I start security audit with paper shredders, what about you?
Where do you usually start in your security audit?
- Perimeter fence?
- Guard house?
- Guards’ post orders?
- Local ERP (Emergency Response Plan)?
There is no wrong answer.
You may follow different patterns or theories, and no security standard dictates which item you must start with.
I don’t know about you, but I always start my security audit with a tour of the premises, be it an office or a production site.
In my tour, I always stop by the pantry room or where the office printers are placed, and look through the paper scattered around the printers and thrown in the trash.
Throughout the years, my printer visits have never disappointed me: I almost always found documents there containing information of great value or sensitivity to the company, some lying innocently beside the printers, some crumpled and discarded in the dust bins.
What could be on those papers?
A lot — contact list, vendor list, vendor contract, sales agreement, business memorandum, emails between the sales and customers, lease agreement…
Believe it or not, I once found an intact sheet of paper carrying the detailed itinerary of the company’s visiting CEO, including his email address, cell phone number, the name of the hotel he would stay in, the venues of his dinners, and all the big names he was to meet…
I wish I were a commercial spy — the job would be so easy.
That’s why I always start my security audit tour with the printers.
What is missing there is a simple device that not many companies consider necessary: paper shredders.
There is a theory:
If you want to tear up a piece of paper by hand, no matter how hard you try, how strong you or your hands are, or how big the paper is, you cannot tear it after 8 folds (one tear after each fold).
Don’t try it now though. Let’s back up a little.
Tearing up a piece of paper by hand is never a good idea if you seriously want to destroy what’s written on it.
There was an American inventor named Abbot Augustus Low who knew better than that.
In 1909, Mr. Low filed a patent application for his invention of a “waste-paper receptacle”. That was the prototype paper shredder in human history.
Mr. Low’s invention was even granted the U.S. patent (number 929,960) on August 31, 1909, but was
It was not until 1935 that a German toolmaker named Adolf Ehinger invented a device, eager to destroy his anti-Nazi documents and make sure they were unreadable if seized by the authorities.
He was successful and later registered a company, EBA Maschinenfabrik, to manufacture the first cross-cut paper shredders in 1959 (EBA Krug & Priester GmbH & Co. in Balingen, Germany).
Over time, Ehinger’s shredder, initially used only by governments and banks, became popular for personal use and was widely accepted in the business world after World War II.
There are two standards for paper shredders, namely DIN 32757 and DIN 66399, DIN being the acronym of the Deutsches Institut für Normung e.V., or German Institute for Standardization.
You shouldn’t be surprised, because the Germans are good at making standards: think about the Purity Law they have for brewing beer.
DIN 32757 is the European standard for paper shredder security. It is broken up into six different security levels.
Security Level 1:
- 10.5mm strip cut
- 11.8mm strip cut
- 10.5mm x 40–80mm cross cut
Security Level 2:
- 3.9mm strip cut
- 5.8mm strip cut
- 7.5mm x 40–80mm cross cut
Security Level 3:
- 1.9mm strip cut
- 3.9mm x 30–50mm cross cut
Security Level 4:
- 1.9mm x 15mm cross cut
Security Level 5:
- 0.78mm x 11mm cross cut
*Above picture from https://www.abcoffice.com/office-equipment-news/tag/din-32757/
DIN 66399, introduced by the UN in 2012, supersedes the previous DIN 32757, reclassifying the old six security levels into seven new security levels ranging from P1 to P7.
The new standard DIN 66399 features 4 shredding patterns and 7 levels of security.
- Micro-cut: high level of security, P5/P6
- High-security cut: highest level of security, P7
The 7 defined security levels can be classified into 3 protection classes.
So far we have been calling the device a paper shredder, but strictly speaking it should not be called that, since it cuts more than paper.
The DIN 66399 standard also specifies 6 data media categories:
P — Information in original size (e.g. paper, films, printed forms)
F — Information in reduced form (e.g. microfilms, transparencies)
O — Optical data media (e.g. CDs, DVDs, Blu-ray discs)
T — Magnetic data media (e.g. floppy disks, cards with magnetic
H — Hard drives with magnetic data media (e.g. from computers and
E — Electronic data media (e.g. flash drives, digital camera memory cards, bank cards)
*Above picture from https://www.the-shredder-warehouse.com/security-level
Below is a simple illustration of the two security standards.
(*chart cannot be displayed. refer to the original article here: http://www.securitymanagers.net/i-start-security-audit-with-paper-shredders/)
*Note: A4 size = 210mm x 297mm.
8.5″ x 11″ = 210mm x 279.4mm.
A4 is slightly different from 8.5×11 letter paper (North America).
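As an added illustration (this script is not part of the original article), the following Python uses the DIN 32757 cut sizes listed above and the article’s A4 figure to count how many pieces one sheet becomes under each cut, which is the number a reconstruction effort of the Argo kind has to put back together. It assumes the sheet is fed short edge first and, where the standard gives a length range, uses the longest value (the fewest, largest pieces).

```python
import math

# A4 sheet dimensions as given in the article (mm). Assumption: the sheet is fed
# short edge first, so strips run along the 297 mm height and are cut across 210 mm.
A4_WIDTH_MM = 210.0
A4_HEIGHT_MM = 297.0

# DIN 32757 cut geometries as listed in the article: (level, strip width, particle length).
# A strip cut has particle length None (the strip runs the full sheet height).
# Where the article gives a range (40-80 mm) the longest length is used, i.e. the
# most reconstruction-friendly case for that level.
DIN_32757_CUTS = [
    ("Level 1", 10.5, None),
    ("Level 1", 11.8, None),
    ("Level 1", 10.5, 80.0),
    ("Level 2", 3.9, None),
    ("Level 2", 5.8, None),
    ("Level 2", 7.5, 80.0),
    ("Level 3", 1.9, None),
    ("Level 3", 3.9, 50.0),
    ("Level 4", 1.9, 15.0),
    ("Level 5", 0.78, 11.0),
]


def pieces_per_sheet(strip_mm, length_mm=None, width=A4_WIDTH_MM, height=A4_HEIGHT_MM):
    """Number of pieces one sheet is cut into (a partial strip or piece counts as one)."""
    strips = math.ceil(width / strip_mm)
    if length_mm is None:
        return strips
    return strips * math.ceil(height / length_mm)


def particle_area_mm2(strip_mm, length_mm=None, height=A4_HEIGHT_MM):
    """Area of a single piece; a strip-cut piece is strip_mm wide and full sheet height."""
    return strip_mm * (height if length_mm is None else length_mm)


def reconstruction_table(cuts=DIN_32757_CUTS):
    """Rows of (level, strip, length, pieces per sheet, piece area), fewest pieces first."""
    rows = [(lvl, s, l, pieces_per_sheet(s, l), particle_area_mm2(s, l)) for lvl, s, l in cuts]
    return sorted(rows, key=lambda r: r[3])


if __name__ == "__main__":
    for lvl, s, l, n, a in reconstruction_table():
        cut = f"{s} mm strip" if l is None else f"{s} x {l} mm cross cut"
        print(f"{lvl}: {cut:26} -> {n:5d} pieces/sheet, {a:8.2f} mm^2 each")
```

The jump from a few dozen full-height strips at Level 1 to thousands of fingernail-sized pieces at Level 5 is the practical difference between a weekend of manual reassembly and a job that is no longer worth attempting.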
What security level do you need?
If you have seen the Oscar-winning movie “Argo”, you may remember what the Iranians were able to do to the classified documents shredded hurriedly in the American embassy — they hired people to reconstruct the strips…
*Above pictures from http://lewisperdue.com/archives/4052
Strip cut is not good enough if the information is highly sensitive.
How sensitive counts as “high”?
It depends on you and your internal definitions of sensitivity.
- level 1 for general data that needs to be made illegible
- level 2 for internal data that needs to be made illegible
- level 3 for confidential data
- level 4 for highly confidential data
- level 5 for secret data
- level 6 for highly secret data
- level 7 for top secret data
Generally, in my experience and understanding, protection class 2 (P3, P4, P5) would be sufficient for most normal business documents, although P3 still produces fine strips instead of cross-cut particles.
If your company would like to set a high standard to play safe, I recommend P4 or P5.
P1 to P3 are strip cuts, which are easy to reconstruct if the perpetrator is serious.
In a nutshell, there is no set rule that tells you which security level to adopt for your shredders.
A reasonable starting point would be a thorough SVA (security vulnerability assessment) of your facility.
Two golden rules for a decision based on the risks:
1. Do not overreact
2. Do not underestimate
Your comments are welcome.
Originally published at http://www.securitymanagers.net.