
Secure on paper?

Brian Gouin
As with any other element of a company’s security programme,
effective document security requires a combination of physical security
measures, policies and procedures, and personnel. No security programme
is complete or effective without some combination of these three
security elements.
In today’s environment of information theft, just making
sure documents are thrown in the trash is no longer an acceptable
security risk. Document collection and destruction must be the cornerstone
of effective document security. While some companies may destroy
their own documents, for the purposes of this discussion it is assumed
a company hires a document destruction contractor to perform that
function.
The first phase of a document destruction security plan is to control
the exit of documents. In other words, make sure the documents that
require destruction actually leave the building to be destroyed
rather than ending up in the regular waste or, even worse, in someone’s
briefcase. This is not as easily accomplished as one might think and may
never be foolproof. The first step is to develop written policies
and procedures as to what constitutes a document that needs to be
destroyed and in what manner the documents are collected to facilitate
the destruction. These policies and procedures will certainly vary
from company to company.
The second step is to have personnel adhere to and enforce the
written policies and procedures. One element of this is training
every company employee on how to determine what documents need to
be destroyed and how to handle and collect those documents. As with
any training, it needs to be ongoing.
Another element is overseeing and enforcing the policies and procedures
to make sure they are being followed. In some ways that may seem
like a kindergarten-style policy, but the consequences of the information
falling into the wrong hands may be so severe that this oversight
is the best practice.
The third step is to have physical security measures in place to
help facilitate the security of the documents. These measures can
include access control systems for the exterior or interior parts
of the building to restrict access to documents, CCTV systems for
visual identification and verification and burglar alarm systems
for after hours.
For even more secure documents, RFID technology can be employed
where documents are tagged and alerts are provided if the documents
begin to leave the building. Strict enforcement may also include
physically checking those who leave for any documents. Physical
security measures cannot be used in a vacuum; they require
interaction with both policies and procedures and personnel.
The second phase of a document destruction security plan is evaluating
and monitoring the security plan of the contractor used to destroy
the documents. It would not make any sense to spend the time and
money to help ensure that the documents within the building are
handled and collected in the correct manner only to have them compromised
after they leave but before they are destroyed. Questions should
be asked and specific contractual criteria should be put in place
to verify that the proper document security is implemented.
The same criteria should be used to evaluate the document security
of the contractor as is used for the building itself: what combination
of physical security, policies and procedures and personnel are
used to form a complete and effective security programme. This should
cover from the moment the documents are picked up to when they are
destroyed. The company should visit the contractor to witness these
security measures, read its policies and procedures and regularly
monitor the security programme.
Effective document security may not completely eliminate the compromise
of any document; it seems even the US federal government can’t
do that. However, it will greatly reduce the security risk
of a document falling into the wrong hands.
Brian Gouin, PSP, CSC is a security consultant specializing
in risk assessment, system design and project management, and
author of Security Design Consulting, published
by Syngress.