S 2.436 Destruction of data media by external service providers
Initiation responsibility: IT Security Officer, Top Management, Data Protection Officer
Implementation responsibility: Head of Organisation
If external service providers are contracted for the destruction of data media, then detailed procedures must be specified (see, for example, safeguard S 2.253 Contractual arrangements with the outsourcing service provider). Even when these tasks are outsourced, some internal rules and regulations will still be necessary, for example specifying how the data media are to be collected and stored until they are picked up by the service provider. The DIN SPEC 66399:2012 Part 3 standard, "Process for destruction of data carriers", defines criteria for integrating service providers into the destruction process. In many cases, the service provider contracted for the destruction is also contracted for the transportation: either of data media that have already been destroyed, or of data media that have not yet been destroyed and are to be destroyed and recycled afterwards. In each case, the applicable statutory provisions must be observed.
Security of the customer
The data media to be destroyed must be protected against unauthorised access until they are picked up. One option is to place collection containers for the data media at various locations in the organisation; these containers must then be secured so that data media cannot be removed from them again. Such collection containers are particularly interesting for attackers because they contain concentrated collections of sensitive information. Under no circumstances should such containers be placed in locations accessible to the general public. However, the locations selected for the collection containers should be close to the workplace so that employees do not store the data media to be destroyed insecurely, for example in their desk drawers, before handing them over for collection (see also S 2.13 Correct disposal of resources requiring protection). If the employees are involved in selecting suitable locations for the collection containers, the containers are generally better accepted by the employees.
In addition, the transportation and destruction must be adequately secure. Contractual agreements must be made with the service provider to ensure this (see the sample contract for the disposal of data media in the "Resources for IT-Grundschutz" available on the BSI web site). Regular checks must be conducted to ensure that these rules are actually being followed.
Security during transport
It must be ensured that the data media to be destroyed are only handed over to the persons contracted for transportation. For this purpose, the organisation should name the people who have been instructed in the disposal process and who can monitor the process to ensure that it is carried out correctly. The persons transporting the data media must be able to identify themselves so that the collected confidential data are not handed to unauthorised persons. The handover of the data media must be confirmed in writing by the transport personnel both when they receive the data media and when they deliver them to the service provider. It must be guaranteed along the entire transportation route that only authorised persons transport the material. Neither the employees of the transportation company nor any other persons should be able to access the material anywhere along the route; locked or sealed containers, for example, can be used for this purpose.
Security of the service provider
The disposal service provider must have a functioning security process so that the data media to be destroyed are reliably made unreadable and no unauthorised persons can obtain information from them. The service provider must have a current and traceable data protection and security concept. General requirements for service providers and their employees are described in S 2.252 Choice of a suitable outsourcing service provider.
Upon delivery, the transported goods should be checked for completeness, i.e. the number of containers and the weight of each container should be compared against the handover records. The material to be disposed of is usually first placed in temporary storage when it arrives at the service provider. It must be ensured that this storage location has a functioning access control system so that unauthorised persons cannot gain access to the data media to be destroyed or to the devices used for destruction.
The devices and tools used for the destruction of data media may only be operated by employees who have been trained in their operation.
Review questions:
- Are the data media to be destroyed securely protected against unauthorised access until they are picked up?
- Has the organisation appointed and instructed people to monitor the disposal process?
- Does the organisation regularly check the disposal process?
- Is the collection and transportation of the data media to be destroyed adequately secure?
- Is the security process of the disposal service provider reliable, traceable and sufficient to meet the protection requirements of the data media to be destroyed?