Brought to you by IBEC Intelligence
One of the main changes in the updated R2 standard is an emphasis on reuse, then recycling. The standard does this by emphasizing ways to ensure more secure data erasure, so that more items can be reused rather than recycled or destroyed.
If your facility is getting ready to get certified or to upgrade to R2v3, you should develop a comprehensive data sanitization plan. SERI sets out some steps to consider when developing your plan:
Step #1: Identify the types of data storage devices and the related data managed by your facility
Consider all types of electronic devices, components and media managed by your facility and figure out what specific types of devices are capable of storing data, like mobile devices or wearables.
Determine if they contain user data or general information. Pay attention to devices that use network services that could automatically repopulate data on the device.
Step #2: Define all data security and sanitization requirements
Consider all legal and supplier data security and/or sanitization requirements in addition to R2v3 requirements, and identify the required time frame for completing sanitization from the point of receipt of a data device.
Step #3: Establish the data sanitization processes and procedures
Identify the approved method of sanitization (logical sanitization or physical destruction) for each data device managed. Clearly define the process and procedure for handling and sanitizing each type of device. If using downstream vendors, clearly outline their responsibilities.
Step #4: Establish security controls
Establish a secure area for data sanitization, including dedicated locked rooms or partitioned areas with physical barriers; locks and/or monitored electronic access control to restricted areas; security alarms and monitoring systems; etc.
Also make sure to have process controls, including security training & awareness; access authorizations; security monitoring; material handling procedures; etc.
Step #5: Where applicable, develop additional data controls related to Appendix B processes
Clearly identify device tracking, verification of the effectiveness of the sanitization process, and quality controls for data sanitization activities. Define the corrective action process for responding to any issues identified in the sanitization process.
Clearly identify all competency requirements related to performing and verifying data sanitization activities.
Step #6: Develop processes for training on and validating the security and sanitization controls
Make sure all workers are trained regularly and verified to be competent on these policies and procedures for data security.
Have a competent and independent auditor perform annual internal data security and sanitization audits to validate that the data sanitization processes are effective and conform to the R2 Standard, legal requirements, and the data sanitization plan.
Do you want to learn more about data sanitization and how to properly take care of it at your facility?