www.canadiansecuritymag.com

Shred it forward

Whether it’s done in-house or outsourced, when it comes to forming a thorough shredding policy some companies may find they haven’t gone far enough to make sure the documents they want destroyed are securely disposed of in an efficient manner.



February 3, 2009
By Jennifer Brown


Many companies are moving to a shred-all policy, but that can become an
expensive proposition when things like newspapers and pizza boxes also
end up in the mix. While the “better safe than sorry” approach is
considered best, a blanket policy is expensive. Shredding everything
from last year’s draft budget documents to the paper and napkins from
the cafeteria can take up a lot of resources.

“We want people to understand what’s confidential and what’s not and do
that assessment themselves. Then the hard part is getting people to
comply,” says Derek Knights, Director, Investigative Services for Sun
Life, who has worked for a number of companies that have developed
strict document disposal policies.

When it comes to the basics of choosing an outsourced provider of
document destruction, there are some fundamental rules that apply, such
as insisting that the outsourcer’s staff have undergone criminal background
checks, that they run a secure facility, and that they will let you
inspect the premises, along with their transport trucks, at any time.

According to Oakville, Ont.-based Shred-it, which provides onsite
document destruction, their client base ranges in size from small
organizations with a handful of employees to large companies employing
more than 100,000.

“For small and medium-sized businesses, we can offer a real cost
savings and it’s more secure than having one of their employees
standing at a shredder which can also mean lost productivity when their
time could be better used elsewhere,” says president and CEO Rob
Warshauer. “Also, do you want that employee looking at documents you
deem confidential, or do you want to err on the side of caution?”

When confidential waste is on board, the contractor’s truck must be
locked and physically secure to a standard acceptable to you and only
authorized individuals may have access to the confidential waste on
board the truck.

“We want to know the organization has a secure facility and we want the
right to inspect all of it when we want. The onsite shredding has to
permit that one of our people can oversee it and that the bins are
completely emptied. The hard part is getting people to understand
what’s confidential and needs to be shredded and what can be recycled,”
says Knights.

If you’re outsourcing the task, it’s also important to know what
requirements to include in the agreement. At the top of the list should
be the requirement that the company has done background checks and
established a secure process for the handling of documents to be
destroyed.

“It’s the confidentiality of the information that’s at issue, not the
specific task,” says Knights. “If someone is in charge of taking
documents that need to be shredded and they take them to the loading
dock to give to the shredding company and they leave the documents and
the boxes sit there until the shredding guy comes, you have to make
sure someone is supervising that process. It’s like maintaining
continuity of evidence,” says Knights.

Warshauer says appropriate background checks are done on Shred-it employees.

“We do significant background checks of driver’s licence and make sure
everybody is bondable. Our employees also see so many bags of documents
a day it’s not really an issue; they just want to move on to the next
customer.”


Checklist for shredding equipment used in-house

Avoid strip cutters: Strip cut shredders produce strips that form neat
layers in the shred bag, and are easily re-assembled. A good quality
crosscut or particle shredder (sometimes called a “confetti shredder”)
must be used.

Residue size: For most companies the residue particles produced by the
crosscut or particle shredder should be no larger than 5/32” x 1-1/8”
(5/32” x 2” is minimally acceptable, for personal shredders). For
higher grades of security, shredders producing smaller-sized particles
are needed.

Type of use and shred capacity: Desktop shredders can usually shred
only a few pages at a time and are not terribly robust over the long
term. For high volumes of confidential documents, or for multiple
users, a department shredder is required. For shared departments,
consider a model that can shred at least 12 pages at a time.

Maintenance: A good supply of shredder oil should be kept near the
shredder. Shredders need frequent lubrication to remain serviceable.
If the shredder is not adequately lubricated, jams often result, as can
more serious mechanical malfunctions that require vendor maintenance. A
maintenance contract or arrangement with the vendor or local service
provider is needed. People often try to put too many sheets into the
shredder at once, causing jams and breakdowns, so timely maintenance
support is needed.


For contracted shredding services

Confidentiality and non-disclosure: The contractor must take full
responsibility for the confidential information while in its possession
and for any failure to keep the information confidential. There should
also be a written contract that contains strong confidentiality
provisions and obligates the contractor not to employ convicted
felons or other untrustworthy persons to do the shredding or have
access to unshredded confidential material. The contractor’s employees
should have passed a criminal records background check.

Sub-contracting: Check to make sure the contractor is not sub-contracting the work to any other company or person.

Shred waste containers: If the contractor provides lockable shred waste
containers for your workplace, they must use good quality locks (i.e.
not ordinary office cabinet locks) and your company must have control
of all the keys.  The manager responsible for physical security of the
facility should control the keys.

Proof of destruction: The contractor must provide written certification
confirming the destruction of each load of confidential waste destroyed.

Shred on-site whenever possible: Shredding should occur on-site (i.e.
on board the contractor’s truck parked at the company facility), not at
an off-site location.

Get a witness: Make sure someone from your company witnesses the entire
shredding process on-board the contractor’s truck, and insist that your
company have the ability to inspect the residue to confirm proper
destruction. No one other than an authorized company or contractor
employee should be permitted to board the truck or to have access to
confidential waste prior to destruction.

Off-site shredding requirements

If shredding is to occur at a contractor’s off-site location, then the contract must include the following requirements:

Security of shredding contractor’s truck: When confidential waste is on
board, the contractor’s truck must be locked and physically secure to a
standard established by you. Only authorized persons may have access to
the confidential waste on board the outsourcer’s truck.

Transportation route and security: The contractor’s truck should
transport the loads of confidential waste directly from your facility
to the contractor’s off-site destruction facility, without stopping or
picking up loads from other clients. If this is not possible, then the
truck must be physically secured at any stopover locations, and only
authorized persons shall be permitted to board the truck or have access
to confidential waste.

