Most office buildings have some form of entrance control, such as door locks, burglar alarms, swipe cards or ID badges, and there may even be security guards and sophisticated CCTV camera surveillance. Yet many organisations don't spend anywhere near as much time and money ensuring data is disposed of securely when it leaves the building.
Unshredded paper documents left outside for collection by the dustbin men, for example, can be pilfered for identity theft, corporate fraud and industrial espionage purposes.
Not only does this represent a significant business risk, but any organisation that doesn't shred sensitive personal data in accordance with a corporate shredding policy could also be in breach of the Data Protection Act's Seventh Principle, which states that appropriate technical and organizational measures must be taken to protect personal data. In the list of security controls to be considered it asks, "Is printed material disposed of securely, for example by shredding?" Failure to comply with the DPA is a criminal offence, so it's important to have a shredder.
The three main types of shredders for confidential document destruction are strip cut, cross cut and crypto cut. Strip cut cuts paper into long parallel lengths. The length of the strips will tend to be as long as the type of paper that you're shredding;, for example, a sheet of A4 paper comes out as parallel strips 297 mm long. The main advantages of strip-cut shredders are that they are cheaper than other types of shredders and can usually shred more sheets of paper per pass. However, with a little patience, an attacker could reconstruct a strip-cut document; for most offices, only those that cut paper into 2 mm strips should be used.
The cutting cylinders of a cross-cut shredder not only cut the paper lengthways, but also widthways, producing small particles that look like confetti. Depending on the model of shredder, a single A4 sheet of paper is turned into between 300 and 1500 tiny pieces. This obviously makes it a lot lot harder for anyone to read what was on the shredded document. Also, the waste shreds compact better into a waste than strip-cut shreds -- up to five times as many cross-cut bits can fit in a bin as strip-cut shreds -- meaning that the shredder has to be emptied less frequently, and requires fewer waste bags. Cross-cut shredders generally meet the DIN 32757 (Deutsches Institut für Normung/German Institute for Standardization) standard Level 4, with a maximum particle size of 2 x 15 mm, so are suitable for confidential and commercially sensitive information.
For the most sensitive documents, you can opt for a crypto-cut shredder, which generally can meet DIN Level 5 or 6. A Level 5 machine will shred to a maximum particle size of 0.8 x 12 mm, while the unofficial extension of the standard, Level 6, shreds to 0.8 x 4 mm particles. Both are suitable for top secret or classified documents, turning a single piece of paper into between 1,500 and 3,000 tiny particles.
When assessing which type of shredder to buy, take into account the volume of waste -- including CDs, credit cards and similar materials -- you are likely to need to shred each day and any expected growth in the volume of paperwork your organisation creates, as the most expensive part of any shredder is the person doing the shredding. If you regularly use unusually sized documents, such as full-width continuous-feed computer paper, then check that the entry throat of the machine is wide enough to handle the required paper sizes without having to fold them, as this increases the size of the resulting particles or strips. Many shredders will also shred other types of media such as CDs, DVDs, credit cards and floppy disks. So take other shredding needs into account as well before choosing.
The resultant paper shreds can be recycled in a number of ways, such as for animal bedding, garden mulch or packaging material. You can also shred junk mail, too, and let the local council recycle it. (It is worth checking in your area, however, as some councils will not collect shredded waste if it is inside a plastic bag.)
The law requires businesses to retain certain documents for a period of time, but any documents that are no longer required should be safely shredded before they leave the building. Although it is a menial task, anyone handling sensitive documents during the shredding process will need to be fully vetted with thorough background checks. You will also need a comprehensive policy covering shredding, addressing issues such as the use of cameras, and recording what has been shredded, when and by whom.
There are, of course, many document shredding and disposal services available. When considering outsourcing the process to such a service, make sure it is at least ISO 9001 certified, and preferably ISO 27001 certified as well. As part of the service-level agreement, check that the service keeps proper audit trails, including serialised certification of destruction, and that all personnel involved in the shredding process are security screened. I would also strongly recommend you witness at least one complete process from collection to destruction, a necessary step if your organisation is ISO 27001 certified itself. These services can often securely dispose of other sensitive items such as CDs, video surveillance tapes and other computer storage media. Some will also destroy uniforms, an often overlooked item of great interest to would-be attackers.
A shredder or shredding service has become as essential for enterprise data security as the locks on doors and burglar alarms, and cuts the risk of data loss. So make sure printed material is disposed of securely.
About the author:
Michael Cobb CISSP-ISSAP, CLAS, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
This was first published in January 2011