When you are selecting a data destruction services provider or partner, you have two critical objectives:
- prevent a data breach.
- gather verification that 100% of the data was destroyed.
To help you satisfy both goals (and rest easy), we’ve put together this handy “How to select a gold-standard data destruction provider” checklist. With this list in hand, your data destruction provider is providing you with the services you need and a supported, defensible Certificate of Data Destruction. Just in case you need it.
Checklist for selecting a gold-standard data destruction provider (and protecting your company)NAID AAA Certification. Organizations with this certification have completed and complied with the rigor of data privacy laws and methods. They are trained and verified data destruction experts
Onsite data destruction. Eliminate the risk of data (and device) loss in-transit.
Reporting. This is a complete set of verification documenting each device, data destruction method, details resulting from the audit, item serial # scan, inventory validation and reconciliation, chain of custody and any specialized compliance reports.
Certificate of Data Destruction.
Same day certification. Before your vendor leaves the site (whether it’s a one-day or multi-day data destruction project), you should have a digital Certificate of Destruction in your hands. Full reporting and verification (including links to download video) should be in your possession within a week of the job completion. Review all documents to ensure that everything you’ve agreed to is included
Chain of Custody. Many regulations govern custodial history of assets and that includes the data. You’ll want full documentation of any transfer of materials for destruction (specific location and date), the date the information was collected, the date the information ceased to exist, and custodial names at each stage.
Erasure verification. The software used for data sanitization tracks and records the end-to-end process of each and every operation. The tracking and verification data should be included with the reporting and certificate of data destruction and contain the following details:
- Report ID
- Client name
- Equipment brand and model
- Equipment serial number
- HDD Size
- Model and serial numbers for the HDDs
- Disk sanitizing method
- Number of passes performed
- Number of bad sectors
Trained, bonded, vetted technicians. The techs doing the shred, erasure, auditing are touching your equipment and have access to your data – even if it’s for a minute. Be sure that they’ve been securely screened and bonded for your protection.
Insurance Your data destruction provider should be insured properly to protect you in worst case scenarios.
Consistency. From both the legal perspective and the (deep sigh) hassle, a harmonized Certificate of Destruction with consistent verification reporting makes tracking end of life assets far easier to manage. For multi-facility, multi-country enterprises, a national provider of data destruction can work with you, your ITAD, VAR or service provider to ensure a consistent and high quality documentation approach — no matter where the data destruction services take place.
Packing, shipping and logistics. The last step in any data destruction process is the removal and transport of the asset of destroyed hardware. Be sure your vendor has the experience and knowledge to transport whatever it is — recycling or redeployment — properly, safely and securely to its next destination.
Help is right here
Don’t risk your company’s reputation or the business itself by placing your hard-earned data in the hands of an unqualified provider.
Your ITAD, VAR or even head of data security should work with you to develop the right criteria for selecting the right data destruction vendor to meet your standard. And advise you on a best practices plan to ensure that the data is destroyed so that you can rest easy.
If you need help, talk to us. Without obligation. We’re happy to give you a quick evaluation of your data destruction challenges. And, we can refer you to a VAR or ITAD if you need one.