The Critical Imperative of Data Center Physical Security

September 12, 2023 at 8:00 am by Amanda Canale

In our data-driven world, data centers serve as the backbone of the digital revolution. They house an immense amount of sensitive information critical to organizations, ranging from financial records to personal data. Ensuring the physical security of data centers is of paramount importance. After all, a data center’s physical property is the first level of security. By meeting the ever-evolving security mandates and controlling access to the premises, while maintaining and documenting a chain of custody during data decommissioning, data centers ensure that only authorized personnel have the privilege to interact with and access systems and their sensitive information.

Levels of Security Within Data Centers

Before any discussion on physical security best practices for data centers can begin, it’s important to think of data center security as a multi-layered endeavor, with each level meticulously designed to strengthen the protection of data against potential breaches and unauthorized access. 

Data centers with multi-level security measures, like Google and their six levels of data center security, represent the pinnacle of data infrastructure sophistication. These facilities are designed to provide an exceptional level of reliability and high security, offering the utmost advances in modern day security, ensuring data remains available, secure, and accessible. 

Below we have briefly broken down each security level to offer an inside peek at Google’s advanced security levels and best practices, as they serve as a great framework for data centers. 

  • Level 1: Physical property surrounding the facility, including gates, fences, and other more significant forms of defenses.
  • Level 2: Secure perimeter, complete with 24/7 security staff, smart fencing, surveillance cameras, and other perimeter defense systems.
  • Level 3: Data center entry is only accessible with a combination of company-issued ID badges, iris and facial scans, and other identification-confirming methods.
  • Level 4: The security operations center (SOC) houses the facility’s entire surveillance and monitoring systems and is typically managed by a select group of security personnel.
  • Level 5: The data center floor only allows access to a small percentage of facility staff, typically made up solely of engineers and technicians.
  • Level 6: Secure, in-house data destruction happens in the final level and serves as the end-of-life data’s final stop in its chain of custody. In this level, there is typically a secure two-way access system to ensure all end-of-life data is properly destroyed, does not leave the facility, and is only handled by staff with the highest level of clearance.

As technology continues to advance, we can expect data centers to evolve further, setting new, intricate, and more secure standards for data management in the digital age.

Now that you have this general overview of best practices, let’s dive deeper.

Key Elements of Data Center Physical Security

Effective data center physical security involves a combination of policies, procedures, and technologies. Let’s focus on five main elements today:

  • Physical barriers
  • Surveillance and monitoring
  • Access controls and visitor management
  • Environmental controls
  • Secure in-house data decommissioning

Physical Barriers

Regardless of the type of data center and industry, the first level of security is the physical property boundaries surrounding the facility. These property boundaries can range widely but typically include a cocktail of signage, fencing, reinforced doors, walls, and other significant forms of perimeter defenses that are meant to deter, discourage, or delay any unauthorized entry.  

Physical security within data centers is not a mere addendum to cybersecurity; it is an integral component in ensuring the continued operation, reputation, and success of the organizations that rely on your data center to safeguard their most valuable assets.

Surveillance and Monitoring

Data centers store vast amounts of sensitive information, making them prime targets for cybercriminals and physical intruders. Surveillance and monitoring systems are the vigilant watchdogs of data centers and act as a critical line of defense against unauthorized access. High-definition surveillance and CCTV cameras, alarm systems, and motion detectors work in harmony to help deter potential threats and provide real-time alerts, enabling prompt action to mitigate security breaches.

Access Controls and Visitor Management

Not all entrants are employees or authorized visitors. Access controls go hand-in-hand with surveillance and monitoring; both methods ensure that only authorized personnel can enter the facility. Control methods include biometric authentication, key cards, PINs, and other secure methods that help verify the identity of individuals seeking entry. These controls, paired with visitor management systems, allow facilities to control who may enter the facility, and allow staff to maintain logs and escort policies to track the movements of guests and service personnel. These efforts minimize the risk of unauthorized access, and by preventing unauthorized access, access controls significantly reduce the risk of security breaches.

Under the umbrella of access controls and visitor management is another crucial step in ensuring that only authorized persons have access to the data: assigning and maintaining a chain of custody. 

But what exactly is a chain of custody?

A chain of custody is a documented trail that meticulously records the handling and movement of data, as well as access to it and activity on it. In the context of data centers, it refers to the tracking and documenting of data assets as they move within the facility, and throughout their lifecycle. A robust chain of custody ensures that data is always handled only by authorized personnel. Every interaction with the data, whether it’s during maintenance, migration, backup, or destruction, is documented. This transparency greatly reduces the risk of unauthorized access or tampering, enhances overall data security, and helps maintain data integrity and compliance with regulations.
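One way to check such a trail for gaps, as an added example that is not part of the original post: the script below audits a custody log for every asset scheduled for decommissioning. The CSV column names, the handler names, and the sample rows are constructed assumptions, not the export format of any particular product.

```python
import csv
import io
from datetime import datetime

# Constructed sample log. Column names and values are assumptions made for
# this example, not the export format of any particular product.
SAMPLE_LOG = """\
timestamp,asset_serial,action,from_holder,to_holder,location
2023-09-01T09:00:00,SN-A001,removed_from_rack,,tech.alice,floor-2
2023-09-01T09:20:00,SN-A001,transfer,tech.alice,sec.bob,destruction-room
2023-09-01T09:45:00,SN-A001,destroyed,sec.bob,,destruction-room
2023-09-01T10:00:00,SN-A002,removed_from_rack,,tech.alice,floor-2
2023-09-01T10:30:00,SN-A002,transfer,tech.carol,sec.bob,destruction-room
2023-09-01T11:00:00,SN-A002,destroyed,sec.bob,,destruction-room
2023-09-01T12:00:00,SN-A003,removed_from_rack,,contractor.dave,floor-2
2023-09-01T12:10:00,SN-A003,transfer,contractor.dave,sec.bob,loading-dock
"""

# Hypothetical list of staff cleared to handle end-of-life media.
AUTHORIZED = {"tech.alice", "tech.carol", "sec.bob"}
# Hypothetical inventory of assets that were scheduled for destruction.
DECOMMISSIONED = ["SN-A001", "SN-A002", "SN-A003", "SN-A004"]


def load_trails(log_text):
    """Group custody events by asset serial, ordered by time."""
    trails = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        trails.setdefault(row["asset_serial"], []).append(row)
    for trail in trails.values():
        trail.sort(key=lambda ev: ev["timestamp"])
    return trails


def audit_custody(log_text, authorized, decommissioned):
    """Return {serial: [findings]} for assets whose trail has problems."""
    trails = load_trails(log_text)
    findings = {}
    for serial in decommissioned:
        trail = trails.get(serial)
        if not trail:
            findings[serial] = ["no custody records"]
            continue
        problems = []
        holder = None       # person who currently holds the asset
        destroyed = False
        handlers = set()
        for ev in trail:
            when = ev["timestamp"].isoformat()
            if destroyed:
                problems.append(f"{when}: activity recorded after destruction")
            released_by, received_by = ev["from_holder"], ev["to_holder"]
            handlers.update(p for p in (released_by, received_by) if p)
            # Each hand-off must be released by whoever last received the asset.
            if holder is not None and released_by != holder:
                problems.append(
                    f"{when}: custody gap, {holder} held the asset "
                    f"but {released_by or 'nobody'} released it")
            holder = received_by or None
            if ev["action"] == "destroyed":
                destroyed = True
        for person in sorted(handlers - set(authorized)):
            problems.append(f"unauthorized handler: {person}")
        if not destroyed:
            last = trail[-1]
            problems.append(
                f"not destroyed: last seen at {last['location']} "
                f"held by {holder or 'unknown'}")
        if problems:
            findings[serial] = problems
    return findings


if __name__ == "__main__":
    report = audit_custody(SAMPLE_LOG, AUTHORIZED, DECOMMISSIONED)
    for serial, problems in report.items():
        for problem in problems:
            print(serial, "-", problem)
```

On the constructed data, SN-A001 passes, SN-A002 shows a hand-off released by someone who never received the drive, SN-A003 was handled by an uncleared person and never reached destruction, and SN-A004 has no trail at all.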

Environmental Controls

Within the walls of data centers, a crucial aspect of safeguarding your digital assets lies in environmental controls, so facilities must not only fend off human threats but environmental hazards, as well. As unpredictable as fires, floods, and extreme temperatures can be, data centers must implement robust environmental control systems as they are essential in preventing equipment damage and data loss. 

Environmental control systems include, but are not limited to:

  • Advanced fire suppression systems to extinguish fires quickly while minimizing damage to both equipment and data.
  • Uninterruptible power supplies (UPS) and generators ensure continuous operation even in the face of electrical disruptions.
  • Advanced air filtration and purification systems mitigate dust and contaminants that can harm your equipment, keeping your servers and equipment uncompromised. 
  • Leak detection systems are crucial for any data center. They are designed to identify even the smallest leaks and trigger immediate responses to prevent further damage.

These systems are the unsung heroes, ensuring the optimal conditions for your data to (securely) thrive and seamlessly integrate with physical security measures.

In-House Data Decommissioning

While there’s often a strong emphasis on data collection and storage (rightfully so), an equally vital aspect in data center security is often overlooked: data decommissioning. In-house data decommissioning is the process of securely and responsibly disposing of any data considered “end-of-life,” which ultimately empowers organizations to maintain better control over their data assets. Simply put, this translates to the physical destruction of any media that is deemed end-of-life by way of crushing for hard disk drives (HDDs), shredding for paper and solid state drives (SSDs), and more.

When data is properly managed and disposed of, organizations can more effectively enforce data retention policies, ensuring that only relevant and up-to-date information is retained. This, in turn, leads to improved data governance and reduces the risk of unauthorized access to sensitive data.

In-house data decommissioning ensures that sensitive data is disposed of properly, reducing the risk of data leaks or breaches. It also helps organizations comply with data privacy regulations such as GDPR and HIPAA, which often require stringent secure data disposal practices.

Physical Security Compliance Regulations

We understand that not all compliance regulations are a one-size-fits-all solution for your data center’s security needs. However, the following regulations can still offer invaluable insights and a robust cybersecurity framework to follow, regardless of your specific industry or requirements. 

ISO 27001: Information Security Management System (ISMS)

ISO 27001 is an internationally recognized standard that encompasses a holistic approach to information security. This compliance regulation covers aspects such as physical security, personnel training, risk management, and incident response, ensuring a comprehensive security framework.

When it comes to physical security, ISO 27001 provides a roadmap for implementing stringent access controls, including role-based permissions, multi-factor authentication, and visitor management systems, and the implementation of surveillance systems, intrusion detection, and perimeter security. Combined, these controls help data centers ensure that only authorized personnel can enter the facility and access sensitive areas. 

Data centers that adopt ISO 27001 create a robust framework for identifying, assessing, and mitigating security risks. 

ISO 27002: Information Security, Cybersecurity, and Privacy Protection – Information Security Controls

ISO 27002 offers guidelines and best practices to help organizations establish, implement, maintain, and continually improve an information security management system, or ISMS. While ISO 27001 defines the requirements for an ISMS, ISO 27002 provides the practical controls for data centers and organizations to implement so various information security risks can be addressed. (It’s important to note that an organization can be certified in ISO 27001, but not in ISO 27002 as it simply serves as a guide.)

While ISO 27002’s focus is not solely on physical security, this comprehensive practice emphasizes the importance of conducting thorough risk assessments to identify vulnerabilities and potential threats in data centers, which can include physical threats just as much as cyber ones. Since data centers house sensitive hardware, software, and infrastructure, they are already a major target for breaches and attacks. To prevent those attacks, ISO 27002 provides detailed guidelines for implementing physical security controls, including access restrictions, surveillance systems, and perimeter security, and stresses the importance of biometric authentication, security badges, and restricted entry points.

Conclusion

In an increasingly digital world where data is often considered the new currency, data centers serve as the fortresses that safeguard the invaluable assets of organizations. While we often associate data security with firewalls, encryption, and cyber threats, it’s imperative not to overlook the significance of physical security within these data fortresses. 

By assessing risks associated with physical security, environmental factors, and access controls, data center operators can take proactive measures to mitigate said risks. These measures greatly aid data centers in preventing unauthorized access, which can lead to data theft, service disruptions, and financial losses. Additionally, failing to meet compliance regulations can result in severe legal consequences and damage to an organization’s reputation.

In a perfect world, simply implementing iron-clad physical barriers and adhering to compliance regulations would completely eliminate the risk of data breaches. Unfortunately, that’s simply not the case. Both data center security and compliance encompass not only both cybersecurity and physical security, but secure data sanitization and destruction as well. The best way to achieve that level of security is with an in-house destruction plan. 

In-house data decommissioning allows organizations to implement and enforce customized security measures that align with their individual security policies and industry regulations. When data decommissioning is outsourced, there’s a risk that the third-party vendor may not handle the data with the same level of care and diligence as in-house teams would.

Throughout this blog, we’ve briefly mentioned that data centers should implement a chain of custody, especially during decommissioning. In-house data decommissioning and implementing a data chain of custody provide data centers the highest levels of control, customization, and security, making it the preferred choice for organizations that prioritize data protection, compliance, and risk mitigation. By keeping data decommissioning within their own control, organizations can ensure that their sensitive information is handled with the utmost care and security throughout its lifecycle.

At SEM, we have a wide range of data center solutions designed for you to securely destroy any and all sensitive information your data center is storing, including the SEM iWitness Media Tracking System and the Model DC-S1-3. 

The iWitness is a tool used in end-of-life data destruction to document the data’s chain of custody and a slew of crucial details during the decommissioning process. The hand-held device reports the drive’s serial number, model and manufacturer, the method of destruction and tool used, the name of the operator, date of destruction, and more, all easily exported into one CSV file. 

The DC-S1-3 is specifically designed for data centers to destroy enterprise rotational/magnetic drives and solid state drives. This state-of-the-art solution uses specially designed saw tooth hook cutters to shred those end-of-life rotational hard drives to a consistent 1.5″ particle size. This solution is available in three configurations: HDD, SSD, and a HDD/SSD Combo. The DC-S1-3 series is ideal for the shredding of HDDs, SSDs, data tapes, cell phones, smartphones, optical media, PCBs, and other related electronic storage media. 

The consequences of improper data destruction are endless, and statutes of limitations don’t apply to data breaches. No matter what the industry, purchasing in-house, end-of-life data destruction equipment is well worth the investment. This can in turn potentially save your data center more time and money in the long run by preventing breaches early on.

Data Centers and NIST Compliance: Why 800-53 is Just the Start

August 22, 2023 at 4:42 pm by Amanda Canale

The world of data storage has been exponentially growing for the past several years and shows no signs of slowing down. From paper to floppy disks, HDDs to SSDs, and large servers to cloud-based infrastructures, the way we store data has become increasingly intricate using the latest and greatest major technological advancements. 

As the way we store our data continues to evolve, it’s becoming increasingly vital for data centers, federal agencies, and organizations alike to implement proper and secure data cybersecurity and information security practices, and appropriate procedures for secure data sanitization and destruction. Data center compliance is essential for various reasons, primarily centered around ensuring the security, integrity, and reliability of their data and systems. By complying with industry standards and regulations, data centers can safeguard sensitive data and ensure that proper security measures are in place to prevent unauthorized access, data breaches, and cyberattacks – both while data storage devices are in use and when they reach end-of-life. 

In summary, data center compliance falls under both cybersecurity and physical security best practices, and secure data sanitization and destruction. For a data center to operate at optimal performance and security, one cannot be without the other.

When discussing data center compliance, it’s important to not leave out an important player: the National Institute of Standards and Technology (NIST). NIST is a non-regulatory federal agency, and its framework is one of the most widely recognized and adopted in cybersecurity and the industry’s most comprehensive and in-depth set of framework controls. NIST’s mission is to educate citizens on information system security for all applications outside of national security, including industry, government, academia, and healthcare on both a national and global scale.

Their strict and robust standards and guidelines are widely recognized and adopted by both data centers and government entities alike seeking to improve their processes, quality, and security. 

In today’s blog, I want to dive into the two most important NIST publications data centers should consistently reference and implement into their security practices: NIST 800-88 and NIST 800-53. Both standardizations help create consistency across the industry, allowing data centers to communicate and collaborate with, and more effectively protect partners, clients, and regulatory bodies. Again: cybersecurity and destruction best practices go hand-in-hand, and should be implemented as a pair in order for a data center to operate compliantly. 

Step 1: Data Center Security and Privacy Framework

NIST 800-53

NIST 800-53 provides guidelines and recommendations for selecting and specifying security and privacy controls for federal information systems and organizations. While NIST 800-53 is primarily utilized by federal agencies, its principles and controls are widely recognized and adopted as a critical resource for information security and privacy management, not only by federal agencies but also by private sector organizations, international entities, and more importantly, data centers. 

NIST 800-53 serves as a comprehensive catalog of security and privacy controls that data centers can use to design, implement, and assess the security posture of their IT systems and infrastructure, all of which are crucial in sustaining a data center. The controls are related to data protection, encryption, data retention, and data disposal, and serve as a valuable resource for data centers looking to establish intricate and well-rounded cybersecurity and information security programs. 

NIST 800-53 addresses various aspects of information security, such as access control, incident response, system and communications protection, security assessment, and more. Each control is paired with specific guidelines and implementation details. These security controls, of which there are over a thousand, are further categorized into twenty “control families” based on their common objectives. (For example, access control controls are grouped together, as are incident response controls, and so forth.) These control families cover various aspects of security, including access control, network security, system monitoring, incident response, and more, offering data centers much higher rates of uptime and ability to minimize downtime.

Since data centers often handle sensitive and valuable information, they require robust physical security measures to prevent breaches and unauthorized access. NIST 800-53 addresses physical security controls, including access controls, video surveillance, intrusion detection systems, and environmental monitoring, which are vital in protecting the data center’s infrastructure.

It’s important to mention that while NIST 800-53 provides an increasingly valuable foundation for securing data center operations, organizations may need to tailor the controls to their specific environments, risk profiles, and compliance requirements. NIST 800-53 offers a flexible framework that allows for customization to suit the unique needs of different data center operators, making it a vital and critical resource.

Step 2: Data Destruction Compliance 

NIST 800-88

First published in 2006, NIST 800-88 and its Guidelines for Media Sanitization provide guidance and regulations on how citizens can conduct the secure and proper sanitization and/or destruction of media containing sensitive, classified, and top secret information. NIST 800-88 covers various types of media, including hard drives (HDDs), solid-state drives (SSDs), magnetic tapes, optical media, and other media storage devices. NIST 800-88 has quickly become the utmost standard for the U.S. Government and has been continuously referenced in federal data privacy laws. Moreover, NIST 800-88 regulations have been increasingly adopted by private companies and organizations, especially data centers. The main objective is to help data centers and organizations establish proper procedures for sanitizing media before its disposal at end-of-life.

When a data center facility or section is being decommissioned, equipment such as servers, storage devices, and networking gear must be properly sanitized and disposed of. NIST 800-88’s guidelines help data center operators develop procedures to securely handle the removal and disposal of equipment without risking future data breaches.

When it comes to sanitizing media, NIST 800-88 offers three key methods:

  1. Clearing: The act of overwriting media with non-sensitive data to prevent data recovery.
  2. Purging: A more thorough and comprehensive method that will render the stored data unrecoverable using advanced technology, such as cryptographic erasure and block erasing.
  3. Destruction: The physical destruction of a storage device either by way of shredding, crushing, disintegrating, or incineration. This often includes electromagnetic degaussing, a method that produces a buildup of electrical energy to create a magnetic field that scrambles and breaks the drive’s binary code, rendering it completely inoperable. The strength of the degausser is critical when eliminating sensitive information from magnetic media. Typically, degaussers evaluated and listed by the National Security Agency (NSA) are considered the gold standard.

However, even these methods can come with their own drawbacks. For instance: 

  1. Clearing: For sensitive, classified, or top secret information, clearing or overwriting should never serve as the sole destruction method. Overwriting is only applicable to HDDs, not SSDs or Flash, and does not fully remove the information from the drive. 
  2. Purging: Unfortunately, purging methods are highly prone to human error and are a very time-consuming process.
  3. Destruction: Once the drive has been destroyed, it cannot be reused or repurposed. However, this method provides the assurance and security that the data is fully unrecoverable, the process can take mere seconds, and there is no room for human error.

The chosen destruction and/or sanitization method depends on the sensitivity of the information on the media and the level of protection required, so it is crucial that data centers and organizations take into account the classification of information and media type, as well as the risk to confidentiality. NIST 800-88 provides valuable guidance on media sanitization practices, which are crucial for data centers to ensure the secure disposal of data-filled devices while minimizing the risk of data breaches. Proper implementation of NIST guidelines allows data center officials to protect sensitive information and maintain data security throughout the lifecycle of data center equipment.

The Importance of Verification 

NIST guidelines, specifically NIST 800-88, have become the industry standard when it comes to secure data sanitization; however, they are not as definitive as other regulatory compliances. With NIST, the responsibility of data sanitization falls onto data centers’ or an agency’s chief information officers, system security managers, and other related staff.

As discussed above, the destruction and/or sanitization method depends on the sensitivity of the information on the media and the level of protection required, so it is critical to the security of the end-of-life data that organizations discuss the matters of security categorization, media chain of custody including internal and external considerations, and the risk to confidentiality.

Regardless of the method chosen, verification is the next critical step in the destruction and sanitization process. NIST verification typically refers to the process of validating or verifying compliance with standards, guidelines, or protocols established by the data center and/or organization. By NIST 800-88 standards, verification is the process of testing the end-of-life media to see if the stored information is accessible. 

For sanitization equipment to be verified, it must be subjected to testing and certification, such as the NSA evaluation and listing, and must abide by a strict maintenance schedule. For proper sanitization, the device must be verified through third-party testing should the media be reused. However, when media is destroyed, no such verification is necessary, as the pulverized material itself is verification enough.

Since third party testing can be impractical, time consuming, and a gateway to data breaches, we at SEM always push for the in-house sanitization and destruction of media as the only choice to ensure full sanitization of data and the only way to mitigate future risks. When destroying data in-house, companies can be positive that the data is successfully destroyed. 

Conclusion

When it comes to data center compliance and security, there is no one-stop-shop. Adhering to both NIST 800-88 and 800-53 guidelines enhances the reputation of data centers by demonstrating a commitment to data security and privacy. This can help build trust with clients, customers, and stakeholders, leading to stronger business relationships. More importantly, these guidelines are necessary when collecting, storing, using, or destroying certain data. NIST provides educational resources, training materials, and documentation that help data center staff understand security concepts and best practices, empowering data center personnel to implement effective security measures.

At SEM, we have a wide range of NSA listed and noted solutions and CUI/NIST 800-88 compliant devices designed for you to securely destroy sensitive information. After all, the consequences of improper data destruction are endless and there is no statute of limitations on data breaches. No matter what the industry, purchasing in-house, end-of-life data destruction equipment is well worth the investment. Need us to craft a custom solution for your data center? You can find out more here. 

Uptime Institute’s Tier Classification: Everything You Need to Know

July 25, 2023 at 7:01 pm by Amanda Canale

Just as Security Engineered Machinery has been the global standard when it comes to high security data destruction solutions, the Uptime Institute’s Tier Classification has served as the international standard for data center performances. The classification evaluates data centers’ server hosting availability and reliability, and for the past 25 years, the Uptime Institute has had over 2,800 certifications in over 114 countries across the globe.

With the Uptime Institute’s Tier Classification come four tiers that are centered on data center infrastructure and define the criteria needed for maintenance, power, cooling, and fault capabilities: Tiers I, II, III, and IV.

Before we dive into the Uptime Institute’s Tier Classification, I want to run through some data center vocabulary:

Uptime

Uptime is the annual amount of time that a data center is guaranteed to be available and running. This time increases in degrees of “nines,” or a 99% availability guarantee. A data center with 99.671% uptime offers far less availability and reliability than one that has 99.982% uptime. 

Essentially, a data center wants to achieve as many “nines” as possible. A 99.9% availability (or “three nines”) will still allow for approximately eight hours of downtime per year. If a data center has 99.999% (“five nines”) then they have less than six minutes of downtime per year, or approximately twenty-six seconds per month.

Downtime

Downtime is the annual amount of time that a data center and its availability will be interrupted. Downtime can occur for a number of reasons: routine maintenance, hardware failures, natural disasters, cyberattacks, and the most common, human error. 

Whenever a data center experiences downtime, there’s a cost: according to the ITIC’s 11th Annual Hourly Cost of Downtime Survey, an hour of downtime can cost some firms and corporations anywhere from $1 to $5 million, not including any potential legal fees, fines, and penalties. The more downtime a data center has, the higher the risk they run of data breaches due to the lack of or little protection and security monitoring they have during this time. It’s also important to mention that downtime not only affects the data center employees: downtime prevents outside customers and clients from accessing services and information, too. So even if a data center experiences downtime that does not result in a data breach, it can have very real monetary and reputational consequences.

Redundancy

Redundancy is a data center component designed to duplicate primary resources and power in the case of failure. These fail-safe systems can be in the form of backup generators, uninterruptible power systems (UPS), and cooling systems, to ensure that data centers can continue to run if another component fails.

Now, let’s dive into each tier!

Tier I

Tier I is a data center at its most basic level of availability. This first tier offers no guarantee of redundancy and at a minimum, offers data centers a UPS for power spikes, lags, and outages. Most small businesses and warehouses that lack around-the-clock operations with minimal power operate at a Tier I level. Tier I facilities operate on a single distribution path for power and cooling, which can easily be overloaded or fall susceptible to planned and unplanned disruptions. In return, Tier I offers 99.671% uptime, meaning that there is a maximum of 28.8 hours of downtime per year, allowing a lot of vulnerable room for any kind of disruption and subsequent breach.

Tier II

Tier II facilities offer a bit more uptime, with a 99.741% rating, equaling no more than 22 hours of downtime per year. Like Tier I facilities, Tier II’s operate on a single distribution path for power and cooling but offer other options for maintenance and disruption mitigation. Some of these features include engine generators, cooling units, pumps, and heat rejection equipment. While not by much, this little bump in availability can guarantee a data center’s reliability, but it still does not fully protect them from unexpected shutdowns.

Tier III

Unlike Tier I and II facilities, Tier III’s are generally utilized by larger businesses and offer more than one redundant distribution path, meaning that the infrastructure has the capacity and availability to fully support the IT load and offer backup to ensure performance and reliability. This spike in reliability allows for 99.982% of uptime, resulting in less than or equal to 1.6 hours of downtime per year.

While this tier is significantly more reliable, it is not completely fault tolerant. Tier III allows for routine maintenance without impacting service, but is still vulnerable to outages, spikes, and power lags.

Tier IV

Tier IV is the most sophisticated tier and is typically used by enterprise corporations. This tier offers twice the operational capacity (or 2N) as well as additional backup components (or +1), for ultimate reliability. In this tier, every critical component of the data center’s primary infrastructure is duplicated and fired at max capacity, meaning that even in a disruption, operations are able to continue. 

Tier IV facilities offer a 99.995% uptime per year, or less than or equal to 26.3 minutes of downtime. While this level of classification can be the most expensive to implement, it is the one generally populated by government organizations and larger enterprise corporations.

Conclusion

The Uptime Institute’s Tier Classification demonstrates that in any data center setting and scale, it is absolutely vital to have redundancies in place in order to have the lowest amount of downtime possible. Data centers should strive to reach the highest tier in order to maintain their high levels of performance, availability, and reliability.

Equally vital, ultimate data center security also requires a detailed and clear data decommissioning program as part of the operations plan to ensure other safety, security, and operational safeguards are in place. The best way to achieve that level of security is with an in-house destruction plan for HDDs, SSDs, and other data center media types. When decommissioning is implemented improperly, data centers can fall subject to breaches and experience extreme financial loss and an irreparable loss of public trust. At SEM, we offer NIST 800-88 compliant degaussers, crushers, and shredders that are versatile enough to fit in any environment and scale along with auditing and documentation systems.

Since our inception in 1967, SEM has served as the industry leader in high security, comprehensive end-of-life data destruction solutions that ensure the protection of sensitive, classified, and top secret information within the government, intelligence community, and commercial markets. Our solutions are specifically designed and manufactured to comply with the most frequently cited and stringent of regulatory requirements and compliance mandates, including the National Security Agency’s (NSA) Evaluated Product List (EPL) — which is used to determine if a data destruction device is approved to destroy the US Government’s top secret and classified materials. 

Over the years, many data centers have pivoted to the most secure data-decommissioning policy: in-house destruction. By using devices like the SEM 0300 shredder line, EMP1000-HS degausser, 2SSD, and iWitness documentation tool, data centers’ data is more secure than ever when the drives reach end of life.

The fact of the matter is: the further we get into the Digital Age, the more criticality there is in protecting our most sensitive of data. Corporations, businesses, and enterprises all require a data center that can deliver reliability comparable to their uptime requirements and an in-house data destruction plan.

How NOT to Destroy Employee Personally Identifiable Information

April 25, 2023 at 8:00 am by Amanda Canale

Employee personally identifiable information (PII) is filled with critically private and personal information, such as financial information, healthcare information if provided by the employer, pay stubs, addresses and phone numbers, and more, so it should always be destroyed with the utmost care. 

Before we get to how not to destroy these types of files, it’s important we discuss how long you should keep them for. When it comes to personnel records, retention periods can vary. For instance, the Department of Labor Correspondence and the Internal Revenue Service (IRS) require any financial statements, documents from the IRS and Department of Labor Correspondence themselves, and plan and trust agreements to be kept three to four years, or even longer depending on the case.

However, when it comes to normal employee files, applications, contracts, and other employee personal information, they should be kept for two to three years from the date of termination. What about their compensation documentation? Keep these on file for three to five years from the termination. (This is important to remember!)

Now, let’s get to the fun part – the destruction!

Ripping Up

While ripping paper into confetti-sized pieces can be a great way to relieve some stress, we don’t necessarily recommend this tactic when getting rid of your most recent fire’s employee file. Even if you weren’t too crazy about your coworker, if not destroyed with high security end-of-life destruction equipment, their information could easily fall into the wrong hands, and your coworker could be the next to fall victim to identity theft – which nobody deserves. Don’t believe us? Take for instance the DARPA Shredder Challenge, where people quite literally competed to reassemble 10,000 shred particles for a large grand monetary prize. While the average person would much rather do anything else than spend 600 hours putting shred pieces back together, the same cannot be said for hackers and thieves; if it’s going to grant them access to your most sensitive information, then chances are they will rise to the occasion!

Recycling and/or Throwing Away

While we support the green initiative in wanting to recycle end-of-life PII documents, unfortunately this isn’t possible. Again, if it’s not a good idea to rip up your employee’s files, it’s not safe to simply throw them out or recycle them. Sadly, the majority of our waste and recycling ends up in landfills and dumpsters, which are typically gold mines for hackers and thieves. In addition, recycling and waste are not always transported securely, which makes it easy for people to intercept and have access to your most private and identifiable information.

It is always best to err on the side of caution when it comes to end-of-life data destruction. When it comes to specifically destroying employee files, it is best practice to use a secure, in-house method, like our Model 244/4 high security paper shredder. 

The Model 244/4 is our most popular high security paper shredder. Why? This solution is NSA evaluated and listed by the NSA/CSS EPL and meets DIN 66399 Level P-7 standards. Our 244/4 provides a rugged performance with an NSA one hour durability of 17 reams per hour while encased in a quiet system, making it the perfect choice for small or mid-size department use. 

Want even more security? Our Model 344 offers an even more secure shred size than the current mandate for the National Security Agency (NSA) requires. We like to call the 344’s final particle size P-7+. This device is the only high security paper shredder on the market that offers a particle size of 0.8mm x 2.5mm (that is 50% smaller than the current National Security Agency requirement!).

By adopting a shredding policy, you are making the most cost-effective, safe, and secure decision to take preventative measures to ensure that your past and current end-of-life employee information does not fall into the wrong hands.

Centralized vs. Decentralized Destruction: What’s the Difference?

April 17, 2023 at 2:36 pm by Amanda Canale

As with most new technology, ideas, and solutions, there are pros and cons. In this month’s blog, we’re breaking down the main similarities and differences between centralized and decentralized destruction environments.

Centralized Environment

A centralized environment is, essentially, one space where all of the magic happens. Whether it is a centralized record center or destruction environment, everything that happens and everything being stored are in one location. 

For example, let’s refer back to our Level 6 Data Centers: Best Practices in Security blog. The sixth level of the Google data center is known as a centralized destruction environment because all the destruction occurs in one, central space. At this level, security is at an all-time high, with very few personnel having access. 

 

 

Another example of a centralized environment, but in this case a record center, is a single space where all records are kept. It could be a doctor’s office where all patient files are kept or a cloud-based system where all files and documentation are stored. Since centralized environments hold a substantial amount of information, they are typically organized by separate teams or personnel with a very high level of clearance.

CENTRALIZED ENVIRONMENT PROS:

One main pro when it comes to a centralized environment, in this case destruction, is that all of your destruction occurs in one place. There isn’t a concern for whether a drive was left on someone’s desk or an end-of-life document was misfiled since there is a system in place that requires all end-of-life drives and documentation to be in one place at the same time. This allows for a highly organized destruction plan and seamless organization system.

With a centralized environment typically comes extra security (remember, all your eggs are in one basket!), which just adds an additional level of protection. This can be in the form of more security cameras, keypads and ID badges, physical security guards, and more. Not only do centralized environments come more protected, they also allow for more opportunities for control.

CENTRALIZED ENVIRONMENT CONS:

By putting one’s eggs all in one basket, while it offers a sense of control and safety, it can also have its drawbacks. Hypothetically speaking, if someone was able to breach that centralized location, they have the world at their fingertips since everything is in one place. Servers can be hacked into, destruction solutions can be tampered with, and precious information can easily be stolen. However, this is also why extra security measures are taken, whether the environment is centralized or not.

Decentralized Environment

In contrast, a decentralized environment is one where the records or destruction are spread across multiple rooms, spaces, or even floors. A decentralized environment could be the same doctor’s office mentioned earlier, but where patient personal health information (PHI) is kept spread out among various storage locations, workstations, multiple servers, etc.

DECENTRALIZED ENVIRONMENT PROS:

Decentralized environments allow for data to be stored in more than one place offering more accessibility, and allowing those who need to access the data to be closer to it. By having their data in multiple and closer locations, there’s no need for long walks across the data center or building, or extra physical layers of security.

Depending on how sensitive the information is, a decentralized record center can sometimes offer more protection since there are multiple points of access and entry, which means more opportunities for a hacker to fail.

DECENTRALIZED ENVIRONMENT CONS:

With multiple points of entry and access, also come…more money. Decentralized networks, destruction, or record environments require more upkeep, more maintenance, more storage, and more security. 

 

 

The consequences of improper data destruction are endless. By opting for in-house, centralized destruction, companies have complete oversight and can be certain that their information has been securely destroyed. At SEM, we offer an array of various high-quality NSA listed/CUI and unclassified data destruction solutions, and are experts in designing and creating, implementing, installing, and servicing centralized destruction facilities across the globe. Whether it’s for the federal government, one of their agencies, or a commercial data center, we do it all. Learn more about our scalable and customizable solutions here.

On a final note, we want to stress that when it comes to centralized destruction, maximizing your facility’s space is of critical importance. When selecting destruction solutions, it is important to ask yourselves a few questions on your facility’s size and space requirements, along with relevant compliance regulations. All are aspects of a physical space that need to be addressed when choosing the right solution. You can find out more on how to maximize every square foot of your centralized destruction facility below.
 

Applying to College: What Happens to Your PII Once You’re Accepted?

April 27, 2021 at 1:50 pm by SEM

College applications. For a lot of people, just reading those two words can bring back a swarm of flashbacks of awkward college essays, endless SAT prep, and countless hours spent anxiously awaiting that giant envelope announcing your acceptance into your dream school. While this time can be exciting for many people, it’s also a time spent filling out application after application detailing all your personally identifiable information (PII). But what happens to those applications, and that information once you’ve been accepted?

Colleges and universities are bound by a federal law called “The Family Educational Rights and Privacy Act” (FERPA), which ensures that the information provided by and in relation to students is kept private. The law also states that if the information provided is no longer needed, that it must be discarded in a manner that securely protects the information.

For context, FERPA is administered by the Family Compliance Office in the US Department of Education and applies to all educational agencies and institutions that receive funding under any program administered by the department. Private schools at the elementary and secondary levels generally do not receive funding and are therefore not subject to FERPA. Private post-secondary institutions, however, generally do receive funding and are therefore subject to follow all FERPA guidelines and regulations.

While FERPA accounts for a variety of issues such as access to education records, amendments to and disclosure of records, it also makes provisions and guidance on the protection of the information. It is within this segment of the law that institutions are obligated to protect the privacy of the data and to effectively destroy or eliminate data that is no longer needed in a controlled and secure manner.

How is this data destroyed?

Personal data resides on many forms of media, including but not limited to paper, hard drives, data tapes, optical disks, and more. Paper documents can easily be destroyed by feeding the end-of-life documents into a paper shredder. Many institutions use in-house cross-cut paper shredders for this purpose while others may deploy an outside service to shred the paper. If an office or institution utilizes an outside service to destroy their paper documents, they are usually stored in a locked cabinet or receptacle that only the outside service has access to. While these documents are securely stored in the meantime, SEM will always recommend in-house data destruction to ensure secure destruction. By opting for a third party vendor to handle your end-of-life destruction, the number of safety risks can be immeasurable. It can be far too easy for an ITAD vendor to mishandle, misuse, or even lose drives and/or paper when in transportation, being sorted by staff, and in the actual acts of destruction and disposal. (Some third party vendors have even been known to sell the data they are given to online third parties!)

Unfortunately, many college applications are now submitted virtually through applications like CommonApp and through institutions’ online portals. This means that the destruction of their electronic media is a bit more challenging. Again, there are outside services that perform this function, but they do not come without their own set of consequences. For hard drives, it is best practice to degauss any end-of-life drive prior to destruction. SEM degaussers use powerful magnetic fields to sanitize the magnetic storage media which renders the drive completely inoperable. This can in turn potentially save an institution more time and money in the long run by preventing a breach of any kind and ensuring their applicants’ PII stays safe.

At SEM, we specialize in providing secure and effective in-house solutions to numerous educational facilities around the country. We have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your institution’s destruction needs.