Data Labeling, Handling, and Disposal – CompTIA Security+ SY0-401: 2.6

What happens when you need to get rid of data? In this video, you’ll find that the handling and disposal of data can be a relatively complex issue.


If you walk around an organization, you’ll see DVD-ROMs, CD-ROMs, even floppy disks that have been thrown into a box, put in a corner, they’re stored somewhere for later. But that information that’s on those different pieces of media probably has some important company details on it. It certainly could, but you’re never quite certain unless you’ve gone through the extra step of making sure that you label and catalog everything that’s on there.

This data tends to stick around for a very, very long time. And if you happen to accidentally throw something out, and somebody goes through the garbage and notices there’s a CD-ROM, and they find on that CD-ROM there’s a lot of private company information, there could be a problem there. And unfortunately these things happen a lot.

You see it in the news, every week it seems, that somebody’s found some private information that they should have not had access to. So you want to keep track of it and document everything. Make sure that you say this particular DVD-ROM or this information that’s on this particular media has this information inside of it. This is confidential information, this is top secret, this is company internal use only. And document those things.

Not just the media you’re using, but think of the backups. All of these backups that you’re putting together and probably sending off site are also documented, and certainly should be labeled. If there is a set of backups that goes missing, you’re going to want to know what was in that backup list. What happened to that cabinet of backups that we sent or that set of disks that we sent off site. You need to understand what the impact of that’s going to be.

The disposal of this information really becomes a bit of a legal issue, especially if the data that you have on this media is extremely sensitive. Sometimes you’re in an organization where you’re not able to dispose of information. If you’re a government facility, if there’s health care, if there’s legal requirements that are wrapped around that data, you may have to keep it around for a number of years.

And that means you’re going to have to take it off site, you’re going to make sure it’s labeled. If somebody shows up five years from now and says, where’s that information you’re supposed to keep? You’re going to need to go back five years into your vault and into your storage and pull that information out and say, well, I documented this five years ago, so now I can provide it to you very, very quickly, and very, very easily. This becomes a problem when people start throwing things into the garbage.

It’s very easy for people to show up wherever you throw your garbage out outside of your building and rummage through your dumpsters, rummage through your garbage and your trash to try to find information that they can use. It might be security information, it might be privacy information, it might be information about how you do things internally in your organization, and that becomes very, very competitive. So you have to be careful about how you dispose of this data. You want to be careful, especially when recycling.

This is something where we’ve all gotten on the bandwagon and said, we’re going to recycle all of our loose papers. But you have to keep in mind that this information you are sending off to a recycling organization may have sensitive data on it as well. Make sure your end users understand that if the data is sensitive, we have to first shred all the information. Then it can be sent off to be recycled.