Educause Security Discussion mailing list archives
Re: Media Shredders
From: "Perry, Jeff" <perry () KU EDU>
Date: Thu, 11 Sep 2008 09:43:27 -0500
We have actually used both Shred-it and Iron Mountain over the years. We are looking at providing a local drop-off service in addition to "for a fee" vendor pickup options. We have found that if we bill or charge units for this service directly they are more likely to just shove the media in a cabinet or closet for another 5 years (or worse, put it in the trash). We have also found that various contract vendors takes some media types and not others, which really complicates the decisions our typical campus office staff have to make (What is this "thingy" and which vendor takes it?). Our goal is to lower the bar for our users on campus to allow them to drop off "Media" at a few central locations where it will be securely stored. What we can destroy, wipe, degauss, shred onsite we will, what can't be effectively (or economically) done onsite will be bundled and tagged for p/u by one of our certified disposal companies. In this case we are primarily talking about non-paper media (flash drives, tapes, HDs, CD's, floppies etc) as we already have a fairly large secure paper shredding service provided by a NAID certified company. Your points below are very good. For highly sensitive items we either outsource it for liability protection, or perform the work in-house using a standard chain of custody model witnessed by a member of our IT Security Staff and the owner/steward of the media.
The firms that provide paper shredding services, where they bring in
locked bins of various types, often will take CD/DVD/VHS, and floppies. That way users don't need a separate process for paper and those types of media Unfortunately we changed contract vendors and our new vendor no longer allows mixed waste streams. They will of course take it for a fee as a special pickup but the costs are high and for a campus our size it's a complicated process that relies on all staff to make the right call, store it the right way, and be able to afford the service (as a direct invoice cost). Again our goal is to take up %95 of digital/analog media and make it "as easy as returning a movie" for the end user. Other suggestions, thoughts, or advice is always welcome. Thanks, Jeff ________________________________ From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison Dolan Sent: Thursday, September 11, 2008 8:20 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Media Shredders You may want to consider a 3rd party destruction service for CD/DVD/Floppies - it may even be easier/less expensive, especially if you have large volume In my work re: protecting personally identifiable information (e.g. SSN, and other data breach type info), I've learned that media destruction isn't quite as straightforward as I thought. There is, for example, a National Association for Information Destruction, complete with a certification process. Certainly a lot depends on how thoroughly you are required to destroy information. In one of their papers, they identify the following concerns with in house destruction -- typically do not qualify as certified destruction programs, including absence of witnessed destruction -- typically use lowly compensated folks, who haven't had background checks, and who may find value in taking items instead of destroying them -- waste product less likely to be recycled -- cost, noise, potential mess -- less likely to be scheduled, which could run afoul of e-discovery The firms that provide paper shredding services, where they bring in locked bins of various types, often will take CD/DVD/VHS, and floppies. That way users don't need a separate process for paper and those types of media Cintas is one of the few nationally NAID certified organizations - see http://www.cintas.com/DocumentManagement/DocumentShredding.aspx (you can click on the 3 little picture icons to see the 2 types of bins) They provide the bins free of charge; the charge comes when they take it away - which could be weekly, monthly, quarterly - whatever works.) Their website explicitly says they take CDs in with the paper. Rent-a-Crate has also moved into this area, with special higher ed pricing (I don't know if you have to be part of the consortium) - $15 to take away a bin. http://www.rentacrate.com/shredx.php Their website doesn't explicitly say they take mixed media - that may depend on the destruction equipment in your area. They also have an 'e-scrape' service for drives and other HW. Allison F. Dolan Program Director, Protecting Personally Identifiable Information NE49-3021 (mail stop) NE49-3037p (office) (617) 252-1461 http://mit.edu/infoprotect On Sep 10, 2008, at 6:01 PM, Perry, Jeff wrote: Greetings, We are looking at buying a moderate size commercial shredder to shred floppies and CD/DVD's to handle media that we either can't or are too tedious for our commercial degaussers. I am looking for something with a reasonable duty cycle and warranty that is designed to handle quite a bit of media. I can find lots of specific info on degaussers but I'm not having much luck finding shredders that specifically are rated for floppy and polycarbonate media and can handle a few hundred pieces a day. Most product documentations says "will handle paper, credit cards, CD's, and staples". But I'm sure there is a big difference between those that will take the occasional CD and those that will take floppies and CD's all day. Any recommendations would be appreciated. For those interested in degaussers: We have an HD-3 from Gartner products that is really nice. We are now looking at buying a larger HD-8800 to expand our "you bring it we'll nuke it" data destruction service. We've seen a surprising amount of mag media that won't fit in a standard hard drive degaussers. Who knew so many old large format video tapes and full size reels were still lurking in closets! Thanks, JP -------------------------------------------- Jeff Perry, CISSP Manager, Security Services and Operations Information Security Office - A Division of Information Services The University of Kansas Office +1 785-864-9003 Direct +1 785-864-0489 Fax +1 785-864-0485 Email perry () ku edu -------------------------------------------- http://www.security.ku.edu The information transmitted by the above email is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at (785) 864-9003, and delete the communication from any computer or network system.
Current thread:
- Media Shredders Perry, Jeff (Sep 10)
- <Possible follow-ups>
- Re: Media Shredders Joel Rosenblatt (Sep 10)
- Re: Media Shredders Allison Dolan (Sep 11)
- Re: Media Shredders Perry, Jeff (Sep 11)
- Re: Media Shredders Joey Mavity (Sep 11)