LISTSERV - RECMGMT-L Archives - LISTSERV.IGGURU.US

RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

	LISTSERV Archives
	RECMGMT-L Home

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Forum View Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Shredding
From:	David Gaynon <[log in to unmask]>
Reply To:	Records Management Program <[log in to unmask]>
Date:	Wed, 4 Mar 2009 09:41:07 -0800
Content-Type:	text/plain
Parts/Attachments:	text/plain (23 lines)

I would suggest that in looking at your shredding process you do not limit your focus to the disposal of your shredded material and to the type of shredding being performed. It may be useful to look at the administrative controls you have throughout -- from pickup to final disposition. And as others pointed out this should be done from the perspective of a risk based analysis; asking what is the consequence of data breaches and how much effort and resources do you wish to expend to prevent them.

Some questions to consider

1. What is the consequence of a data breach. Could this information be used for identify theft? Might it create other serious issues?
2. If you are using an external vendor -- are your records ever left in the truck unattended while they are doing pickups from other customers? Is the truck kept locked? Is the truck alarmed? When you walk into your parking lot do you ever see an open truck with no driver present?
3. What controls do you have to ensure that all of your boxes are destroyed? Many vendors track from pickup and/or warehouse but do not track from destruction facility.
4. When vendor notifies you that your boxes are destroyed (certificate of destruction) what does that mean? Are they certifying that the boxes have been destroyed or that they have been delivered to a destruction facility where such records are typically destroyed in X days.
5. Does you vendor have security controls on all doors and exits? Do warehouse employees keep doors open on hot summer days?
6. Is video surveillance available for all doors and entrances
7. What happens if the destruction facility is broken into? Will the police be automatically notified? Will you be notified?

Is all of this necessary? Maybe not, it depends on how much risk you are trying to mitigate and your organizational risk profile (that is how much risk your organization wishes to assume).

David Gaynon
[log in to unmask]

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]

ATOM RSS1 RSS2

LISTSERV.IGGURU.US