Documentation needed for a data destruction audit
Posted in Blog
Are you ready for an audit? Or to defend your department in the wake of a data breach? Here are the six critical documentation steps that your auditor (or legal counsel) will expect you to provide:
1. Inventory balancing and the first step in compliance rest on the use of a scan or compare sheet. This is simply a list of all the hard drive serial numbers to be destroyed and the key to accuracy.
- Before the onsite erasure, degaussing or shredding process begins, each device is scanned and compared to the supplied lists.
- Duplicate and missing hard drives are common as are unreadable or missing serial numbers. In each case, problematic hard drives should be flagged and the onsite contact alerted to resolve the discrepancy.
- For large data destruction projects, the hardware is broken into manageable batches.
- Enterprise servers often are one serial # but have several hard drives (as add-ons). These are noted as part of the scan sheet comparison process to provide an accurate count.
- Guardian requires that the scan sheet be reviewed and signature approved by the designated onsite contact before the physical data destruction process begins.
- When serial #s match, the hard drive can be removed from inventory and marked as “destroyed.” The complete shred report with verified, scanned serial numbers is included with the Certificate of Data Destruction.
2. Detailed tracking and documentation from your erasure verification software for data sanitization that tracks and records the end-to-end process.
When drives are erased, the erasure software pulls BIOS information including make, model, ss#, memory, size, etc. of the drive. The complete erasure report with all these details is included with the Certificate of Data Destruction.
3. Before your vendor leaves the site at the end of the job, do you have a digital Certificate of Data Destruction in hand?
It is important to know that there is no certifying authority for the data destruction industry so the reputation, reporting capability and legitimacy of your data destruction vendor is paramount. Learn more about the Certificate of Destruction and what should be included to protect your data destruction jobs.
4. Do you have full reports and verification of all data destruction methods within a week of the job completion?
- This includes the PO #, date, site location, customer name, all devices, data destruction method, audit results, item serial # scan, inventory validation and reconciliation, chain of custody and any specialized compliance reports.
- Full reporting and verification of all Video monitoring for verification, an optional service, is included in the final report as cloud download links.
- If weight comparisons are included in the shred project, the before and after (with calculated loss percentage) are also included with the final report.
5. When applicable, the Certificate of Recycling is also included whether it’s shred that’s headed for melting and metal separation or the physical hardware such as end of life laptops, desktops, printers, scanners, all-in-ones, monitors, etc.
6. Many regulations govern custodial history of assets also known as chain of custody. This includes tracking all data. When you have multiple vendors or multiple locations, make sure you have Asset Transfer Forms that fully document any transfer of materials for destruction (specific location and date), the date the information was collected, the date the information ceased to exist, quantities, shipping method and custodial names at each stage. In other words, it’s a signed, official document that states “we are removing these devices from your location with your permission to our location to do whatever we’ve been contracted for (shred, erasure, recycling) including all peripherals (mice, keyboards, office devices, cables, etc.).
Until now you may have thought that all data destruction service providers are the same. If your current vendor isn’t NAID AAA-certified or providing all these services (and more), read this checklist “How to select a gold-standard data destruction provider” or reach out to us. We can talk about your documentation concerns so that you’re confident and prepared if there ever is an audit or reported data breach.
The Guardian Data Destruction goal is simple: complete, absolute, compliant data destruction to protect you, your company, your brand.
We also recommned
National Computer Security Day is about everyday data privacy and client confidentiality
Most companies don’t think about their data privacy and data destruction as part of asset disposition until something goes wrong. Learn how to make data security a part of every day not just National Computer Security Day.
Thanksgiving 2021 from the Guardian kitchen
Annual Thanksgiving 2021 message from Glenn Laga
Data privacy – how does it affect IT asset disposition and destruction?
An overview of corporate IT data disposition policies and compliance that vary based on industry sector, state, country and tolerance for risk.
Stay in the know
Get relevant information right in your inbox
We do not sell or share your information with anyone