destruction (NAID) or from guidelines such as DIN levels, which are standards used in Europe. NAID typically provides cross cut particle size guidance to mobile shred service companies. DIN levels define data in “protection classes” and are more applicable for “in-house” shredding programs. Most organizations would fall under Protection Class 2, which calls for “high protection requirement for confidential data”.
CONCLUSION: If you are a private industry organization and wish to implement an in-house shredding solution, the most effective solution would be to follow the lead of our Federal Government in the destruction of CUI information and select a CROSS CUT shredder. In addition, if opting for a shred service, the NAID guidelines further suggest a Cross Cut shred size no larger than 3/4” x 2-1/2”; however, the DIN 66399 standards recommend that the minimum shred size for “especially sensitive and confidential data” be a level P-4 shredder that produces a particle no greater than 4 mm x 40 mm (approximately 5/32” x 1-5/32”). Most “Commercial Grade” (not the machines you buy in retail stores) Cross Cut shredders produce particle sizes that are in the 5/32” x 1-5/32” range.
Bottom line: before you pull the trigger on a paper shredder to satisfy the “security requirements” of the laws that govern your industry, look to purchase a Commercial Grade, Cross-Cut shredder with a small enough particle size (i.e. 5/32 x 1-5/32) to be effective, just like the US Federal Government.
For a variety of Cross Cut Paper shredders and other solutions to effectively destroy data on virtually all forms of media, visit the SEM website at www.semshred.com