Security precautions for the disposal of confidential data
DATA RISK MANAGEMENT
SECURITY PRECAUTIONS FOR THE DISPOSAL OF CONFIDENTIAL DATA
Industrial and commercial espionage, to which companies may be exposed, is in itself a major problem, and yet many people overlook the disposal of their confidential data. The protection of information, and the taking of the necessary steps to achieve a level of security, can sometimes fall low in priority, much to the embarrassment of some of our major companies. Physical protection and access controls can be readily monitored, but it is extremely difficult to maintain constant vigilance. Most staff do not realise that data thrown in the waste paper basket can reveal their strategy, which can be of extreme value to their competitors. Company documents, legal and business papers, microfilms and tapes are forms of data which are often ignored and disposed of in a rubbish sack for their competitors to read at their leisure. Technology has also produced magnetic tapes, microfiche and disks which are incapable of being destroyed by standard procedures.

Companies process and store a great deal of sensitive information, and identifying such information can be a problem for a number of reasons. Most people will accept that documents marked "Secret" and "Confidential" are sensitive and these will be handled accordingly, but have the proofs and the drafts of these documents been dealt with in the same way? One alternative, of course, is to store such information, but with the high costs of storage space is this really a viable option? The Data Protection Act and the Financial Services Act lay down standards on employers and safeguards that they must take to protect the data produced by them, and there are options to consider.

Many companies believe that they can recoup some financial reward by selling their confidential data to a waste paper merchant. Many of the waste paper merchants have the highest business ethics, but it must always be borne in mind that when one sells the paper to a merchant one also sells him the information that is written or printed thereon.
For instance, if a company sold a list of its customers as waste paper, the merchant has a perfectly legal right to sell such information to a rival company. One cannot rely on the provisions of the Copyright Act and, even if one could, what would one achieve by suing for damages once the information is in the hands of competitors, the media or whoever? One can argue, of course, that a legally drawn up agreement between a company and a waste paper merchant should suffice, but in practice such agreements have little use. To ensure compliance with the agreement could mean following the collected data and then watching it being destroyed. Should the data fall into the 'wrong hands' it would be hard to refute that the fault was within one's own organisation. One may be able to prove that the merchant had passed on the information and that damage has been caused to your company, but although the court may award some damages, how does one keep one's customers' confidence?

Most companies would not know, of course, that their security had been breached. The probable action by a commercial rival would be to keep quiet whilst taking over your commercial customers. The company, at the initial stages, would blame its own marketing strategy, and by the time it realised that there was a leak 'in house' it would probably be too late. Should management believe that there was a breach of security within the company and carry out an investigation, the morale of the employees could spiral downwards, leading to lack of motivation and falling output.

Waste paper merchants are not conscious of security and in the main are open to receive waste paper from the general public. There is no division between data collected from a commercial company and that of any passer-by. These facts could have serious implications, as many companies sell their computer print-outs to waste paper merchants for their company's benefit. Can this practice be continued safely, or should such companies be looking at a specialised company for the disposal and destruction of their confidential data?

The only real solution is to ensure that all waste paper and other media are destroyed under secure conditions. This means that the data must:-
a. Be shredded or incinerated in house.
b. Be sent to a vetted security shredding company.

The cost of in-house shredding or incineration can be expensive, although such costs are often hidden. It will involve the capital outlay to purchase the shredders, and the cost of staff in carrying out this operation, which tends to be dirty and noisy. Once installed, this operation is slow and labour intensive, and one has to realise that by shredding one increases the volume of paper by up to twenty times. One can, of course, use a small office shredder, but this is only capable of dealing with small quantities of paper. The disposal of magnetic media would have to be dealt with separately by specialists.

Forwarding data for shredding to a shredding company does of course cost money, but one must compare this with:-
a. The cost of in-house shredding.
b. The income that could be received from the sale of paper to a waste paper merchant.
c. The problem that can arise should your data fall into your competitors' hands.

Security shredding companies either:-
a. Leave security sacks to be filled, then collected.
b. Supply purpose-designed lockable bins which are fitted internally with a non-returnable flap. Once 'posted', this does not allow data to be retrieved by cleaners, security guards and other service personnel.

The business ethics of firms involved in this industry vary enormously, and I strongly recommend that potential customers of such companies should personally visit them at their site. Insist upon the following criteria:-
a. The shredding company should be specialists in the disposal and destruction of data, not waste paper merchants.
b. The shredding should be carried out in a secure area.
c. The premises should not be open to the general public.
d. The premises should be controlled by security personnel and closed circuit television.
e. The data should be randomly shredded so that recognition is impossible.
f. The company should belong to a professionally recognised organisation.
g. A Certificate of Destruction should be issued.
h. The company should be backed by an insurance indemnity.
i. The shredding company should be able to assist with the security of your data.
The object of the exercise is to have a destruction process which contains elements to confound the possibilities of data identification and reconstruction from the shredding. The data should be disposed of on the day received, and no work should be sub-contracted out. Random cut shredding, which reduces the material to indecipherable, confetti-like shapes, is much more secure than conventional strip type shredding. It is only then that material can be recycled in a secure manner - an important consideration in today's ecologically minded environment.

The above information is only a guide; it is up to each individual company to ensure that correct standards of security are implemented when entrusting their own confidential documents to be destroyed.
Michael Bowles Managing Director Data Disposal Ltd.
For further information contact Michael Bowles Tel. 081 556 5608.
INFORMATION SECURITY
Managing Information Security - A Non-technical Management Guide, by Ken Wong and Steve Watt, 1990 (Elsevier Advance Technology & Computer Weekly Publications, 327pp), UK £85.00/US $153.00, ISBN: 0-946395-63-2.

Ken Wong, a noted international expert on computer crime, and Steve Watt of Alkemi have teamed up to produce a very concise and succinct managers' guide to computer security. Managing Information Security is written in a very non-technical manner, making it easy for the non-technical manager to understand. The book looks at the key issues in information technology (IT) security, including the legal aspects, PCs, risk assessment, communications security, creating and testing disaster recovery plans, and people. The chapter entitled "People - Asset or Liability" is an excellent look at what could be your greatest security asset or your greatest security risk: your people. The authors use an interesting example to show how easy it is to get past security guards. They tell of an instance where Mr. Wong was simply handed a pass and told to go up to the destination floor. Mr. Wong noted that he could have gone anywhere he wanted with the pass. Throughout the book the authors illustrate their points with actual cases that have occurred all over the world.

With the great number of cases in the book, it is easy to go back to management with actual documented proof that this or that could happen. Management sometimes thinks, "Oh, this will never happen here." With Managing Information Security you can show management actual cases. Managing Information Security does not just talk of problems; it offers solutions: not just one or two solutions, but a number of them, so you can select the one that is best for your organization. The book is one of the most complete overviews of the current issues and trends in computer security, including discussion of EDI, OSI and Unix security, that I have come across. This book should be on the shelf of every information technology executive.

Available in the UK from: Elsevier Advance Technology, Mayfield House, 256 Banbury Road, Oxford OX2 7DH, Telephone: 0865-512242, Fax: 0865-310981, Telex: 837966; or Computer Weekly Publications, Quadrant House, The Quadrant, Sutton, Surrey SM2 5AS, Telephone: 081-661-3099.
Bernard P. Zajac, Jr.
Copyright (c) 1991, Bernard P. Zajac, Jr.
NEW REPORT CORRESPONDENT
CLSR is pleased to welcome Hans Nilsson to the panel of the Report: "Mr Nilsson is a lawyer in the Directorate of Legal Affairs at the Council of Europe, Strasbourg, France. He holds a law degree from Uppsala University in Sweden. He worked as a law clerk at a District Court and a judge at the Court of Appeal in Jönköping, Sweden before entering private practice with the Erik Berglund law firm in Stockholm, where he handled computer law, international law and arbitration law. He joined the Council of Europe in 1986 and was Secretary to the Select Committee of Experts which prepared the Council of Europe Report, published in 1990. He has been appointed as an expert by the Swedish Government to the Criminal Law Reform Commission, which is currently studying reforms of the Criminal Code and the Code of Criminal Procedure in view of new technological developments. He has organized and participated in several international meetings on computer crime and information security."