Classification Breakdown: Match Your Data to its Destruction Method

In the age of social media, it’s pretty standard for many people to put their entire lives online. Whether it’s someone spilling their secrets over podcasts, vlogs and blogs or sharing too much about their assets and wealth on Instagram, much is shared online.

However, there are many types of information that not only just shouldn’t be shared but cannot be shared, especially pertaining to national security. So let’s break down all the different levels of information and the varying security classifications applied to identify and safeguard this information correctly.

Top Secret information (TS)

Top secret (TS) information is also known as classified information. Access to this level of information is highly restricted and is upheld by law or regulations to particular groups of people. It is sensitive enough to matters of national security that it must be protected at all times. Information of this nature can range from nuclear weapon launch codes to government secrets.

When it comes to the destruction of these types of information, best practices can vary. The question you should always ask yourself is as follows: is my end-of-life data destruction equipment designed to destroy this information securely? To ensure the highest security data destruction, the federal government requires that classified data be destroyed with devices listed on the NSA Evaluated Products List (EPL). This equipment is suitable for TS information and utilizes stringent destruction criteria determined by the NSA. 

Regardless of the classification level and type of data you are looking to destroy, any one of SEM’s NSA-listed paper shreddersdisintegratorsdegaussers and IT crushers is fully equipped to securely destroy all of your end-of-life data.

Sensitive Compartmented Information (SCI) and Special Access Program (SAP)

Sensitive Compartmented Information (SCI) and Special Access Program (SAP) are considered highly classified information controlled and designated by the National Intelligence Agencies and shared within certain Department of Defense branches. SCI and SAP access levels are only granted to those who already hold a TS clearance. This information ranges from intelligence sources and methods to analytical processing, targeting and information unique to a specialized program or project. This information is only accessible by those granted “a need-to-know basis” and thus safeguarded at the highest levels due to the nature of the classified information. Therefore, this information should only be destroyed with NSA EPL-listed devices.

Communication Security (COMSEC)

Communication Security (COMSEC) is used to deny unauthorized persons access to information obtained from telecommunications of the U.S. Government concerning issues such as national security. This information is handled and protected by the U.S. Department of Labor (DOL). Since COMSEC material is considered sensitive, it should be destroyed to the same standard as classified information, using NSA EPL listed equipment. COMSEC typically includes cryptographic security, emissions security, transmission security and the physical security of COMSEC material.

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is all of the different kinds of unclassified information throughout the Executive Branch of the United States government that requires safeguarding or circulation control that is consistent with applicable laws, government policies and regulations.

Typically, CUI information can consist of technical information with a military or space focus, legal material and law enforcement, federal healthcare, technical drawings and blueprints, immigration and more. All of SEM’s IT destruction devices are NIST 800-88 and therefore CUI compliant. In addition, all paper shredders listed on the NSA EPL are also CUI compliant.

Personally Identifiable Information (PII)

Personally identifiable information (PII) is any information that can identify a specific individual. PII can be tricky as it is not anchored to any one category of technology or information.

The range of what kind of information qualifies as PII is quite vast: social security numbers, IP addresses, passport and license numbers, mailing and email addresses, login IDs and other specific information are all personally identifiable.

While data breaches should always be taken seriously, a breach of this kind of information can put exposed people at an extremely high risk of identity theft and fraud. Take, for example, the recent security breach at the financial institution Morgan Stanley. The incidents, which have occurred over four years, were caused by an ITAD (IT asset disposition) vendor misplacing disparate computer equipment used to store customers’ PII. 

Personal Health Information (PHI)

Personal Health Information (PHI) is similar to PII in that it is identifiable information that can be linked to a specific individual.

PHI is an umbrella term given to any health information dated, received, transmitted or stored by the Health Insurance Portability and Accountability Act (HIPAA) and their entities and business associates concerning healthcare operations and payment. This information ranges from social security numbers and medical record numbers to test results and insurance information. Both PII and PHI are sensitive information, so they should be destroyed to completely prevent reconstruction or recovery using the same standards that apply to CUI.

Whether you’re looking to destroy personally identifiable, controlled, unclassified or top secret information, it is always best practice to follow data sanitization mandates. SEM has an array of high-quality end-of-life data destruction devices that meet NSA/CSS specifications, are on the NSA/CSS Evaluated Products List and follow the Controlled Unclassified Information (CUI) Executive Order.

Any one of our exceptional sales team members is more than happy to help answer any questions you may have about your data classification and help determine which machine will best meet your company and federally regulated destruction needs.

Brought to You by

What’s Hot on Infosecurity Magazine?