Home About Douglas Knisely Myths about shredding services and their pricing News for Thought Networking of Security Shredding Professionals Secure Document Destruction Manual for Security Managers Shredding Laws Recycling Free Containers Background Checks Shredding Territory Misleading Claims

 

N.S.S.P.  Setting Security Standards


Network of Security Shredding Professionals


Secure Document Destruction: A manual for Security Managers
The paperless society has not eased our dependency on portable information; reports, files, charts, applications, statements, etc. It is the prevalence and portability of sensitive paper documents that is most dangerous for security managers. The corporate duty toward information security must also be considered in the secure destruction of physical paper documents. Secure document destruction is asset protection.
While there are a few non-security trade sources that claim to be authoritative in information destruction, the role of security professionals in the document destruction field is lacking. Many of these destruction experts have joined the national forums and committees on identity theft. Unfortunately, the document destruction industry practices are being preached to the security field. We believe instead that the security industry standards must be set for the document destruction trade. A compromise that does not favor security standards will likely validate document destruction industry profits at the long-term expense of liability for organizational security.
We want to promote security in document destruction while also educating security managers about the field. The Network of Security Shredding Professionals is an informal network of likeminded security professionals who are also document destruction specialists. The world knows us as shredding companies. Look in the yellow pages and there may be several headings: Paper-Shredded, Paper Shredders, Document Shredders, Information Destruction, Document Destruction, Shredding. The category most people don’t check is Security. Whether your decision is to implement an in-house shredding program or employ a mobile shredding service vendor, we hope this information will give you an insight to secure document destruction. This information is not copyrighted and may be reproduced and distributed. Thanks.
Assignment of document destruction supervision within a facility
The modern image of organizational security unfortunately remains that of the “park here and smoke there” style rent-a-cop with substandard competency for real police work. Professional security is successfully combating the misunderstood stereotypes of incompetence and irresponsibility. Security standards that do not advance professionalism are nothing more than an illusion.
Sturdy, reinforced, lockable security bins and consoles
Asset Protection and Loss Prevention are titles that have replaced the traditional “Security” handle in most organizations. This is wonderful considering the new titles accurately describe the department’s function. Unfortunately, organizational politics, turf battles, confusion, even union labor contracts are reinforcing the separation of security from the protection of information. The primary organizational departments that are involved in document destruction appear to be the facility management, human resources, and accounting departments. While all these departments can logically be linked to their relationship to document destruction these departments are not logically directly responsible for information security.
FACILITY Dept.
- trash collectors also gather confidential documents
- tend to treat all waste paper as garbage
- reliance on bonding in place of sound pre-employment screening
- most personnel are not in a position of trust
- performance appraisals are often based on saving the company money
- sense of ownership for confidential waste motivates establishing an in house paper shredding and disposal process
- may mix confidential documents with trash accidentally or to cut costs
- fail to distinguish confidential documents from recycled waste paper
HR Dept.
- experienced managers put inexperience assistants in charge of shredding project
- over trusting nature allows assistants to be manipulated and easily sold on a service with little info
- records retention can be overwhelming and records purges very complex
- overlook security issues such as type of destruction equipment used or the bona fide credentials of the shredding company personnel
- tend to use off-site shredding vendor but do not follow-up on confirming destruction
ACCOUNTING
- high volume of confidential documents (checks, stationary, reports, tax forms)
- accountants are rules/procedure oriented and concerned about audit trails
- need for proof in destruction motivates use of an on-site mobile shredding vendor
- want fast and inexpensive procedures for destruction
- security may be compromised for cost of service
- wrongly assume that liability can be transferred to the shredding vendor
- may get fixated on the process and the audit trail, overlooking the credentials of the shredding personnel or the disposition of the shredded waste
- over reliance on ambiguous cost of service estimates and contracts
- tend to fall for recycling revenue gimmicks and discounts
Off site facilities must be secure too
Why document destruction should be a security responsibility?
Trust. Confidentiality. Control. Inspection. Verification. Assurance
- Security personnel are in a position of trust within the organization
- The issues of confidentiality and information security should be fundamental to security personnel
- Access control, surveillance, investigation, and patrol duties provide a broad opportunity to control sensitive materials throughout the organization
- Security personnel have the authority to inspect and to oversee the document destruction process within a facility, by a mobile shredding vendor, or at an off-site facility
- The security department should be responsible for investigation of the qualifications of the document destruction vendor to verify that their personnel are trustworthy in duties and that all contractual conditions are upheld
- The document destruction practices of the organization should be reviewed thoroughly at least annually or whenever a question or issue arises to assure that the organization is meeting its obligation to protect information and that the document destruction procedure meets the best interest of the organization
Legal responsibilities and privacy
Security and information protection is a non-delegable duty. An organization has a duty to protect confidential identification information of employees and customers. A breach of security, no matter how slight, could result in the release of information that may result in huge financial penalties. There are few remedies for the organization that fails to exercise due diligence or is negligent in security practices.
When it comes to shredding--- SIZE MATTERS! Many shredders miss paper, leaving large pieces or even full documents unshredded. Once the material is dumped for recycling, each piece constitutes an unauthorized release. Be sure you look in the back of the truck.
5/16” strip shred pierce&tear grinder
strip shred and hammermill
Common mistakes by organizations when working with a shredding vendor
- “Are you bonded?”
- reliance on non-security trade association ratings as credential for security
- reliance on associate membership affiliations with security associations as a pretext for being a security service
- “Are you certified?”
- Allowing the shredding vendor to interpret your regulatory compliance standards
Security begins with access control. Look for the unsecured courier vehicle.
Recommendations for the security manager regarding a shredding vendor
- Obtain proof of liability, workers’ compensation, and vehicle insurance
- require a signed confidentiality waiver
- verify the background of the vendor; Fictitious name, incorporation, credentials of owner, previous claims or lawsuits, UCC filings, references, EIN
- inspect the final result of the shredding process
- inspect the transfer facility where the shredded waste is processed
- verify the final disposition of the recycled shredded waste
- conduct unannounced inspections of mobile or off-site shredding operations
Additional questions
- Who conducts the background checks on employees? Is the owner hiring friends and relatives? Are employees hired without doing a criminal history check and a drug test? Most background checks are limited to computer records only which are both inadequate and non-specific searches.
- What are the qualifications and background of the employees? Criminal history or patterns of irresponsibility and instability should be disqualifying factors. One “credentialing” association claims that employees should not have a felony conviction relating to a theft of fraud charge. Yet this allows the “credentialed” shredding service to employ someone with a misdemeanor theft conviction or someone with a felony assault conviction. If the shredding vendor does not have standards for employment that meet your standards for your security officers, then they must be dismissed from being entrusted with your confidential documents.
- When did the vendor start in the shredding business and how did they become interested in this field? The document shredding field is highly specialized. Hopefully, the vendor should have a genuine and interesting story about how they became drawn to destroy documents. Listen for key security concepts in the vendor’s answer. Don’t be surprised however if the answer you get involves a story about supplementing income through selling recycled waste paper.
- Where is the home office/facility and what physical security is in place? Many mobile shredding services do not operate a secure facility but deposit their shredded waste at a recycling center or municipal waste transfer station. Larger and more security conscious vendors will have their own facility for baling the waste paper. Alarm systems and video cameras are common equipment. You should ask the vendor for permission to tour the facility and you should verify the alarm is through a central monitoring center and that the cameras are connected to a recorder and that the lenses are cleaned of paper dust regularly and properly focused.
- How are visitors screened at the vendor’s facility? This is a problem for the mobile services that dump shredded waste paper at a public recycling center. For proprietary vendors, a guest log sign in procedure should not be the only screening and access control procedure.
- Why does the vendor believe they are the right service for your facility? Ask the vendor this question after they have had a fair chance to evaluate your needs. You should never commit to a shredding service contract without the vendor inspecting your facility , etc
If your facility does not understand and respect the maze of federal and state privacy legislation then you are in danger. The first aggressive prosecution of a fraudulent violation of the HIPPA Act resulted from a dishonest employee, not from a procedural vulnerability. Consider that so many shredding companies were started by garbage and recycling companies or by entrepreneurs looking to cash in on a waste paper resource, Security Managers must put as much attention into the entire chain of WHO is handling the paper and the shredded waste. Security Managers must not be duped by meaningless certifications and ratings, or by believing the largest company is always the best choice. Many of the largest companies are the same ones facing publicity for reckless release of information. This guide should help the Security Manager establish professional standards for selecting the right shredding service.

 

KNISELY MOBILE SHREDDING - Bellefonte/Woolrich, PA

Phone (800) 810-0474  Fax (570)769-7429

email:  dkknisely@aol.com   Copyright 2006 All rights reserved