S 3.67 Instructing all employees of the methods for deleting or destroying data

Initiation responsibility: IT Security Officer

Implementation responsibility: Supervisor, IT Security Officer

Employees must be informed of which procedures and devices may be used to erase or destroy the various types of data media used in the organisation and what they need to keep in mind when doing this. A policy should be available for this purpose, and information should also be published regularly on the intranet. Corresponding signs should be posted next to printers, copiers, and shredders as well. Awareness-raising measures should be conducted throughout the organisation and repeated regularly (see also S 2.432 Policies for the deletion and destruction of information). In particular, the employees also need to be informed when the procedures for the deletion or destruction of data media change. It is also important to inform them of typical sources of error. The following misjudgements are examples of such sources of error:

Wastepaper bin in the office

Documents are often not disposed of according to their protection requirements and end up in the normal wastepaper bin instead. When such documents are disposed of in a paper recycling bin, it is very easy for unauthorised persons to obtain access to confidential information (see also T 2.48 Inadequate disposal of data media and documents at the home work place). The cause of this problem is that the employees do not know the internal rules for disposal or that they simply ignore them.

Recycling bin of the operating system

Modern operating systems provide users with a so-called "recycling bin" where users can place files to be deleted. Such recycling bins are not only similar to a classic wastepaper bin in name, but also in terms of their graphic depiction and how they are used: files are simply moved to this recycling bin. However, just like with a classic wastepaper bin, these files are not really destroyed immediately and are only stored there temporarily at first. A file can be easily and completely restored when it is accidentally moved to the recycling bin since it is only moved from its original storage location to the recycling bin directory (see also S 4.56 Secure deletion under Windows operating systems).

When the recycling bin is emptied, the data itself is not deleted; instead, only the reference to the information in the "table of contents" of the operating system is deleted. This means that it is always possible to restore this data as long as it has not been overwritten by a subsequent write operation. To ensure that the information cannot be restored, it is necessary to overwrite the information (see S 2.167 Selecting suitable methods for deleting or destroying data).
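The difference between removing the reference and overwriting the data can be shown with a short script. This is an added example, not part of the original safeguard text; the function names are hypothetical, and it assumes a file system and storage medium that write in place (flash media and copy-on-write or journaling file systems may keep old copies elsewhere).

```python
import os
import secrets

CHUNK = 64 * 1024  # overwrite in 64 KiB chunks so large files are not held in memory


def overwrite_file(path, passes=1):
    """Overwrite the file's existing bytes in place with random data.

    Returns the number of bytes covered by each pass.
    """
    size = os.path.getsize(path)
    # "r+b" opens for update without truncating, so the writes target the
    # file's current contents instead of a newly allocated, empty file.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next step
    return size


def secure_delete(path, passes=1):
    """Overwrite the contents first, then remove the directory entry.

    A plain os.remove() alone corresponds to emptying the recycling bin:
    only the reference is dropped and the data stays on the medium.
    """
    written = overwrite_file(path, passes)
    os.remove(path)
    return written
```

Which overwrite method is adequate for a given medium and protection requirement is decided by S 2.167, not by this sketch.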

"Blacking out" pieces of text

Documents that will be disclosed to third parties may contain information in some locations that is not intended for disclosure to the general public. For this reason, this information must be deleted before handing over the documents.

The basic problem in this case is the identification of all sensitive information so that it can be carefully deleted. On the one hand, it is easy to overlook confidential information, and on the other hand, unsuitable methods are sometimes used to redact the text.

For paper documents, sensitive information is often blacked out to make it undecipherable. This is not a reliable procedure, though, because it is still possible in many cases to read the original, redacted text, even on copies of the document. Text is often "blacked out" in electronic documents as well. This method, however, is even more unreliable than in the case of paper documents, and text should never be redacted in electronic documents for this reason (see also T 3.13 Passing on false or internal information).

In general, documents altered in this manner should not be disclosed. If this is unavoidable, then the documents must be reclassified and assigned a lower security level after removing the critical information. Such documents then need to be resubmitted for approval for release.

To avoid repeating the release process, documents should be structured so that non-public content can be easily separated out, for example by placing this content in the appendix.

Visitor areas

All material containing sensitive information must be removed from all areas in an organisation that can be used by outsiders. This must be ensured in visitor areas and meeting rooms in particular, but also in printer or copier rooms accessible to the general public. Any flip chart paper used in meeting rooms should be removed and taken along after finishing a presentation, and any blackboards used should be erased and cleaned as well. Wastepaper bins in such rooms may not be used to dispose of confidential material. Employees should be informed that they are all required to follow these rules and that they should not wait for the cleaning staff or other workers to dispose of such material.

Review questions: