Indeed, how is data security being executed when you hand over IT assets for disposition? After all, you’re entrusting your data and your reputation to an outside service provider.
Data security is an essential part of IT asset management– even for end-of-life equipment. At Guardian, we believe that data security is paramount for onsite data destruction services like hard drive shredding and erasure. Other services such as enterprise site decommissioning, data center moves and the transport of live data also need a secure chain of custody. Data security processes are also built into any service that we provide in our warehouse (including storage) and our office activities.
So, what secure data destruction policies should your providers have in place to assure you of data security and data privacy? In addition to a sterling industry reputation, a continuous training program, clear chain of custody protocol, certifications and processes, vendors should have written guidelines and hard rules for their employees and subcontractors that ensure the confidentiality, integrity and security of all data-bearing devices in their custody.
Rules of Confidentiality for secure data destruction
- Any and all customer information must be kept private
- Data is always more valuable than the equipment
- No posting on social media any comments or pictures that might show customer information/name/location
- Onsite laptops and devices must be password-protected at startup
Rules of Integrity for secure data destruction
- Records, reports and communication will be intact, accurate, complete, timely and responsive
- IT systems must be kept operational and up to date
- Communication must be be transparent and honest
- Maintenance of highest levels of industry requirements and training
- Adherence to all NAID AAA Certification standards
- Accountability and consistency are paramount
- Planning is built into every project
- Changes and difficulties are met with flexibility and responsiveness without jeopardizing data security or project objectives
- Project records, certificates and reports are produced within days to ensure compliance and accountability
Rules for Secure Onsite Data Destruction
- Technicians must wear uniforms and be professional and courteous at all times
- Technicians must carry their company ID as well as a government-issued ID
- Technicians must be trained in the specific service that they are performing (hard drive shredding, hard drive wiping, packing and shipping, data center/enterprise services, more)
- No personal cell phone use during project hours (with the exception of project leads)
- All employees must follow SOW and communicate any changes including found equipment not on the verification list and/or failed drives (erasure)
- Only Authorized Access Employees are allowed to facilitate onsite hard drive shredding and wiping operations
- Secure bins must be locked for in-building transport to the shred truck location
- Data captured by barcode scanners in a secure area and must be saved directly onto a secure, company-issued laptop
- Scanned items must be placed inside secure bins All paperwork with customer information must be kept in a backpack or secure binder and within visual range at all times in the secure area
- No unauthorized persons can be within the parameter of any shredding equipment (including inside a Shred Truck or Mobile Lab) unless the shredder is powered off
- Data destruction equipment should be tested, verified and certified by the manufacturer or third party annually
Rules of Security Escalation
- If you see something, say something
- Report any concerns to the direct supervisor immediately
- Clean and inspec all equipment and surrounding area at job completion
Data Destruction is the last line of defense
The singular objective of data destruction is to protect the customer by preserving data privacy. Like every other vendor, data destruction service providers must be committed to continuous training, high levels of communication and engagement and strict adherence to procedures that are designed for safety and security.
For questions about the optimal processes and “rules” designed to protect your data, reputation and clients, reach out to Guardian. We’d be delighted to talk to you about our deep commitment to regulatory, industry and corporate standards as part of your IT asset disposition plan. Our goal–ALWAYS–is to ensure the secure, compliant and absolute satisfaction of every data-handling job. Any size. Any device. Anywhere.
