Over the past few years, data retention has become a
critical issue for corporations as they take steps to comply with complicated
legislation—particularly, the Sarbanes-Oxley Act.
While companies obsess over the retention requirements and boost their
storage capabilities, there seems to be a tendency to ignore the flip side
of the coin: data destruction.

What happens when your data has finally served its purpose?
Sooner or later, you’ll need to clean out those storage devices and free up
some space. In previous articles, I’ve discussed how to erase old hardware
and wipe data from
Cisco routers and switches before discarding them. But these aren’t the
only devices on which data resides.

How much data do you think your organization has lying
around in old file cabinets or long-forgotten CDs? When it comes to old media, don’t
throw it away—destroy it! By destroying any media that the organization no
longer needs, you deny data thieves access to corporate secrets.

In June, the U.S. Federal Trade Commission enacted
legislation called the Fair
and Accurate Credit Transactions Act of 2003 (FACTA). FACTA targets consumer information, such as the type
that credit agencies and lenders collect—in hopes of fighting the growing
epidemic of identity theft. However, it’s a good idea to incorporate the
principles of this law throughout your company as a best practice for media destruction.

FACTA requires “disposal practices that are reasonable
and appropriate to prevent the unauthorized access to—or use of—information in
a consumer report.” But think about this in broader terms: The end result
of all data destruction should be to deny unauthorized access to any information.

Of course, the method of destruction varies depending on the
type of media in question. Let’s look at some of the most common media types
and the destruction method for each.

Paper

When it comes to policy and practice, companies often
overlook paper as a form of media. However, it’s vital to include this category
in your overall data destruction strategy.

Stop throwing away reports and sticky notes, and start
destroying them. Take steps to destroy all documents and handwritten notes
produced as a part of your business as soon as they are no longer necessary to
your business. The most common approach for complying with HIPAA and FACTA regulations
is cross-cut shredding that yields a paper fragment of 1mm by 5mm.

CD-ROMs and DVDs

Almost every business produces CD-ROMs or DVDs, either for
distribution to its clients or for internal data storage and portability. If
you no longer need the information stored on that media or if you move the
information to a different form of storage media, make sure you destroy the CD-ROMs
or DVDs.

Several acceptable methods exist for the destruction of this
type of media. Options include breaking the disks, cutting them up with
scissors, and even a specialized machine that shreds CD-ROMs and DVDs.

Floppy disks and tape

By design, magnetic media such as floppy disks and tapes are
easy to erase and write to many times. Erase the media with one of the freely
available programs that formats and writes 0s and 1s in a random pattern. When
you’re finished with formatting and overwriting, use scissors to cut the media
and render it useless to prying eyes.

USB drives

These days, almost everyone
has a USB drive that holds anywhere from 32 MB to a GB or more. These
devices are reusable, and many keep using them until they no longer function.
If you do need to destroy one of these devices and can’t reformat it, just
break the device in half. That will render the device unusable to someone who finds
it in the trash.

Final thoughts

When implementing a data destruction policy for your
organization, keep in mind that you need to balance the risk of disclosure with
the cost of destruction. (I intentionally didn’t cover hard drives in this article,
because hard drive destruction and destroying
information on a hard drive is a totally different issue from portable
media.)

In addition, remember that if the data is valuable enough,
someone might go to extraordinary lengths to recover that information.
Regardless of the value of the data or the method you use to destroy your
media, the end result should be to completely deny unauthorized access to the
data.

Miss a column?

Check out the Security Solutions Archive,
and catch up on the most recent editions of Mike Mullins’ column.

Worried about security issues? Who isn’t? Automatically
sign up for our free Security Solutions newsletter, delivered each Friday,
and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.