Educause Security Discussion mailing list archives

Re: Media Shredders


From: "Perry, Jeff" <perry () KU EDU>
Date: Thu, 11 Sep 2008 09:43:27 -0500

We have actually used both Shred-it and Iron Mountain over the years.
We are looking at providing a local drop-off service in addition to "for
a fee" vendor pickup options.  We have found that if we bill or charge
units for this service directly they are more likely to just shove the
media in a cabinet or closet for another 5 years (or worse, put it in
the trash).   We have also found that various contract vendors take
some media types and not others, which really complicates the decisions
our typical campus office staff have to make (What is this "thingy" and
which vendor takes it?).  Our goal is to lower the bar for our users on
campus to allow them to drop off "Media" at a few central locations
where it will be securely stored.  What we can destroy, wipe, degauss,
shred onsite we will, what can't be effectively (or economically) done
onsite will be bundled and tagged for p/u by one of our certified
disposal companies.   In this case we are primarily talking about
non-paper media (flash drives, tapes, HDs, CDs, floppies, etc.) as we
already have a fairly large secure paper shredding service provided by a
NAID certified company.
 
Your points below are very good.  For highly sensitive items we either
outsource it for liability protection, or perform the work in-house
using a standard chain of custody model witnessed by a member of our IT
Security Staff and the owner/steward of the media.
 
The firms that provide paper shredding services, where they bring in
locked bins of various types, often will take CD/DVD/VHS, and floppies.
That way users don't need a separate process for paper and those types
of media

Unfortunately we changed contract vendors and our new vendor no longer
allows mixed waste streams.  They will of course take it for a fee as a
special pickup but the costs are high and for a campus our size it's a
complicated process that relies on all staff to make the right call,
store it the right way, and be able to afford the service (as a direct
invoice cost).  Again our goal is to take up 95% of digital/analog media
and make it "as easy as returning a movie" for the end user.
 
Other suggestions, thoughts, or advice is always welcome.
 
Thanks,
Jeff 
________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison Dolan
Sent: Thursday, September 11, 2008 8:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Media Shredders


You may want to consider a 3rd party destruction service for
CD/DVD/Floppies - it may even be easier/less expensive, especially if
you have large volume

In my work re: protecting personally identifiable information (e.g. SSN,
and other data breach type info), I've learned that media destruction
isn't quite as straightforward as I thought.  There is, for example, a
National Association for Information Destruction, complete with a
certification process.

Certainly a lot depends on how thoroughly you are required to destroy
information.  In one of their papers, they identify the following
concerns with in-house destruction:
-- typically do not qualify as certified destruction programs, including
absence of witnessed destruction
-- typically use lowly compensated folks, who haven't had background
checks, and who may find value in taking items instead of destroying
them
-- waste product less likely to be recycled
-- cost, noise, potential mess
-- less likely to be scheduled, which could run afoul of e-discovery


The firms that provide paper shredding services, where they bring in
locked bins of various types, often will take CD/DVD/VHS, and floppies.
That way users don't need a separate process for paper and those types
of media

Cintas is one of the few nationally NAID certified organizations - see
http://www.cintas.com/DocumentManagement/DocumentShredding.aspx  (you
can click on the 3 little picture icons to see the 2 types of bins).
They provide the bins free of charge; the charge comes when they take it
away - which could be weekly, monthly, quarterly - whatever works.
Their website explicitly says they take CDs in with the paper.

Rent-a-Crate has also moved into this area, with special higher ed
pricing (I don't know if you have to be part of the consortium) - $15 to
take away a bin.  http://www.rentacrate.com/shredx.php  Their website
doesn't explicitly say they take mixed media - that may depend on the
destruction equipment in your area.  They also have an 'e-scrape'
service for drives and other HW.



Allison F. Dolan
Program Director, Protecting Personally Identifiable Information
NE49-3021 (mail stop)  NE49-3037p (office)
(617) 252-1461
http://mit.edu/infoprotect




On Sep 10, 2008, at 6:01 PM, Perry, Jeff wrote:


        Greetings,

        We are looking at buying a moderate size commercial shredder to
        shred floppies and CD/DVDs to handle media that we either can't
        or are too tedious for our commercial degaussers.  I am looking
        for something with a reasonable duty cycle and warranty that is
        designed to handle quite a bit of media.  I can find lots of
        specific info on degaussers but I'm not having much luck finding
        shredders that specifically are rated for floppy and
        polycarbonate media and can handle a few hundred pieces a day.
        Most product documentation says "will handle paper, credit
        cards, CDs, and staples".  But I'm sure there is a big
        difference between those that will take the occasional CD and
        those that will take floppies and CDs all day.

        Any recommendations would be appreciated.

        For those interested in degaussers:  We have an HD-3 from
        Gartner products that is really nice.  We are now looking at
        buying a larger HD-8800 to expand our "you bring it we'll nuke
        it" data destruction service.  We've seen a surprising amount of
        mag media that won't fit in a standard hard drive degausser.
        Who knew so many old large format video tapes and full size
        reels were still lurking in closets!

        Thanks,
        JP

        --------------------------------------------
        Jeff Perry, CISSP
        Manager, Security Services and Operations
        Information Security Office - A Division of Information Services
        The University of Kansas
        Office +1 785-864-9003
        Direct +1 785-864-0489
        Fax    +1 785-864-0485
        Email perry () ku edu
        --------------------------------------------
        http://www.security.ku.edu



