Classification Breakdown: Match Your Data to Its Destruction Method

December 11, 2020 at 8:15 am by Amanda Canale

In the age of social media, it’s quite normal for many people to put their entire lives online. Whether it’s someone spilling all of their secrets in the form of podcasts, vlogs, and blogs or sharing too much about their assets and wealth in an Instagram post, it doesn’t seem like there is much that isn’t shared with the world wide web.

However, there are many types of information that not only shouldn’t be shared but cannot be shared, especially when it pertains to our national security. Let’s break down the different levels of information out there and the security classifications applied to each in order to properly identify and safeguard that information.

Top Secret information (TS)

Top Secret (TS) information is also known as classified information. Access to this level of information is highly restricted and is upheld by law or regulations to particular groups of people. It is sensitive enough to matters of national security that it must be protected at all times. Information of this nature can range from nuclear weapon launch codes to government secrets.

When it comes to the destruction of this type of information, best practices can vary. The question you should always ask yourself is: is my end-of-life data destruction equipment designed to securely destroy this information? To ensure the highest security in data destruction, the federal government requires that classified data be destroyed only with devices listed on the NSA Evaluated Products List (EPL). This equipment is suitable for TS information and meets the stringent destruction criteria determined by the NSA. You can find more information about NSA-mandated destruction of storage devices here.

Regardless of the classification level and type of data you are looking to destroy, any one of SEM’s NSA-listed paper shredders, disintegrators, degaussers, and IT crushers is fully equipped to securely destroy all of your end-of-life data.

Sensitive Compartmented Information (SCI) and Special Access Program (SAP)

Sensitive Compartmented Information (SCI) and Special Access Program (SAP) information are considered highly classified information that is controlled and designated by the National Intelligence Agencies and shared within certain Department of Defense branches. SCI and SAP access is granted only to those who already hold a Top Secret (TS) clearance. This information ranges from intelligence sources and methods to analytical processing and targeting, as well as information unique to a specialized program or project. It is accessible only to those granted access on “a need-to-know basis” and is therefore safeguarded at the highest levels due to the nature of the classified information. Accordingly, this information should only be destroyed with NSA EPL-listed devices.


Communication Security (COMSEC)

Communication Security (COMSEC) is used to deny unauthorized persons access to information obtained from U.S. Government telecommunications concerning matters such as national security. This information is handled and protected by the U.S. Department of Labor (DOL). Since COMSEC material is considered sensitive, it should be destroyed to the same standard as classified information, meaning with NSA EPL-listed equipment. COMSEC typically includes cryptographic security, emissions security, transmission security, and the physical security of COMSEC material.


Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is all of the different kinds of unclassified information throughout the Executive Branch of the United States government that requires safeguarding or circulation control that is consistent with applicable laws, government policies, and regulations.

On November 4, 2010, Executive Order 13556, “Controlled Unclassified Information,” was established to create transparency among the federal government and non-government stakeholders, as previous characterizations of sensitive but unclassified (SBU) information were not always consistent. This classification process standardizes these practices across over 100 different government departments and agencies, ranging from state and local to tribal and private sectors. The Order also mandated that end-of-life media must be destroyed to NIST 800-88 specifications. For paper, this specification is a 1mm x 5mm particle size, which is the same as for classified information.

Typically, CUI can consist of technical information with a military or space focus, legal material and law enforcement, federal healthcare, technical drawings and blueprints, immigration, and more. All of SEM’s IT destruction devices are NIST 800-88 compliant and therefore CUI compliant. In addition, all paper shredders listed on the NSA EPL are also CUI compliant.

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is any kind of information that can identify a specific individual. PII can be tricky, as it is not anchored to any one category of technology or information.


The range of what kind of information qualifies as PII is quite vast: social security numbers, IP addresses, passport and license numbers, mailing and email addresses, login IDs, and other specific information are all personally identifiable.

While data breaches should always be taken seriously, a breach of this kind of information can put the exposed people at an extremely high risk of identity theft and fraud. Take, for example, the recent security breach at the financial institution Morgan Stanley. The incidents, which occurred over a span of four years, were caused by an ITAD (IT asset disposition) vendor misplacing various pieces of computer equipment that were being used to store customers’ PII. You can read more about our thoughts on this breach here.

Personal Health Information (PHI)

Personal Health Information (PHI) is similar to PII in that it is identifiable information that can be linked to a specific individual.

PHI is an umbrella term for any kind of health information that is dated, received, transmitted, or stored by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and their business associates in relation to healthcare operations and payment. This information ranges from Social Security numbers and medical record numbers to test results and insurance information. Both PII and PHI are sensitive information and should be destroyed to the same standards that apply to CUI, so as to completely prevent reconstruction or recovery.

Whether you’re looking to destroy personally identifiable, controlled unclassified, or top secret information, it is always best practice to follow data sanitization mandates. At SEM, we have a wide array of high-quality end-of-life data destruction devices that not only meet NSA/CSS specifications but are listed on the NSA/CSS Evaluated Products List and follow the Controlled Unclassified Information (CUI) Executive Order.

Any one of our exceptional sales team members is more than happy to answer any questions you may have about your data classification and help determine which machine will best meet your company’s and federally regulated destruction needs.

Paper: It’s Here to Stay and It’s Loaded with Sensitive Data

August 12, 2019 at 1:56 pm by Paul Falcone

It’s quite ironic that in the digital age, there is still so much paper being used.

True, more and more organizations have “gone paperless,” whether it’s eStatements from your bank or the option for emailed receipts from retailers. And when you think about it, when was the last time you received a paper gift certificate, or flipped through a White Pages book to find someone’s contact information? (It’s probably been a while.)

Yet there is still a plethora of paper out there, much of it containing sensitive or otherwise private information: mailed credit card offers, office correspondence, business contracts, building blueprints and legal documentation. Medical records, birth certificates and social security cards are all printed on paper, as are government passports, and none of these will likely be issued in digital-only formats anytime soon. Even engineering plans for nuclear missiles are first presented on paper.

Our society operates with a literal paper trail that can be traced throughout our everyday transactions, which means we must take steps to ensure the protection of any personal, private and/or sensitive information that’s contained within it.

Why It’s Crucial to Properly Dispose of Paper with Sensitive Data

Whether federal or personal, most types of paper documentation include what the government calls CUI, or Controlled Unclassified Information. PII (Personally Identifiable Information) is one example of CUI on the consumer level. Unclassified government data such as documents marked For Official Use Only (FOUO) or Sensitive But Unclassified (SBU) are considered CUI, as is any and all unclassified information throughout the Executive branch that requires safeguarding and dissemination control. CUI also covers nearly all government agencies as it relates to information on critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax and transportation documentation.

When documents containing CUI face end-of-life and need to be disposed of, it’s therefore critical to take the proper destruction measures for both the data and the media, to render the sensitive information unreadable, indecipherable and irrecoverable by any means.

For paper containing government-related CUI, the data destruction must follow NIST SP 800-88 standards. NIST SP 800-88 stipulates a 1mm x 5mm or smaller final particle size for paper media (this is the same standard required by the NSA for classified information that’s reached end-of-life). This includes PII contained in a government document.

And although PII contained in non-government documentation does not require the same data destruction standards, it should still be treated with the same care and precision. If the documentation is to be shredded, the paper should be cross-cut—not strip-cut. Remember the Iran hostage crisis of 1979? (You know the one, when 52 American diplomats and citizens at the US Embassy in Tehran were held hostage for over a year by Iranian supporters of the Iranian Revolution.) During the hostage crisis, the Iranian hostage-takers gathered the strip-cut remains of shredded US intelligence reports and operational accounts and spent years painstakingly—and successfully—putting the shredded pieces back together. The sensitive data contained in the documents was made decipherable and readable, posing a major threat to the US government and our society.

[Image: paper shredded to a P-4 particle size.]

To ensure something like that does not happen to any of your documentation with sensitive data that reaches end-of-life, you should follow DIN Standard 66399 for data destruction. DIN Standard 66399, in this case Material Classification P, refers to information presented in its original size, such as on paper. Within this DIN Standard, there are further levels of security ranging from P-1 (suitable for data carriers with general data) to P-7 (for data carriers with top secret information and the strictest security standards). Level P-4 is recommended for most non-government PII covered under HIPAA, FACTA, FISMA, PIPEDA, SOX and even GDPR regulations. Under P-4 standards, the maximum cross-cut particle surface area is 160mm² with a maximum strip width of 6mm, i.e. a 6x25mm or smaller final particle size. Shredded data at this size can only be reconstructed using equipment that is not readily available commercially. Therefore, the P-4 shredding standard is safe to use for non-government-related documentation, such as documents containing PII.

A Note on Data Destruction Machines

Paper documentation containing CUI that’s reached its end-of-life should either be incinerated or shredded with the correct destruction machinery. Be sure to look for signage or other indicators on the machine that tell you whether it has been approved for CUI destruction. These machines should also be listed under the NSA/CSS 02-01 EPL for classified paper destruction.

All of SEM’s high-security shredders meet the NSA/CSS mandate. SEM also offers several cross-cut paper shredders for Unclassified paper destruction which meet the DIN Standard 66399 Level P-4. These machines are suitable for commercial, non-government paper shredding or Unclassified non-Executive branch shredding and can be viewed here.