The 4 Steps for Compliant Data Destruction
Complying with data privacy legislation requires four basic steps. The first, and most important, step in the process is retaining possession of the media until the data has been securely removed or destroyed. Steps 2 through 4 are properly inventorying the media by serial number, destroying the media, and obtaining a Certificate of Destruction from your vendor.
Step #1: On-Site So You Can Witness and Verify
Hard drives, SSDs and/or backup tapes are moved from your data center to our shredding truck for processing. This practice allows you to witness and verify that drives have been recorded and truly destroyed.
Step #2: Inventory Media for Documentation
Hard drives pulled from servers, storage arrays and computers are staged into our scanning area. Once collected, drives are scanned and inventoried for a detailed Certificate of Destruction report.
NIST 800-88 requirements go a step beyond capturing the hard drive serial number. Compliance with NIST requires linking the hard drive to the associated computer. See details below in the Certificate of Destruction Report.
Step #3: Physically Destroy Drives
Hard drives are then destroyed at a rate of 1,000 PC drives per hour. Physically destroying hard drives for data destruction satisfies NIST 800-88 and all other data privacy laws such as HIPAA.
Step #4: Certificate of Destruction
Our Certificate of Destruction details the quantity and type of digital media destroyed, serial number, location, and the company personnel who witness the process.
A NIST 800-88 Certificate of Destruction report requires, among other details, a link between the hard drive being destroyed and the computer in which it resided. This information includes the make and model of the hard drive as well as the source computer.
Data Destruction Process Summary
In summary, a secure data destruction process should follow the four steps above. The key point here is that your data destruction vendor has allowed you to witness and verify that your hard drives have truly been destroyed. The unbroken chain of custody should give your company confidence that confidential information will not be compromised.