A Country in Crisis: Data Privacy in the US

March 4, 2020 at 4:17 pm by Heidi White

In 2019, the United States had the highest average cost per data breach in the world, at $8.19 million (IBM Security and Ponemon Institute, 2019), and healthcare data breaches affected 80% more people than in 2017, just two years prior (Statista, 2020). In today’s data-driven environment, it seems not a day goes by without news of a data breach or leak. Data privacy in the US is a growing problem caused primarily by the exponential increase in digital data, the trend of moving data storage to the cloud, and the lack of a federal data privacy regulation.

Over the past several years, digital data has been increasing at an unprecedented rate. To put it into perspective, in 2019 the overall global population increased at just over 1% to 7.7 billion, while the number of unique mobile phone users increased by 2% to 5.8 billion. In addition, the number of internet users increased 9% to 4.4 billion, which is 57% of the global population (Hootsuite & We Are Social, 2019). As global urbanization continues, the sheer number of people utilizing data in their day-to-day lives will continue to grow. Combining personal use with the fact that nearly all businesses have a website and run their organizations using computers, it becomes clear that the use of data will only continue to increase in the coming years. All of this data, which moves across continents in seconds, needs to be stored and managed somewhere. This exponential increase in the use of digital data has required an equally aggressive increase in data storage capabilities.

As digital data increases, so does the trend of moving data storage to the cloud. Often misunderstood, the cloud is not some mystical cumulus floating in the sky with ones and zeros suspended in it. Rather, the cloud is nothing more than large data centers that house racks and racks of servers and drives that run 24/7. These constantly moving parts create an immense amount of heat, so data centers utilize massive cooling mechanisms to keep the temperature down. Understandably, data centers therefore use an excessive amount of energy, making operation fairly expensive. While larger businesses previously owned their own data centers or used in-house data storage, there has been a rapid shift to cloud service providers over the past five years. From 2017 to 2019, the number of cloud service data centers rose from 7,500 to 9,100, with 2020 expected to see that number top 10,000. On the flip side, there were 35,900 data centers owned by non-technology firms in 2018, and that number is expected to decline significantly to 28,500 by the end of 2020. In fact, the share of large companies in North America shifting away from their own data centers to cloud service providers is expected to increase from 10% in 2017 to 80% by 2022 (Loten, A. 2019). The move to cloud service providers is further evidenced by the increasing number of mergers and acquisitions in the cloud service sector. But how does this affect data privacy? It puts the onus of maintaining data privacy into the hands of technology giants rather than individual organizations that know a breach could literally destroy their businesses. As data increases exponentially and its storage shifts inexorably to the cloud, concerns over data security and privacy escalate in parallel, leading to much-needed data privacy legislation.

In 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR) in an effort to protect the privacy of European consumers. And while Canada had implemented the similar Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, GDPR proved to be far more aggressive legislation both in terms of reach and monetary penalty. GDPR requires that all organizations that do business with EU citizens adhere to the legislation, meaning that global organizations such as Apple, Facebook, and Google, as well as smaller US companies that sell to Europeans, are required to follow GDPR. Since its inception in May of 2018, GDPR has levied hundreds of millions of Euros in fines and is only getting more aggressive with enforcement; however, GDPR only affects organizations that have dealings with EU citizens. Conversely, the United States has fallen behind in data privacy legislation, leaving the onus of maintaining data privacy to individual states. As of February 2020, only California, Nevada, and Maine have implemented data privacy legislation, with only the California Consumer Privacy Act (CCPA) requiring deletion of personal data if requested, similar to GDPR (Noordyke, M. 2020). Considering that well over half of all global data breaches occur in the United States and, as previously discussed, those breaches are increasing due to the exponential increase in global data, the lack of a federal data privacy law is concerning. Unlike their European counterparts, Americans are largely left to their own devices when it comes to data privacy and have little recourse when a breach occurs. In fact, one of the largest breaches of 2012 occurred at major online retailer Zappos, affecting 24 million customers. In 2019, the agreed-upon settlement to a class action lawsuit provided reparation to the affected individuals in the form of a 10% Zappos discount code that was only good through 31 December 2019. Needless to say, a 10% discount code (which actually helps Zappos rather than punishes them) in exchange for breached personal data hardly seems equitable (Doe, D. 2019). Until the United States takes federal data privacy as seriously as its European and Canadian counterparts, the privacy and security of American citizens will continue to erode.

Data privacy and security is a serious and growing global issue, even more so in the United States, where the bulk of data breaches occur. As more and more people embrace technology, the need for data storage increases, which in turn increases the need for larger and faster data centers. Additionally, the dramatic shift from on-premises to cloud storage only exacerbates the problem of data privacy by relying on technology giants to protect organizations’ consumer data. Breaches will only escalate in line with our digital footprint; of that there is no question. Without a federal data privacy law, the privacy of American citizens’ data will continue to be at serious risk. And 10% off a pair of shoes simply isn’t the answer.


Heidi White is Director of Marketing at SEM and is a self-proclaimed data security fanatic. Contact Heidi at h.white@semshred.com.


References

IBM Security and Ponemon Institute (2019). Cost of a Data Breach Report. Retrieved from https://www.ibm.com/security/data-breach

Statista (2020). Number of U.S. residents affected by health data breaches from 2014 to 2019. Retrieved from https://www.statista.com/statistics/798564/number-of-us-residents-affected-by-data-breaches/

Hootsuite & We Are Social (2019). Digital 2019 Global Digital Overview. Retrieved from https://datareportal.com/reports/digital-2019-global-digital-overview

Loten, A. (2019, August 19). Data-Center Market Is Booming Amid Shift to Cloud. Wall Street Journal. Retrieved from https://www.wsj.com/articles/data-center-market-is-booming-amid-shift-to-cloud-11566252481

Noordyke, M. (2020). US State Comprehensive Privacy Law Comparison. Retrieved from https://iapp.org/resources/article/state-comparison-table/

Doe, D. (2019, October 18). Zappos data breach settlement: users get 10% store discount, lawyers get $1.6m. Retrieved from https://www.databreaches.net/zappos-data-breach-settlement-users-get-10-store-discount-lawyers-get-1-6m/

Best Practices in Drafting a Data Decommissioning Policy

February 21, 2020 at 4:39 pm by Heidi White

The amount of data that a company, agency, or individual possesses will continue to exponentially grow as time marches forward. When drives reach their end-of-life through failure, technological obsolescence, or routine upgrade, organizations are faced with several choices on how to dispose of that data securely.


In-Depth Guide to Federal Data Destruction Regulatory Requirements

at 4:36 pm by Heidi White

Data security encompasses all aspects of information protection and has been an integral part of federal policy since the Social Security Act of 1934 made it illegal to disclose an individual’s social security number and personally identifiable information (PII). Since then, numerous federal programs and processes specific to the privacy and security of personal, financial, health, and intelligence information have been instituted.


Security Engineered Machinery Announces Two Key Hires

January 8, 2020 at 7:33 pm by Heidi White
David DiTullio, VP of Finance, and David Wesolowski, Director of Operations

Security Engineered Machinery is pleased to announce that David DiTullio and David Wesolowski have joined the team as Vice President of Finance and Director of Operations, respectively. The announcement was made by Andrew Kelleher, President and CEO of SEM.

David DiTullio joins SEM with over two decades of manufacturing finance experience, most recently as Director of Financial Planning and Analysis at Oxford Instruments. He has held similar roles at NEC Energy Solutions, UTC Fire and Security, and Nypro, Inc. In his role as VP of Finance at SEM, Mr. DiTullio will be responsible for all financial aspects of the company including financial management, cost accounting, information technology, and cash management. Mr. DiTullio received both a BS in Economics-Finance and an MBA in Corporate Finance from Bentley College.

David Wesolowski has 20 years of experience as an operations leader focused on increasing efficiency and productivity while improving company culture. Prior to joining SEM, Mr. Wesolowski worked for Thermo Fisher Scientific, most recently as Director of Operations and Site Leader. With proven experience in business acumen, improving the customer experience, employee engagement and development, and project management, Mr. Wesolowski will be primarily responsible for engineering, procurement, service, manufacturing, and warehouse operations. Mr. Wesolowski received a BS in Business Administration from Roger Williams University and an MBA from Bryant University.

“David DiTullio brings 23 years of finance experience to the team with targeted expertise in leadership, analysis and forecasting, cost accounting, and financial reporting in the manufacturing sector,” said Mr. Kelleher. “Just as impressive, David Wesolowski has over 20 years of multi-faceted operations experience with targeted expertise in operational efficiency, lean manufacturing, client relations, teambuilding, and metric management and reporting. Both Davids’ impressive experience is complemented by their exemplary personal attributes including integrity, dedication, and positivity, making them a perfect fit for SEM.”

Mr. DiTullio and Mr. Wesolowski will be working out of the company’s corporate headquarters in Westborough, MA.

Gingerbread Smackdown!

December 23, 2019 at 8:26 pm by Heidi White

Here at SEM, we not only enjoy providing superior service and products to our clients, but also love having fun. This holiday season, we decided to have a gingerbread house competition and to allow our social media friends to vote on the winner. All seemed to be moving smoothly and easily at first: we asked for signups, made our teams, and scheduled the event for 20 December. Employees signed up to bring snacks and cider, the Culture Committee purchased gingerbread house kits for participants, and gingerbread builders were asked to bring in decorations for their houses.

That’s when things got a little heated.

Next thing we knew, employees were rushing into work with bags of candy clandestinely tucked beneath their winter coats, water cooler conversations abruptly ended if a rival team member approached, and whispers about stained glass made out of Jolly Ranchers (!) could be heard.

On the day of the event, spirits were high and everyone was excited to get to work. Team #1 made a classic gingerbread house with marshmallow snow, a candy cane sign, and even a brick walkway. Rival team members cried foul when they saw the brick walkway, crying out, “Paper isn’t edible! Disqualified!” However, after an intensive internal review, the Culture Committee clarified the rules stating that there were no rules, and the competition continued.

Team #2 decided to create a non-traditional gingerbread house, and we will just leave that one right there.

Team #3 went all out with a complete gingerbread train, gingerbread tree, and gingerbread man. They made train tracks out of black licorice and brought glittery snow to put under it all. Rival teams (of course) called foul on the gingerbread train since it wasn’t “regulation” size, but the Culture Committee reiterated the rules – there are no rules – and the competition continued.

Throughout all of the bantering about regulation gingerbread trees and unfair paper walkways, and while Team #2 made their… well, let’s call it a modern art creation, Team #4 quietly and diligently worked to create their masterpiece, a traditional candy house complete with stained glass windows (yes, they went there), custom frosted trees, a pretzel fence, and Santa on the roof.

At the completion of the competition, we turned to social media for votes, and did our clients, friends, and family ever show up! After a weekend of voting, Team #4 was crowned the winner of the gingerbread house competition. And while the prize is lunch out for the winning team, the real prize is bragging rights.

And there has been plenty of bragging, to which the rest of us say, “Until next year…”

Happy Holidays!

Security Engineered Machinery Introduces Dual Shredder for Classified and CUI Paper and Optical Media Destruction

August 12, 2019 at 10:15 am by Heidi White

OfficeShredHS satisfies industry need for an all-in-one NSA listed paper and optical media shredder that meets the NSA’s new DVD and Blu-ray Disc destruction requirement

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to introduce the OfficeShredHS dual paper and optical media shredder. This sleek, user-friendly device is specifically designed for the destruction of classified and controlled unclassified information (CUI) on paper, CDs, DVDs, or Blu-ray Discs (BDs) in office environments.

“Since the NSA released the new DVD and BD specification in late 2018, the market has lacked an NSA listed combination machine that destroys both paper and optical media in office environments,” said Bryan Cunic, SEM Director of Customer Care. “Being an industry innovator for over 50 years, it is no surprise that SEM engineered the OfficeShredHS to fill that gap.”

Sporting an attractive cabinet that houses SEM’s NSA listed 1324C/3 paper shredder and SEM’s NSA listed 0200-OMD/SSD optical media shredder, the OfficeShredHS quickly and efficiently destroys paper to a 1mm x 5mm particle and optical media to a 2mm particle, both NSA requirements for classified data destruction. In addition, the OfficeShredHS meets the Information Security Oversight Office (ISOO) 32 CFR Part 2002 “Controlled Unclassified Information” directive requiring that all Executive Branch agencies destroy CUI paper to a 1mm x 5mm particle.

SEM’s 1324C/3 NSA listed paper shredder accepts up to four sheets of paper per pass, with a 1-hour durability rating of five reams. Constructed with rugged steel cutting heads, safety and convenience features, and whisper quiet functionality, the 1324C/3 is a time-tested, low volume, high security paper shredder. SEM’s 0200-OMD/SSD NSA listed optical media shredder provides efficient destruction of low volumes of classified CDs, DVDs, BDs, and solid state devices such as EMV credit cards, magnetic stripe cards, Common Access Cards (CAC) IDs, and SIM cards. These two devices come together in the OfficeShredHS to provide the first NSA listed combination destruction device to meet the NSA’s new DVD/BD requirement. It also uses standard 120V electrical outlets and is TAA compliant.

“SEM’s OfficeShredHS fills the very real need for an NSA listed combination office shredder that destroys classified and CUI paper and optical media,” added Heidi White, SEM Director of Marketing. “This revolutionary device is attractive, compact, clean, portable, and quiet, making it the ideal solution for safeguarding sensitive information in government office environments.”

The OfficeShredHS has a list price of $7,499. For more information, visit www.semshred.com/product/OfficeShredHS.

Security Engineered Machinery Introduces Manual Crusher for Both HDDs and SSDs

July 30, 2019 at 12:22 pm by Heidi White

Model 0100 SSD/HDD quickly and easily destroys both rotational hard drives and solid state boards without electricity


Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to announce the introduction of the Model 0100 SSD/HDD manual solid state and rotational hard drive crusher. This new product provides an affordable, efficient solution for organizations with low volumes of hard disk drives (HDDs) and solid state drives (SSDs) requiring physical destruction.

“The 0100 SSD/HDD was designed to be a portable, cost-effective, and eco-friendly option for the efficient destruction of IT media,” said Andrew Kelleher, SEM President and CEO. “This unique device has a low profile, is quiet and clean, and operates by using a simple lever, making it a convenient, safe solution for smaller office environments.”

SEM’s Model 0100 SSD/HDD manual crusher easily destroys both rotational hard drives and solid state boards. The unit includes an SSD kit consisting of a wear plate and press plate for holding solid state boards during the crushing cycle. Manual operation makes crushing drives efficient and versatile, providing ultimate portability and ease of operation. SEM’s Model 0100 SSD/HDD exerts up to three tons of crushing force, and destruction time is five seconds or less. The heavy-duty steel anvil punctures and destroys the drive chassis and platters of HDDs as well as chips found on solid state boards. Quality, solid steel parts ensure smooth and consistent operation.

The 0100 SSD/HDD has a list price of $1,299 and is TAA compliant. An optional stand is available. For more information, click here.

Security Engineered Machinery Introduces Shredder Specifically for Credit/ID Cards and Dog Tags

July 15, 2019 at 6:14 pm by Heidi White

IDShred65 addresses growing need for efficient and effective destruction of cards and dog tags that contain personally identifiable information (PII)


Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to announce the introduction of the IDShred65 ID and dog tag shredder. This device is specifically designed for the destruction of plastic and metal credit cards, dog tags, and ID cards such as CAC IDs and driver’s licenses.

“The IDShred65 was created to address a growing need to destroy cards and dog tags in both the commercial and federal markets,” said Nicholas Cakounes, SEM Executive Vice President. “Unlike competitor models, SEM’s IDShred65 easily destroys the heavier, thicker credit cards of today including metal cards.”

The all new IDShred65 is enclosed in a compact metal cabinet mounted on casters for portability and ease of use in office environments. It also boasts a rugged, all steel cutting head that is specifically designed for the efficient destruction of thick metal cards and tags. Designed with operator ease of use in mind, the IDShred65 has a customized feed slot for cards and tags, a modern, sleek design, and plugs into a standard 120V outlet. It also comes standard with integrated safety and convenience features including an LED control panel with auto start/stop and reverse and bag full and door open indicators. In addition, the IDShred65 is an eco-friendly product, featuring an Energy Savings Mode that shuts off power when not in use and operating without the use of oil.

“We are thrilled to offer the IDShred65 to satisfy the rapidly growing need for on-prem destruction of dog tags and cards, both metal and plastic,” added Bryan Cunic, SEM Director of Customer Care. “SEM has long been an innovator of high security information destruction technology and the new IDShred65 continues that tradition of excellence.”

The IDShred65 has a list price of $5,999 and is TAA compliant. For more information, click here.

Why Data Centers Need to Know About GLBA Compliance

May 14, 2019 at 1:10 pm by Heidi White

Data privacy and data protection rules are hot topics, having prompted us to consider exactly how we share, store, and dispose of our personal information from the individual level to the corporate level. Indeed, most (if not all) businesses must now adhere to some sort of data protection and privacy policy as set forth by industry standards. But what happens if your business interacts with other businesses that have their own policies and regulations to follow? Do you have to adopt those rulings for your business in order to continue working together? In most cases, the answer is yes.

Take data centers. If you operate such a business, you likely have stringent rules in place for securing the data you house on behalf of your clients. But, do you also follow the data regulations and privacy policies set forth by your clients? If your answer is no and your clientele is covered under the GLBA, you’ll need to revisit your information security plan immediately to incorporate GLBA compliance.

What is GLBA?

The Gramm-Leach-Bliley Act (GLBA) of 1999 mandates that financial institutions and any other companies that offer financial products to consumers such as loans, financial or investment advice, and insurance must have safeguards to protect their customers’ sensitive data and must also disclose in full their information-sharing practices and data security policies to their customers.

Check-cashing businesses, payday lenders, real estate appraisers, professional tax preparers, courier services, mortgage brokers, and nonbank lenders are examples of businesses that don’t necessarily fall under the “financial institution” category yet are included in the GLBA. The reason is that these organizations are significantly involved in providing financial products and services and therefore have access to personally identifiable information (PII) and sensitive data like social security numbers, phone numbers, addresses, bank and credit card numbers, and income and credit histories.


GLBA Compliance: Applicable to More than Just GLBA-Covered Businesses

In accordance with GLBA, organizations covered under this Rule must develop a written information security plan that details the policies put in place at the organization to protect customer information. The security measures must be appropriate to the size of the business and the complexity of the data collected. Moreover, each company must designate an employee or a group of personnel to coordinate and enforce its security measures. Lastly, the organization must continually evaluate the effectiveness of its developed security measures, identifying and assessing risks to improve upon the policy and measures taken as needed.

At this point, you may be asking yourself, “How does this affect my business as a data center?”

The data safeguard rules also apply to any third-party affiliates and service providers employed by the companies covered under GLBA. As such, it is the responsibility of the GLBA-covered company to ensure that the same steps are taken by the third-party affiliate to protect the data it interacts with or stores on behalf of the company. This means companies under GLBA are going to select third-party service providers, like your data center, that already have the same steps and policies in place to safeguard sensitive data. Furthermore, organizations under GLBA have the authority to manage the way in which their service provider handles their customer information to ensure compliance with GLBA.

Cloud-based data centers therefore must comply with GLBA rules for security policies and enforcement or risk losing business from those organizations and other potential clients that are covered under GLBA. As the data center operator, you could go about this in one of three ways:

  1. Create separate GLBA-compliant policies for each client organization based on their needs.
  2. Allow each client organization to delineate the GLBA-compliant policies they’d like your business to follow and adopt those accordingly.
  3. Establish one set of GLBA-compliant policies that cover all aspects of data protection and privacy and that can work for all client organizations and potential new business.

An SSD before and after going through a SEM Model 2SSD solid state disintegrator

GLBA and Data Destruction

Just as there are plans and personnel in place to oversee the safeguarding of data while it’s in use, under the GLBA there must be a plan and personnel in place to oversee data destruction when the data has reached its end-of-life. These policies and plans for the proper disposal of secured data should be incorporated into the organization’s information security plan and should be regularly evaluated for risk as well. While this is a straightforward task for the GLBA-covered company, developing and enforcing GLBA-compliant data destruction policies for a third-party affiliate or service provider like a data center is a different story entirely.

Not only do you need to create a set of protocols around data and drive destruction for your data center, you need to be able to prove to your client organization that you can properly dispose of the drives the data is housed on as well as the data itself. This is because both data and drive disposal must be achieved so that neither the data nor the drive can be recovered or otherwise reconstructed after destruction. Since your data center already provides remote access to the information you store, it’s recommended that you purchase and maintain data destruction machinery at your center. This way, you also control where that sensitive information is handled during the data destruction event.

One of the simplest ways to ensure compliance during data destruction events is to work with the GLBA-covered organization to assign certain personnel to that task within your data center. For instance, assigned personnel within your company as well as the client company’s GLBA task force would be required to be on-site during data destruction events. Both parties would be responsible for enforcing data destruction at the data center, including the documentation of every data destruction event, to ensure compliance and alleviate liability in the event of a breach.

Security Engineered Machinery is the global leader in high security information end-of-life solutions including paper and IT shredders, crushers, disintegrators, and degaussers.

FISMA Requirements: Are You Compliant?

May 2, 2019 at 6:55 pm by Heidi White

All US-based organizations and agencies, whether public or private, must comply with certain information security measures when it comes to data storage and disposal. For government agencies and affiliated organizations, information security is paramount because of the sensitive nature of the information housed within these parties. To ensure the protection of proprietary United States data, legislation to regulate proper data and information security management was passed as part of the Electronic Government Act of 2002.

Called the Federal Information Security Management Act (FISMA), this law focuses on the importance of data security as it relates to the economic and national security interests of the US. As such, FISMA stipulates that all government agencies, government contractors, and any organization that exchanges data directly with a government system must safeguard all of their information technology (IT) systems, including stored data, by developing, documenting, and implementing an information security program.

In 2014, this law was amended by the Federal Information Security Modernization Act (FISMA 2014) to bolster the authority of the Department of Homeland Security (DHS) to administer, implement, and provide technical assistance with information security policies for civilian (non-national security) federal Executive Branch systems. FISMA 2014 also updated and clarified the oversight authority of the Office of Management and Budget (OMB) and its ability to eliminate inefficient and wasteful reporting by any organization under FISMA. It also sanctions DHS’ role in assisting OMB with this responsibility.

FISMA: Who It Affects and Why It’s Important

The purpose of FISMA is to protect government information, assets, and operations against natural threats and criminal activity, whether from within the US or outside. Therefore, any US organization directly related to or doing business with the US government, including federal- and state-level government agencies and contractors, state government departments, military subcontractors, and even data clearinghouses fall under FISMA regulations.

Failure to pass a FISMA inspection by DHS or OMB can result in unfavorable publicity for your organization and a cut to your IT budget, as well as significant administrative ramifications for your organization. However, failure to comply with FISMA, especially when it comes to breach avoidance and proper data destruction, can have far greater and more catastrophic implications for you and your organization. Should any of your private, secured federal data be compromised and your organization be found noncompliant, there are serious civil and criminal federal consequences.

How to Comply with FISMA

C-suite executives like chief information officers, information security officers, senior agency officials, and agency program officials are all responsible and held accountable for ensuring FISMA compliance within their respective organizations.

As stated in FISMA, these federal or otherwise federally-affiliated organizations must develop, implement, and accurately manage an information security program to safeguard the IT systems and any ensuing data that is collected, stored, and transferred. This includes documentation of both the security systems and the access granted to stored federal information.

The National Institute of Standards and Technology (NIST) outlines steps that these individuals should take to comply with FISMA:

  1. Track and categorize all information and media devices that must be protected.
  2. Set baseline security controls. Implement and document their use in the appropriate security system.
  3. Regularly refine these controls using a defined risk-assessment procedure as part of an annual review process.
  4. Authorize the IT system for processing within the selected group of authorized personnel and monitor the systems on a regular basis.

Complying with FISMA also extends into data destruction and device disposal practices. Full data destruction requirements can be found under the Federal Information Processing Standards (FIPS) Publication 200: Minimum Security Requirements for Federal Information and Information Systems. According to FIPS, organizations under FISMA must: i) set and enforce policies for protecting all data and information systems, whether on paper or in digital format, ii) appoint authorized personnel for sole access of the IT systems and federal information and iii) ensure complete and total destruction of both the data and the media in which it is stored upon reaching end-of-life.

When it comes to the disposal of this federally-protected private data, FIPS also states that the organization must develop and enforce a set of policies for how the data and media should be destroyed, and accurately document every data disposal event, most easily accomplished by using an audit-friendly media tracking system such as SEM’s iWitness. It’s recommended to purchase on-site data destruction machinery and limit access to the data and the data destruction machinery to a small group of authorized personnel.

SEM’s iWitness media tracking system provides audit-friendly compliance with FISMA’s documentation requirements

Furthermore, when it comes to the data end-of-life cycle, the device on which the data is housed must also be destroyed via degaussing, incinerating, melting, or pulverizing machinery so that neither device nor data can be read or otherwise reconstructed. You should also choose a vendor, like SEM, that has NIST- and NSA-approved data destruction machinery.
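Both the GLBA section above (operator and client witness on-site, every destruction event documented) and the FISMA/FIPS passage (document every disposal event, restrict access to a small group of authorized personnel) describe the same record-keeping need. The following is an added example, not SEM's iWitness product nor any code from the original post, of how a data center could keep a tamper-evident destruction log that enforces those two requirements: each record must name a distinct operator and witness, and records are hash-chained so that a later edit to any entry is detectable when the log is audited. All asset IDs, names and timestamps are constructed sample values.

```python
"""Tamper-evident log of media destruction events (illustrative example)."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

# Fields every destruction event must carry before it is accepted into the log.
REQUIRED_FIELDS = ("asset_id", "media_type", "method", "operator", "witness", "timestamp")
GENESIS = "0" * 64  # prev_hash of the very first record


@dataclass(frozen=True)
class DestructionRecord:
    asset_id: str    # serial number or inventory tag of the drive or media
    media_type: str  # e.g. "HDD", "SSD", "paper", "optical"
    method: str      # e.g. "degauss+crush", "shred to 1mm x 5mm"
    operator: str    # data-center employee who performed the destruction
    witness: str     # client-side observer (e.g. a GLBA task-force member)
    timestamp: str   # ISO-8601 UTC
    prev_hash: str   # digest of the preceding record, which links the chain

    def digest(self) -> str:
        # Canonical JSON (sorted keys) so the hash is stable across runs.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class DestructionLedger:
    def __init__(self) -> None:
        self.records: List[DestructionRecord] = []
        # Digest of the newest record; this is the value both parties
        # countersign at the end of a destruction event.
        self.head = GENESIS

    def append(self, **fields: str) -> DestructionRecord:
        missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
        if missing:
            raise ValueError(f"incomplete destruction record, missing {missing}")
        # Dual control: the person destroying the media cannot also vouch for it.
        if fields["operator"] == fields["witness"]:
            raise ValueError("operator and witness must be different people")
        rec = DestructionRecord(prev_hash=self.head, **fields)
        self.records.append(rec)
        self.head = rec.digest()
        return rec

    def verify(self) -> Optional[int]:
        """Return the index of the first record that breaks the chain, or None."""
        expected = GENESIS
        for i, rec in enumerate(self.records):
            if rec.prev_hash != expected:
                return i
            expected = rec.digest()
        # An edit to the newest record is only caught by the countersigned head.
        if expected != self.head:
            return len(self.records) - 1
        return None


def tamper(ledger: DestructionLedger, index: int, **changes: str) -> None:
    """Simulate an after-the-fact edit of one record, to exercise verify()."""
    ledger.records[index] = replace(ledger.records[index], **changes)


def build_sample_ledger() -> DestructionLedger:
    """Three constructed destruction events from one hypothetical session."""
    ledger = DestructionLedger()
    ledger.append(asset_id="HDD-0001", media_type="HDD", method="degauss+crush",
                  operator="dc-tech-1", witness="client-auditor",
                  timestamp="2019-05-02T15:00:00Z")
    ledger.append(asset_id="SSD-0042", media_type="SSD", method="disintegrate 2mm",
                  operator="dc-tech-1", witness="client-auditor",
                  timestamp="2019-05-02T15:04:00Z")
    ledger.append(asset_id="BOX-17", media_type="paper", method="shred 1mm x 5mm",
                  operator="dc-tech-2", witness="client-auditor",
                  timestamp="2019-05-02T15:10:00Z")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact chain, first bad index:", ledger.verify())
    tamper(ledger, 1, method="software wipe only")
    print("after editing record 1, first bad index:", ledger.verify())
```

The head digest is what the operator and the client witness should each sign and retain separately; without that out-of-band copy, an edit to the most recent record would go unnoticed, which is why `verify()` checks the stored head as well as every link in the chain.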