What to Expect During a Compliance Audit — and How SEM Solutions Can Help

June 24, 2025 at 8:00 am by Amanda Canale

Compliance audits are critical checkpoints for organizations that handle sensitive data, particularly those in the government, finance, healthcare, and other highly regulated sectors. These audits verify that your data security practices meet the standards laid out by applicable laws and frameworks—from NIST 800-88 to NSA/CSS standards.

At Security Engineered Machinery (SEM), we specialize in helping both federal and commercial clients navigate this increasingly complex space with confidence (and in compliance).

Critical Shreds

  • Audits focus on media sanitization. Compliance regulators want documented proof that data-bearing devices are properly destroyed.
  • NSA-level destruction is best. SEM recommends physical destruction to NSA/CSS specifications for all end-of-life media.
  • Documentation and training are non-negotiable. Staff must understand and follow stringent destruction and chain-of-custody protocols.
  • Equipment must be regularly maintained and serviced. Malfunctioning solutions can greatly jeopardize compliance.

Understanding Compliance Audits in Data Security

The first step is understanding what a compliance audit is and what it entails. A compliance audit is a formal evaluation that is conducted to ensure that an organization’s data handling and destruction policies align with relevant industry regulations or government requirements. For federal agencies, this typically involves ensuring strict adherence to NSA/CSS specifications for physical destruction of classified media. In the commercial space, however, there’s more variation depending on the organization’s sector:

  • HIPAA (Health Insurance Portability and Accountability Act) for healthcare data
  • GLBA (Gramm-Leach-Bliley Act) for financial institutions
  • PCI DSS (Payment Card Industry Data Security Standard) for organizations handling cardholder data
  • GDPR (General Data Protection Regulation) for companies handling EU citizens’ personal data

A critical aspect of these audits is media sanitization: the process of rendering the data on end-of-life storage devices (HDDs, SSDs, optical media, etc.) irretrievable. NIST SP 800-88 defines three levels of sanitization, clear, purge, and destroy, and expects organizations to choose among them based on the confidentiality of the information and whether the media will leave the organization's control. At SEM, however, we believe all end-of-life media should be physically destroyed to the NSA standard, because that enforces the highest level of security and ensures the data is forever irretrievable.


Common Questions During a Decommissioning Audit

Given the increasing use of digital data storage devices, auditors are increasingly focusing on how organizations manage the destruction of HDDs, SSDs, optical media, and other forms of e-media. Some typical questions you can expect during a compliance audit include:

  • How are your HDDs, SSDs, and other media destroyed?
  • Where is your media destroyed?
  • Who has access to sensitive data, and how is it managed and recorded?
  • Do your destruction methods align with NSA/CSS specifications or NIST SP 800-88 guidance?
  • Are you using NSA/CSS EPL-listed equipment?
  • Do you maintain a verifiable chain of custody for media from when deemed end-of-life through destruction?
  • Can you provide documentation or logs to prove destruction was successful?

It’s important to note that these are not just technical questions—they’re legal and compliance concerns. Failing to answer them adequately can result in penalties, failed audits, or even breaches of contractual or legal obligations.

Chain of Custody and Documentation Tools

One of the biggest audit pain points is chain of custody. Auditors seek out clear evidence that from the moment a data-bearing device is taken out of service to its final destruction, every step in its handling was secure, documented, and tamper-proof. This means being able to track who accessed the device, where it was stored, how it was transported, and when destruction occurred.

Without this level of visibility and traceability, organizations risk non-compliance even if the destruction itself was performed properly. Documentation tools are equally critical, providing time-stamped records, asset identifiers (serial numbers or asset tags), the destruction method used, and confirmation that destruction was completed in accordance with policy. These records serve as proof that data disposal practices meet legal and regulatory standards and are often a required component of audit submissions.

Inconsistent documentation or missing data can result in audit findings, fines, or legal exposure, especially under regulations with strict accountability clauses like HIPAA, GLBA, and GDPR. And if the data is classified or top-secret? The repercussions of a breach or leak could threaten national security.
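The tamper-proof, time-stamped custody record described above can be implemented as an append-only log in which every event's hash covers the previous event's hash, so any edit, deletion or reordering of earlier records breaks verification. The following is an added Python example, not SEM's code or any product's; the asset ID, actors, locations and timestamps are constructed for illustration.

```python
"""Hash-chained chain-of-custody log for retired media (added example).

Each event (asset id, action, actor, location, timestamp) is stored with the
hash of the previous record and its own SHA-256 over all of those fields.
Rewriting any earlier record, or dropping one, makes verify_chain() fail at
the first inconsistent index. Asset IDs, actors and timestamps are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace


@dataclass(frozen=True)
class CustodyEvent:
    asset_id: str      # serial number or asset tag of the drive
    action: str        # "removed", "stored", "transported", "destroyed"
    actor: str         # person responsible for this step
    location: str
    timestamp: str     # ISO-8601, stamped by the logging system
    prev_hash: str     # hash of the previous record (GENESIS for the first)
    record_hash: str   # SHA-256 over the six fields above


GENESIS = "0" * 64


def _digest(fields: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_event(log, asset_id, action, actor, location, timestamp):
    """Append one custody event, linking it to the current tail of the log."""
    prev_hash = log[-1].record_hash if log else GENESIS
    fields = dict(asset_id=asset_id, action=action, actor=actor,
                  location=location, timestamp=timestamp, prev_hash=prev_hash)
    log.append(CustodyEvent(**fields, record_hash=_digest(fields)))
    return log[-1]


def verify_chain(log):
    """Return (True, None) if every record links and hashes correctly,
    otherwise (False, index_of_first_bad_record)."""
    expected_prev = GENESIS
    for i, ev in enumerate(log):
        fields = asdict(ev)
        recorded = fields.pop("record_hash")
        if ev.prev_hash != expected_prev or _digest(fields) != recorded:
            return False, i
        expected_prev = recorded
    return True, None


def custody_report(log, asset_id):
    """The auditor's question answered: where was the asset, and who had it, in order."""
    return [(e.timestamp, e.action, e.actor, e.location)
            for e in log if e.asset_id == asset_id]


def build_sample_log():
    # Constructed lifecycle of one drive from removal to destruction.
    log = []
    append_event(log, "HDD-0001", "removed", "j.doe", "DC-1 rack 12", "2025-06-01T09:00:00Z")
    append_event(log, "HDD-0001", "stored", "j.doe", "secure cage A", "2025-06-01T09:20:00Z")
    append_event(log, "HDD-0001", "transported", "r.roe", "cart 3 to destruction room", "2025-06-02T14:00:00Z")
    append_event(log, "HDD-0001", "destroyed", "r.roe", "destruction room, shredder S1", "2025-06-02T14:15:00Z")
    return log


def tampered_copy(log):
    """Simulate history being rewritten: a different actor is claimed for the transport step."""
    bad = list(log)
    bad[2] = replace(bad[2], actor="unknown")
    return bad
```

The chain proves internal consistency only: someone who can rewrite the whole file can also recompute every hash. In practice the latest record hash is anchored outside the log (signed checkpoints, write-once storage, or a copy held by the compliance team) so that such a rewrite is detectable.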


Training and Education

An effective data destruction program goes beyond having the right hardware. It includes understanding how and when to destroy assets, how to properly handle materials, and how to educate internal stakeholders. This makes training and education essential elements of a compliant data destruction program. Personnel must be familiar with regulatory standards such as NIST 800-88 and NSA/CSS specifications, and they must know how to identify, handle, and process media that is at the end of its life.

When staff are unclear on chain of custody procedures or destruction protocols, it can lead to inconsistent practices and gaps that auditors will quickly notice. Proper education helps ensure that processes are applied uniformly across departments and locations, reducing the risk of human error. It also fosters a culture of accountability where employees are empowered to follow and improve secure data handling practices. Ultimately, a well-trained team is one of the strongest defenses against audit failures and regulatory penalties.

Preventive Maintenance and On-Site Support

Nothing derails an audit faster than non-functioning equipment. Even if all policies are followed and documentation is complete, malfunctioning or poorly maintained equipment can gravely jeopardize compliance.

Preventive maintenance plays a key role in ensuring that shredders, crushers, degaussers, and other systems operate within the performance standards required by applicable regulations. Over time, even high-quality equipment drifts out of spec: worn cutting heads produce oversized particles, and a degausser whose field strength has dropped may leave data recoverable, rendering destruction incomplete or noncompliant. Regular inspections, service schedules, and performance testing (for example, checking output particle size against the required specification) help confirm that destruction methods remain effective and verifiable.

Additionally, having access to timely on-site support can prevent operational delays during critical periods, such as audit windows or large-scale decommissioning events. Properly maintained equipment not only protects the integrity of the destruction process but also demonstrates to auditors that the organization takes its compliance responsibilities seriously.

The Bottom Line

Compliance audits don’t need to be stressful—especially when it comes to data destruction. With regulatory scrutiny on the rise, particularly in light of growing cybersecurity threats and data breaches, it’s never been more important to ensure your media sanitization and chain of custody practices are airtight.

SEM partners with organizations across industries to help them prepare for and succeed in compliance audits. With our NSA/CSS-approved destruction equipment, advanced documentation tools, and a team of experts offering on-site support and training, we help turn audit readiness into a repeatable, scalable part of your data lifecycle.

When compliance is on the line, SEM has your back.

5 Mistakes Companies Make When Retiring IT Equipment (and How to Avoid Them)

May 22, 2025 at 7:14 pm by Amanda Canale

As technology evolves at a relentless pace, organizations are continually refreshing their IT infrastructure to stay competitive, secure, and efficient. But with the excitement of onboarding new systems comes a less glamorous yet equally critical task—retiring outdated IT equipment. This phase is often overlooked or rushed, leading to significant security, compliance, and environmental risks. Retiring IT assets isn’t just about unplugging and discarding them; it requires a thoughtful, documented, and secure process.

Here are five common mistakes companies make when retiring IT equipment, and how to avoid them.

Assuming Data Is Gone After Deletion

Perhaps the most pervasive and dangerous misconception is that data is permanently erased simply by deleting files or formatting hard drives. In reality, deletion simply removes the pointers to data, not the actual data itself. Without proper data sanitization protocols, sensitive corporate or customer information can still be recovered using forensic tools—even from devices that appear “clean.”

To prevent this, organizations must implement certified data destruction processes that meet or exceed standards such as NIST SP 800-88 or the NSA/CSS specifications, depending on the industry and the classification of the data being destroyed. This can involve physical destruction (shredding, crushing, or disintegrating) or, for magnetic media only, degaussing; degaussing has no effect on SSDs and other flash media, which must be physically destroyed. If a magnetic drive contains classified information, NSA/CSS guidance is to degauss it and then physically destroy it. This two-step method ensures complete and total obliteration.

Proper documentation should include both the data’s chain of custody and the destruction process. It’s also important to retain certificates of destruction for auditing purposes. Relying on basic deletion is a gamble no organization should take, especially with data privacy regulations tightening worldwide.
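To make the "pointers, not data" point concrete, here is an added Python example (not code from the article) that models a tiny disk image as a directory table plus data blocks. Deleting a file only clears its directory entry, so a forensic carve of the raw blocks still finds the contents; a NIST 800-88 clear-style overwrite of the blocks is what actually removes them. The file system layout, the file name and the "SECRET:" contents are constructed for the example.

```python
"""Deletion vs. sanitization on a toy disk image (added example).

Layout: DIR_ENTRIES fixed-size directory entries (name[4], start_block[2],
length[2]) followed by BLOCK-sized data blocks. The layout and file data are
constructed; real file systems differ in detail but behave the same way.
"""
BLOCK = 16
DIR_ENTRIES = 4
ENTRY = 8                      # 4-byte name + 2-byte start block + 2-byte length
DIR_SIZE = DIR_ENTRIES * ENTRY


def new_disk(n_blocks=8):
    return bytearray(DIR_SIZE + n_blocks * BLOCK)


def _entries(disk):
    """Yield (slot, name, start_block, length) for every in-use directory entry."""
    for i in range(DIR_ENTRIES):
        e = disk[i * ENTRY:(i + 1) * ENTRY]
        name = bytes(e[:4]).rstrip(b"\0")
        if name:
            yield i, name, int.from_bytes(e[4:6], "big"), int.from_bytes(e[6:8], "big")


def write_file(disk, name, data, start_block):
    assert len(name) <= 4 and start_block * BLOCK + len(data) <= len(disk) - DIR_SIZE
    for i in range(DIR_ENTRIES):
        if not bytes(disk[i * ENTRY:i * ENTRY + 4]).rstrip(b"\0"):   # free slot
            disk[i * ENTRY:i * ENTRY + 4] = name.ljust(4, b"\0")
            disk[i * ENTRY + 4:i * ENTRY + 6] = start_block.to_bytes(2, "big")
            disk[i * ENTRY + 6:i * ENTRY + 8] = len(data).to_bytes(2, "big")
            off = DIR_SIZE + start_block * BLOCK
            disk[off:off + len(data)] = data
            return
    raise OSError("directory full")


def read_file(disk, name):
    """Normal access path: follow the directory pointer."""
    for _, n, start, length in _entries(disk):
        if n == name:
            off = DIR_SIZE + start * BLOCK
            return bytes(disk[off:off + length])
    return None


def delete_file(disk, name):
    """What 'Delete' or rm does: drop the pointer, leave the blocks untouched."""
    for i, n, *_ in _entries(disk):
        if n == name:
            disk[i * ENTRY:(i + 1) * ENTRY] = bytes(ENTRY)
            return True
    return False


def carve(disk, marker):
    """Forensic carving: ignore the directory and scan the raw blocks for a known header."""
    data = bytes(disk[DIR_SIZE:])
    idx = data.find(marker)
    if idx < 0:
        return None
    end = data.find(b"\0", idx)
    return data[idx:end if end >= 0 else len(data)]


def clear_file(disk, name, pattern=b"\x00"):
    """NIST 800-88 'clear': overwrite the file's blocks, then drop the pointer.
    One pass is what 800-88 Rev. 1 calls for on magnetic media."""
    for _, n, start, length in _entries(disk):
        if n == name:
            off = DIR_SIZE + start * BLOCK
            nblocks = -(-length // BLOCK)          # round up to whole blocks
            disk[off:off + nblocks * BLOCK] = pattern * (nblocks * BLOCK)
            return delete_file(disk, name)
    return False
```

The overwrite step is only trustworthy where the logical blocks map to the physical cells that held the data. On flash media (SSDs, USB sticks) wear levelling can route the overwrite to different cells and leave the old copy in place, which is why 800-88 does not accept overwriting as a purge for flash and why the article's advice for sensitive drives is physical destruction.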


Overlooking Nontraditional Data Sources

When thinking about data-bearing equipment, organizations typically focus on obvious items like servers, desktops, or laptops. However, nontraditional data sources often fall through the cracks. Devices such as printers, copiers, VoIP phones, network switches, external hard drives, and even smart devices can store sensitive configuration data, credentials, or internal communications.

The root cause of this oversight is often a lack of a comprehensive IT asset inventory. Without knowing exactly what equipment exists and what data it might contain, companies risk leaving information behind during decommissioning. Creating and maintaining a detailed asset inventory—updated continuously throughout the hardware lifecycle—is essential. It allows for thorough tracking and ensures every device is accounted for, assessed for data sensitivity, and handled properly during retirement.

Not Verifying E-Waste Recyclers

Environmental responsibility is an increasingly important part of corporate social responsibility, and most businesses strive to dispose of retired IT assets through recycling partners. However, not all e-waste recyclers operate ethically or securely. Some may claim to responsibly dispose of electronics but instead export hazardous waste to developing countries or improperly dispose of data-bearing devices, creating significant brand and legal risks.

Due diligence is critical when selecting a recycling partner. Look for certifications such as R2 (Responsible Recycling) or e-Stewards, which require adherence to high environmental and data security standards. Auditing the recycler's practices, requesting references, and visiting their facilities when possible can also help verify their legitimacy. Partnering with a reputable recycler protects both your company's reputation and the planet.


Delaying Decommissioning

Outdated or unused IT assets often sit idle in storage closets, server rooms, or even employee homes for extended periods. This delay in decommissioning can create a host of problems. Unsecured, unused devices are prime targets for data breaches, theft, or accidental loss. Additionally, without a timely and consistent retirement process, organizations lose visibility into asset status, which can create confusion, non-compliance, or unnecessary costs (like continued software licensing or maintenance).

The best way to address this is by implementing in-house destruction solutions as an integrated part of the IT lifecycle. Rather than relying on external vendors or waiting until large volumes of devices pile up, organizations can equip themselves with high security data destruction machinery—such as hard drive shredders, degaussers, crushers, or disintegrators—designed to render data irretrievable on demand. This allows for immediate, on-site sanitization and physical destruction as soon as devices are decommissioned. Not only does this improve data control and reduce risk exposure, but it also simplifies chain-of-custody tracking by eliminating unnecessary handoffs. With in-house destruction capabilities, organizations can securely retire equipment at the pace their operations demand—no waiting, no outsourcing, and no compromise.

Failing to Establish a Chain of Custody and Involve Compliance Teams

Retiring IT equipment isn’t just a logistical or technical task—it’s also a matter of governance and accountability. Many organizations fail to establish a documented chain of custody when IT assets are moved, stored, or handed off to third-party vendors. This lack of visibility and traceability increases the risk of data loss, theft, or mishandling.

Furthermore, failure to involve compliance, legal, and security teams in the decommissioning process can lead to overlooked regulatory obligations or missteps. In industries governed by HIPAA, GDPR, PCI DSS, or similar regulations, improper data disposal can result in hefty fines and reputational damage. In the government sector, improper disposal can result in far worse scenarios, such as the leak of classified national secrets.

To avoid this pitfall, organizations must formalize their decommissioning policies and workflows. This includes tagging each asset, tracking its movement through every stage of decommissioning, and involving all relevant stakeholders. A documented chain of custody ensures accountability and supports audits or investigations, should they arise. Including compliance and security teams in the planning stages helps identify applicable regulations and ensures proper adherence from start to finish.


Why In-House, High-Security Data Destruction Matters More Than Ever

All of the above mistakes share a common theme: a lack of control. The more hands data passes through, the higher the risk of exposure. That’s why in-house high-security data destruction is not only a best practice—it’s becoming a necessity.

By investing in high security data destruction solutions that are designed specifically for in-house data destruction, companies maintain full custody of their data from start to finish. Physical destruction solutions such as NSA/CSS-listed disintegrators, degaussers, and hard drive shredders allow businesses to render data unrecoverable before any asset leaves the premises. This eliminates the reliance on third-party vendors, reduces the risk of chain-of-custody failure, and reinforces compliance with the most stringent data protection regulations.

Moreover, in-house solutions offer operational flexibility and peace of mind. Assets can be destroyed immediately, in a controlled environment, by trained staff—ensuring sensitive data never leaves corporate oversight. For sectors like defense, healthcare, finance, and critical infrastructure, this level of control isn’t just helpful—it’s essential.

Organizations that take data destruction seriously are recognizing that outsourced convenience doesn’t always equal security. As threats to information security become more sophisticated, the safeguards must follow suit. Security Engineered Machinery’s (SEM) data destruction equipment is a proactive investment in compliance, reputation, and operational integrity.

In the end, how an organization disposes of its IT assets says just as much about its values as how it deploys them. When the goal is to protect data at every stage of its lifecycle, the most secure option is the one that never lets it out of your sight.

One Person’s Trash Really is Another’s Treasure

June 15, 2020 at 9:02 pm by Flora Knolton

It is typical for companies to focus more on the security of their digital network than on physical protection of documents and data. Physical security tends to fall by the wayside even though it's fairly easy for criminals to go dumpster diving. Even when a breach doesn't cost an organization its most important assets, it can still suffer irreversible brand damage. In 2007, Radio Shack dumped more than 20 boxes containing personally identifiable information (PII) for thousands of customers. A man rummaging through the dumpster found the boxes and reported it. Shortly afterward, the State of Texas filed a civil lawsuit against Radio Shack for exposing its customers to identity theft. The state's lawsuit claimed the company "failed to safeguard the information by shredding, erasing, or other means, to make it unreadable or undecipherable before disposing of its business records." Cases like this are common, and identity theft has become a major problem worldwide.

The Recycling Myth

Many believe that recycling is a very different process from trash processing and somewhat safer in terms of data security. This is far from the truth. People mostly understand that trash ends up in landfills where anyone could find sensitive material. At the same time, many assume recycling is safer for confidential documents, since they will be destroyed and repurposed instead of shipped to a landfill. In actuality, recyclables are not transported securely. Recycling trucks look like every other garbage truck, and documents containing personally identifiable information (PII) blow around in the truck before being dropped off at the recycling facility. On average, recyclables sit on sorting floors for two to four weeks before being destroyed. The remnants don't sort themselves either: employees sort what the machines cannot and have access to the documents before they are destroyed. Unlike destroying the documents yourself, sending them to a recycler leaves you no way of proving that sensitive information has been destroyed.

Protect the Customers and Employees, Protect the Business

Consumer privacy legislation has been increasing around the United States within the last few years. Recent laws such as the NY SHIELD Act and the California Consumer Privacy Act (CCPA) give consumers more rights over the access to, deletion of, and sharing of personal information that businesses collect. These laws give consumers a large amount of control over their personal information, which opens up a host of severe penalties and lawsuits for companies that fail to comply. This trend is also being seen in other nations, with the European Union's General Data Protection Regulation (GDPR) and India's Personal Data Protection Bill, and it is expected to continue everywhere in the near future. Knowing this, organizations carry a heavier burden to protect customers' personal and sensitive information; a company that mishandles it could be subject to harsh monetary penalties. Employees have the same legal right to privacy as customers and expect their employer to keep their information secure as well. At the end of the day, the stakeholders pull the most weight, and it's important to treat their information the way you'd want your own sensitive information handled and disposed of.

Secure Your Disposal of Records

Businesses have a choice when it comes to how they dispose of their paper records, usually weighing the convenience, cost, and legal risk of complying with their industries' standards or regulations. Under U.S. federal requirements, secure disposal is required when a record contains classified information, controlled unclassified information (CUI), or personally identifiable information (PII) such as addresses, phone numbers, names, emails, social security numbers, and other data that can be used to identify an individual. It's easy to consider only cost when opting for a third-party shredding company, but can you really be certain that all the documents are being shredded? It's impossible to tell. Despite widespread adoption of electronic health record systems, most hospitals still use both paper and electronic documents for patient care. Healthcare cyberattacks overall are on the rise, with nearly 32 million patient records breached in 2019. It's crucial to find a balance between digital security and physical destruction in the workplace. Increasing communication between colleagues so they are informed of appropriate processes can help mitigate potential breaches when disposing of information the institution no longer retains.

No matter the industry, at SEM we have many high-quality NSA Listed, CUI, and unclassified paper shredders to meet any regulation. For those looking for an eco-friendly device that's also listed on the NSA EPL for Paper Shredders, we recommend the Model 1201CC High Security Shredder. It was tested oil-free by the NSA for classified document destruction thanks to its specially designed cutting head, which is also fully replaceable, lowering total cost of ownership. Destroying physical data in-house may seem like a costly purchase in the short term but could end up saving a company exponentially in the long run by preventing a breach. With regular maintenance, a quality shredder such as the 1201CC can last a lifetime. We're happy to help answer any questions concerning personal or regulated shredding needs.

Security and Recycling Don’t Have to be at Odds

December 21, 2019 at 3:01 pm by SEM

When people think of information destruction they typically would not associate it with being environmentally responsible. However, this is completely untrue. In today’s society there are many alternative solutions to help become more environmentally friendly.

Paper

When shredded into a cross cut or strip cut particle, paper can be put into the recycling stream and be used to make new paper. In the past, when paper was shredded into a classified particle, the only option was a landfill. This was because paper is extremely hard to handle once it is this size and it has little, if any, recyclable value.

Today we have the option of briquetting. Briquetting compacts the confetti-like paper into small cylindrical pucks, roughly a 9:1 volume reduction. More importantly, a briquette has recyclable value: paper mills can use briquettes as filler for cardboard boxes and manila folders. A study performed by Penn University also found that a briquette sample has the burn value of soft coal, with half the carbon emissions.

Hard Drives

In today’s society we are storing more and more information on hard drives and other forms of media. Because of this, there has been a large demand for hard drive shredding. After being shredded, you may think that the end particle is useless and wonder what to do with it. This shredded hard drive actually has a recyclable value in the aluminum, magnets and PC board. The market for this is always fluctuating, but you will typically see an average recyclable value of $.35-$.40 per pound.

Other Forms of Media

Optical media – the plastics can be recycled

Floppy disks – the metal hub and plastic outer casing have recyclable value

BlackBerrys/PDAs – once the battery is removed, the plastics can be recycled

Computers/printers – the CPU boards and plastics can be recycled

In the world today it is very important to become environmentally friendly and implement this any way possible. One thing I recommend is when you have something that you plan to destroy, check with a local recycling company because it may actually have a recyclable value.

Credibility Counts, Ask Around

April 9, 2019 at 3:44 pm by Paul Falcone

We’ve all had a point in our lives when we need to purchase something that we know we need but don’t know much about.

Maybe you're in a store looking for something, eyes frantically browsing the shelves and trying to distinguish between all the various products, versions, and makes. As the choices add up, maybe you decide it's best to ask for someone's opinion. Someone who works at the store happens to be walking down the aisle and you signal for help. It is in this moment that you start deciding whether this person has the knowledge to help you or not.

Because after all, they could have just as little knowledge as you about this product.

After having a discussion you discover that it was true, the employee wasn’t as knowledgeable on the product to make you feel comfortable with a purchase. So you head home with empty hands, deciding that you’ll take your questions elsewhere. Somewhere with all the answers in the world.

The internet.

The internet can be an equally overwhelming place when trying to find accurate information about a product. In a world that is becoming more and more connected, the amount of information that is available to us is growing exponentially. How can you sort through all of this information and deduce what is accurate and honest information, especially with people out there trying to scam and get the best of you?

Sites like Amazon and Google try to combat this by showing us user review scores and comments of people who have purchased items. But even these can be manipulated. So when it seems like it’s impossible to find the information, who can you really trust?

How do you know you can trust a product?

Ask around. They say word of mouth is the best kind of marketing and real people who have used the products can give you the most honest answers. Chances are if you’re in the market for a high security destruction device, you know someone who has worked with Security Engineered Machinery, the global leader in high security information end-of-life-solutions for over 50 years.

At Security Engineered Machinery, we have the experience to answer any questions you may have concerning your sensitive and classified destruction needs. Most of our sales team has been in the industry for over 20 years. We have more experience creating destruction solutions than any other company. We were founded in 1967 and have 52 years in the destruction business, granting us an unparalleled depth of experience. Document and media destruction is our ONLY business and we are 100% focused on improvements.

When you purchase a system from SEM, you can feel confident you will receive the quality and support you’ve come to expect from us. The sales team at SEM hold integrity above financial gain and are always willing to go the extra mile. Our clients, many of whom are repeat customers, are among an elite group of security professionals in the government as well as the civilian sectors who have used our machines in various offices and locations worldwide. When moving to a new location and they need a new destruction device, they inevitably contact SEM – and that’s the best testimonial you can have.

Why do we have so many long-term relationships? Value: you will get the quality you expect. Convenience: it does what we say it will do. Customer support: we will be here to help you through the life of your machine. Service: our dedicated service department is ready to assist at a moment's notice.

Most importantly, SEM has the expertise and the knowledge base to meet or exceed your expectations as well as the most knowledgeable sales team in the business with the highest integrity to solve your destruction problems.

Destroying Metal Credit Cards – What’s the Difference?

March 8, 2019 at 6:40 pm by Paul Falcone


Metal credit cards are becoming more and more common in today’s high tech environment. Originally reserved for the well-off, these flashy cards have become almost commonplace. Although they often offer the same functionality and benefits as their plastic counterparts, they all come with what’s called the “plunk factor”. Their heavier, sleek design and luxurious feel get you noticed when you plunk them down to pick up the check. However, this plunk factor gives the cards an added density and thickness that means they sometimes need to be destroyed differently than their plastic counterparts.


More Durable. More Information.

Increases in cybersecurity awareness and data breaches have led to a greater demand for better and more secure solutions to control credit information. The need to destroy these heavier, more durable cards has become more important than ever, with customers and companies alike looking for the safest and most secure way to do so.

Metal cards today can be produced with brass, copper, stainless steel, and even composite mixes of metal and plastic. While data used to be stored only in the printing and the magnetic stripe on a credit card, the push for more security has seen most major card producers add a chip that also stores sensitive information. So we have more durable cards with even more areas holding sensitive data, data that can still be read even after the card has expired.

How to Destroy: Shred or Disintegrate?

When it comes time to dispose of metal credit cards either due to expiration or possible fraud, credit card issuers will offer to send customers a pre-paid envelope to send cards back for destruction. Once returned, the credit card company is responsible for recycling or destroying the cards. The PCI Security Standards Council guideline for destruction is to destroy credit cards by “shredding or grinding such that the resulting material cannot be reconstructed”.

One method of destruction is with a heavy duty shredder capable of accepting different types of media including paper, CDs, credit cards, staples, and paper clips. The SEM model F65 cross-cut shredder with a capacity of up to 65 sheets per pass can be used for light volume of metal credit card shredding. It can effectively shred these cards into strips similar to shredded paper strips. Once shredded, there is little chance any of the information on the card can be accessed.


Another method of destruction for metal credit cards is a disintegrator. These machines use rotary knife mill technology to destroy a variety of bulk material. A disintegrator can shred larger volumes of metal cards at higher capacities and can also be customized to shred to a specific particle size. Available with larger horsepower motors and customizable particle sizing screens, disintegrators like the SEM Model 1012 are designed for multiple applications where secure destruction at higher capacities is needed. Disintegrators offer greater assurance that the data-bearing elements (magnetic stripes and chips) are destroyed so that the information stored on them is no longer accessible.

Deciding between a shredder and a disintegrator can seem challenging. The proper solution should be based on the needs of the application. Material being destroyed, desired volume and throughput, particle size, and power requirements are all important factors to consider when selecting a destruction device. SEM has experience working with several different credit card manufacturers and various credit card types. If you would like to send us samples of the cards you need destroyed or want to visit us in person to view our capabilities, SEM is here to work with you to ensure your needs are met.