As with any other element of a company’s security programme, effective document security requires a combination of physical security measures, policies and procedures, and personnel. No security programme is complete or effective without some combination of these three security elements.
In today’s environment of information theft, just making sure documents are thrown in the trash is no longer an acceptable security risk. Document collection and destruction must be the cornerstone of effective document security. While some companies may destroy their own documents, for the purposes of this discussion it is assumed a company hires a document destruction contractor to perform that function.
The first phase of a document destruction security plan is to control the exit of documents. In other words, make sure the documents that require destruction actually leave the building to be destroyed rather than in regular waste or even worse in someone’s briefcase.
This is not as easily accomplished as one might think be and may never be foolproof. The first step is to develop written policies and procedures as to what constitutes a document that needs to be destroyed and in what manner the documents are collected to facilitate the destruction. These policies and procedures will certainly vary from company to company.
The second step is to have personnel adhere to and enforce the written policies and procedures. One element of this is training every company employee on how to determine what documents need to be destroyed and how to handle and collect those documents. As with any training, it needs to be ongoing.
Another element is overseeing and enforcing the policies and procedures to make sure they are being followed. In some ways that may seem like a kindergarten-style policy, but the consequences of the information falling into the wrong hands may be so severe that this oversight is the best practice.
The third step is to have physical security measures in place to help facilitate the security of the documents. These measures can include access control systems for the exterior or interior parts of the building to restrict access to documents, CCTV systems for visual identification and verification and burglar alarm systems for after hours.
For even more secure documents, RFID technology can be employed where documents are tagged and alerts are provided if the documents begin to leave the building. Strict enforcement may also include physically checking those that leave for any documents. Any physical security measures in place cannot be used in a vacuum, they require interaction with both policies and procedures and personnel.
The second phase of a document destruction security plan is evaluating and monitoring the security plan of the contractor used to destroy the documents. It would not make any sense to spend the time and money to help ensure that the documents wi (continue reading…)