1. Implement a document management program. This falls in the category of “identify your treasures.” Make a list of the different types of documents you need to keep – invoices, receipts, contracts, etc. Next determine who needs access to these documents in order to do their job. Identify security measures needed to maintain privacy of the data. Lastly, train all employees on responsible information-handling. Many certifications like PCI and Red Flag require this secure document management training to be compliant.
2. Implement a document retention schedule. Building on #1, you should identify how long each type of document should be kept. Have a procedure to remove expired documents from storage and destroy them securely. If you process a large volume of documents, consider contracting the shredding to a trusted third-party.
3. Regularly shred sensitive documents. For documents that do not need to be retained, provide storage containers in convenient locations for documents that need to be shredded and have them emptied regularly. Make destruction rules simple on employees – when in doubt, shred it.
4. Keep documents securely offsite. This requirement should be balanced by the document management program. For documents that must be stored but are not required for frequent business processes consider storing them offsite. If you have a small amount of documents, a safe-deposit box might suffice. For larger amounts of documents, consider off-site data storage companies like those used for tape backup and disaster recovery services.
5. Limit acquisition of confidential customer data. If information is not integral to the business process, see if you can limit your exposure by not asking for the information. Once you have it, you are responsible for securing it. Follow a need-to-know policy on release of private customer data to employees.
6. Use password protection. Most document formats that can be password protected can also be cracked easily. So you must consider document password protection as a simple deterrent. Instead consider disk based encryption like TrueCrypt for file storage and PGP for files that have to be emailed.
7. Install and update virus protection software. They refer to this software as virus protection software, but make sure your software protects against all forms of malware and not just viruses. I personally like Microsoft Security Essentials due to its price point, its light footprint, and its effectiveness. Keeping anti-malware software up-to-date is a good first line defense, but does not replace security awareness training.
8. Clear data before disposing of old computers. We consider this process to be instrumental to a good security program (surprise, surprise). Use data destruction software like Blancco, dBan, or KillDisk to ensure that no data can be recovered from your machines after you are done with them. If you contract this service out, here are 5 questions you should ask a data-destruction company. As smartphones like Blackberries and the iPhone get used by companies in larger numbers, do not forget about wiping them as well.
9. Review company credit card statements. Corporate credit accounts can be compromised as easily as consumer ones. Make sure your security program includes a review of credit card billing for fraudulent charges.
10. Limit use of file sharing programs. File sharing programs can be a breeding ground for malware, and if used inappropriately can be a mechanism to expose business data. Using tools like Spiceworks you can easily generate reports to see exactly where a particular program is installed.

In general, if you don’t need it, don’t store it. If you aren’t sure, don’t store it and ask the customer for it when needed.

Cintas Issues Top 10 Tips for Protecting Business Data in Honor of Data Privacy Day

Related posts:

1. Stimulus Bill significantly modifies HIPAA regulations Buried within the huge American Recovery and Reinvestment Act (a.k.a,...
2. 5 Questions to ask your Data Destruction Company When you replace your computers, what happens to the data...
3. Data Destruction: Is One Pass Overwriting Enough? There is some controversy regarding data destruction in the IT...

If you choose to outsource data destruction services, how can you be sure they handle your data with the same care as you would? Here are a few questions to ask:

What methods of data destruction do you provide?

This question is more for your education than anything else. There are many different forms of data destruction. First is do they use software or physical destruction methods. On the software side there are many different algorithms, from single pass, 3 pass, 7 pass, Secure Erase. The NIST states that a single pass is sufficient for most drives, but 3 pass tends to be the standard.

On the physical destruction side, there is degaussing, drilling, shredding, or hitting it with a hammer. If they use drilling, ask how many holes they drill into the platters. If they only do 1 or 2, be wary that it is theoretically possible to retrieve portions of the drive using an electron microscope. Our perferred method is shredding. Unlike degaussing, you can easily tell if the drive has been destroyed, and it doesn’t have the safety issues of hitting it with a hammer or drilling.

What do you do with failed drives?

When using software overwriting techniques, not every drive will be able to wipe 100%. Remapped sectors and bad sectors can still have data in them. At what point does the company consider a drive failed, and what do they do when it fails? Do they attempt to wipe it again? Do they inspect the drive for data remnants? Do they physically destroy the drive?

What reporting options are available?

The company providing the data destruction services should provide some form of certification of data destruction, but what does that certificate say? Does it merely indicate that they destroyed some data? Can the certificate be tied back to a particular asset? Preferably back to an asset tag you can track through your own inventory management systems?

Do you have any outside certification?

Has their process been inspected and verified by an independent body? Have drives destroyed by the company been inspected by data recovery firms? Common certifications are the NAID AAA certification, and we are starting to see requests for certification under the PCI / DSS rules. If a company has not been certified, be wary of their data security processes. Even if they have been certified, ask if they will let you tour the facility and see the processes for yourself.

What do you do with e-waste?

No matter how a company destroys data, there will be some electronic waste generated. What do they do to ensure that this waste does not end up in landfills? Do they partner with a recycling firm? Do they recycle the electronic waste themselves?

Related posts:

1. Data Destruction: Is One Pass Overwriting Enough? There is some controversy regarding data destruction in the IT...
2. 10 Tips for Protecting Business Data How do you protect confidential business data? Here are 10...
3. Buy a used hard drive on eBay, get government secrets for free! Imagine it, you purchased a computer on eBay, plug it...