CCTM IA CLAIMS DOCUMENT (ICD) Data Eliminate Ltd



Similar documents
Secure Mobile Shredding and. Solutions

How To Destroy Data From A Hard Drive

OUR SERVICES... SUPPLY CHAIN SERVICES ONSITE SERVICES IT RECYCLING SERVICES

Fujitsu Asset Lifecycle Management Services

CD ROM, Inc Commercial Catalog. Destruction and Recycling Services

Destruction and Disposal of Sensitive Data

INFORMATION TECHNOLOGY EQUIPMENT PROCUREMENT AND DISPOSAL POLICY

NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE NSA/CSS POLICY MANUAL Issue Date: 15 December 2014 Revised:

UNCLASSIFIED CESG ASSURED SERVICE CAS SERVICE REQUIREMENT DESTRUCTION. Version 1.0. Crown Copyright 2012 All Rights Reserved.

Harbinger Escrow Services Backup and Archiving Policy. Document version: 2.8. Harbinger Group Pty Limited Delivered on: 18 March 2008

CPA SECURITY CHARACTERISTIC DATA SANITISATION - FLASH BASED STORAGE

Other terms are defined in the Providence Privacy and Security Glossary

Information Technology Services Guidelines

IT ASSET DISPOSAL ISO ISO Registered Environmental Management. ISO 9001 Registered Quality Management

Asset Management Ireland (AMI) The secure IT Asset Disposal Company that generates revenue for your business

Protecting Data in Decommissioned IT Assets: Factors, Tools and Methods

IT Trading UK Ltd Computer & IT Equipment Disposal Specialists

University of Liverpool

Form #57, Revision #4 Date 7/15/2015 Data Destruction and Sanitation Program. Mobile (ON-SITE) Data Destruction/Shredding Services

CITY UNIVERSITY OF HONG KONG. Information Classification and

No More Disks. No More Data. No More Doubt. Goodbye Disks. Goodbye Doubt.

SOAS Controlled Procedure CP-PP06 IT Asset Management Procedure

NHS Information Governance:

Policy for the Re-use and Disposal of Computers, other IT Equipment and Data Storage Media

UMBC POLICY ON ELECTRONIC MEDIA DISPOSAL UMBC# X

Walton Centre. Asset Management. Information Security Management System: SS 03: Asset Management Page 1. Version: 1.

Challenges and Solutions for Effective SSD Data Erasure

SCANNING STORAGE SHREDDING WORKFLOW IT RECYCLING.

STANDARD 3-8 WORKING DAYS

BACKUP SECURITY GUIDELINE

SERVER, DESKTOP AND PORTABLE SECURITY. September Version 3.0

Life Cycle of Records

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Information Security Plan effective March 1, 2010

Grasmere Primary School Asset Management Policy

Information Governance Policy (incorporating IM&T Security)

Guidelines on Digital Forensic Procedures for OLAF Staff

Samsung WEEE Management Policy (US and Canada)

ECONOMY WORKING DAYS STANDARD 3-8 WORKING DAYS

Understanding Data Destruction and How to Properly Protect Your Business

HIPAA Training for Hospice Staff and Volunteers

POLICIES. Campus Data Security Policy. Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central.

SECURITY POLICY REMOTE WORKING

State of Vermont. Digital Media and Hardware Disposal Standard. Date: Approved by: Policy Number:

Portable Devices and Removable Media Acceptable Use Policy v1.0

document destruction Our passion.

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Technical Reference Document Summary of NIST Special Publication : Guidelines for Media Sanitization

The guidance applies to all records, regardless of the medium in which they are held, including , spreadsheets, databases and paper files.

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

That s why outsourcing using a Qualified Contractor is the best solution to the problem of assuring a compliant hard drive destruction audit trail.

This article first appeared in the International Technology Law Association s ebulletin, Volume 2, Issue 3, summer 2008.

ABERDARE COMMUNITY SCHOOL

MEDIA AND IT ASSET DISPOSITION: YOUR GUIDE TO SELECTING A SUPPLIER

Version 1.0. Ratified By

Approved By: Agency Name Management

Guidance on Personal Data Erasure and Anonymisation 1

Information Technology Acceptable Usage Policy

الدكتور عادل إسماعيل العلوي الجامعة الملكية للبنات البحرين نائب رئيس الجمعية الدولية لضبط ومراقبة نظم المعلومات

Information Technology Policy and Procedures

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

CloudDesk - Security in the Cloud INFORMATION

About this Tool Information Security for Residents...

Electronic Data Retention and Preservation Policy 1

University of Liverpool

Secure Storage, Communication & Transportation of Personal Information Policy Disclaimer:

Information retention and disposal guide. Date: 31 October 2014 Version: 2.0

28400 POLICY IT SECURITY MANAGEMENT

How To Protect School Data From Harm

Mobile Phone Device Policy

Credit Card Processing and Security Policy

SECURITY POLICIES AND PROCEDURES

Network Security Policy

Media Disposition and Sanitation Procedure

Shredding. Security. Recycling

Course: Information Security Management in e-governance

Angard Acceptable Use Policy

PCI Data Security and Classification Standards Summary

Enterprise Information Security Procedures

Solid-State Drives with Self-Encryption: Solidly Secure

Scotland s Commissioner for Children and Young People Records Management Policy

HIPAA Training for Staff and Volunteers

Defense Logistics Agency. Turn-in Guidance for Disposition of Unclassified Computer Hard Drives

Data Security Policy

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Policy Document. Communications and Operation Management Policy

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

The nation s largest privately held records and information management company

Industry Security Notice

A guide to our recycling And waste management services

Encryption Policy Version 3.0

October 2015 Issue No: 1.1. Security Procedures Windows Server 2012 Hyper-V

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

Information Security Policy

LSE PCI-DSS Cardholder Data Environments Information Security Policy

2.2 Access to ICT resources at the Belfast Metropolitan College is a privilege, not a right, and all users must act honestly and responsibly.

Remote Working and Portable Devices Policy

Secure Data Destruction

IT Heath Check Scoping guidance ALPHA DRAFT

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

Transcription:

CCTM IA CLAIMS DOCUMENT (ICD) Data Eliminate Ltd DESTRUCTION OF DATA ON HARD DRIVES, COMPUTER STORAGE MEDIA AND HANDHELD DEVICES INCORPORATING WEEE RECYCLING MANAGEMENT Version 1 VENDOR DETAILS Data Eliminate Ltd 107 Fleet Street, London EC4A 2AB TEST LABORATORY DETAILS SiVenture Unit 6, Cordwallis Park Clivemont Road Maidenhead Berks SL6 7BU Telephone Number: 0845-1234400 Telephone Number: 01628 651360 Email: info@dataeliminate.com Website: www.secure-data-destruction.co.uk Email: john.walker@siventure.com Website: www.siventure.com CCTM Application Reference Number V032/0003 CCTM Maintenance Application only ICD Reference Number NA ONY2-CD-0002 ICD Version Number 1.3 ICD Date 15 April 2011 ICD Author Julian Fraser CONTACT POINT FOR TECHNICAL QUERIES ON THE ICD: Contact Name: Julian Fraser Contact Email Address: info@dataeliminate.com

Telephone Number: 0845-1234400 CERTIFICATE DETAILS The table will be on the front cover of the Final ICD when this is published on the CCTM Website CCTM Certificate Number 2011/04/0096 CCTM Awarded on 05 May 2011 CCTM Award Expires on 04 May 2012 ICD Issue Date 05 May 2011

TABLE OF CONTENTS 1 INTRODUCTION... 4 1.1 Background... 4 1.2 Objectives... 4 1.3 Purpose of Document... 4 1.4 Structure... 4 2 IS SERVICE DESCRIPTION... 5 2.1 Service Identification... 5 2.2 Service Overview... 5 2.3 Usage assumptions... 7 3 CCTM CLAIMS FOR THE IS PRODUCT OR SERVICE... 8 3.1 Claims Statements... 8 3.2 Existing assurance certificates... 9 3.3 Test Approach... Error! Bookmark not defined. 15 April 2011 Version 1-3 Page 3 of 11

1 INTRODUCTION 1.1 Background This document outlines the IA claims made by Data Eliminate Limited in regard to the suitability of Secure Destruction of Data on Harddrives, Computer Storage Media and Handheld Devices Incorporating WEEE Recycling Management for use by the UK Public Sector and other users for ensuring data has been securely destroyed on end of life computer and data storage equipment. Data Eliminate helps customers to meet those challenges. The service incorporates a selection of destruction methods including magnetic media degaussing, physical destruction by shredding and secure data overwriting. 1.2 Objectives The objectives of this document are to enable testing and verification under the CCT Mark scheme. 1.3 Purpose of Document 1.3.1 This document is the ICD for Secure Destruction of Data on Harddrives, Computer Storage Media and Handheld Devices Incorporating WEEE Recycling Management 1.3.2 This ICD is the baseline document for the CCTM Claims Test of Secure Destruction of Data on Harddrives, Computer Storage Media and Handheld Devices Incorporating WEEE Recycling Management. 1.4 Structure The structure of this ICD is as follows: Section 1 (this section) contains the introductory material. Section 2 contains the description of functionality of Secure Destruction of Data on Harddrives, Computer Storage Media and Handheld Devices Incorporating WEEE Recycling Management and all the information related to the security of Secure Destruction of Data on Harddrives, Computer Storage Media and Handheld Devices Incorporating WEEE Recycling Management. Section 3 details the security functionality claims that are being made. 15 April 2011 Version 1-3 Page 4 of 11

2 IS SERVICE DESCRIPTION 2.1 Service Identification Product or Service Name: Secure Destruction of Data on Harddrives, Computer Storage Media and Handheld Devices Incorporating WEEE Recycling Management Version: 1 Period of Assessment: January 2011 December 2011 2.2 Service Overview Clients may select from a list of service options including: Degaussing of hard disk drives and magnetic media such as data tape using products that are certified by CESG under IS(5) at the lower level and are considered capable of purging data up to and including IL3 (Restricted). Physical destruction by shredding of all media. This includes media such as hard disks, data tapes, CDs and DVDs, and handheld devices such as PDAs and mobile phones. Data Overwriting using software certified by CESG under Infosec Standard 5 at the higher level (customers should refer to the latest version of IS5 for details of how higher level overwriting products may be used to destroy data at IL3 and above). Blancco or Kroll overwriting products are used. It should be noted that under the CCTM scheme, data at IL4 and above is considered out of scope and that sanitisation of data is only valid for data up to and including IL3. On-site or off-site destruction. The client can choose to have on-site destruction at their own location or have classified material securely transported to Data Eliminate s secure destruction facility. Data Eliminate provides secure transport of media and of residue/waste after destruction as necessary. The recording of the details of processed data storage items for audit and asset tracking purposes. Details recorded can include but are not limited to serial number, make, model and asset number. A WEEE compliant disposal service of data storage media and other computer and electronic equipment. The process followed is below: 15 April 2011 Version 1-3 Page 5 of 11

1. Clients will contact Data Eliminate to procure The Service. The client s requirements and best practice as per IS5 will determine the appropriate service option(s). 2. Where degaussing is required by the client, Data Eliminate will deploy an engineer to the customer s premises with degaussing equipment. The degausser is certified as compliant with the lower degaussing standard and therefore is deemed to be capable of purging data classified up to and including IL3 (restricted). 3. Where physical destruction is required by the client, Data Eliminate will deploy equipment that is capable of destroying data protectively marked up to IL2 (protect). If data at IL3 is to be destroyed, it is necessary to combine physical destruction with the overwriting and/or degaussing service options. 4. Where WEEE recycling is required by the client, Data Eliminate engineer(s) will remove waste and residue from the destruction location. Such waste will be handled and disposed of in line with WEEE Directive. After disposal, a Waste Transfer Note or Hazardous Waste Consignment Note will be issued to the client. 5. At the time of service provision or shortly afterwards, Data Eliminate will provide the client with a certificate of data destruction. This certificate will record job execution date, the name of the senior engineer present, the name of the client s witness and details of items processed including serial number, make, model and asset number as required by the client. The certificate provides an audit record and proof of compliance as may be required by the client. 2.2.1 Security architecture Not applicable 2.2.2 Hardware requirements The service uses a mobile degausser. The type used is made by Verity Systems Ltd and the model is SV91 M. 2.2.3 Software requirements Not applicable 2.2.4 Out of Scope The Service is intended to destroy data up to and including IL3 (restricted). Data with a higher impact level is not covered under the CCTM scheme. If shredding of media is selected without prior 15 April 2011 Version 1-3 Page 6 of 11

degaussing or overwriting, then the service is only capable of destroying data up to IL2. Data marked as IL3 must be destroyed by degaussing or overwriting to render the media unclassified. 2.3 Usage assumptions 2.3.1 Assets Hard disk drives (desktop, laptop, server, and solid state based drives) Disks (CD, DVD, Floppy, and zip disks), tapes (DAT, DLT, LTO, Audio, and Video Portable storage devices (memory sticks, memory pens, memory cards, and flash based devices) mobile telephony devices (PDA and Smartphone) 2.3.2 Threat scenario Threats to assets which are countered are the theft, accidental loss or unauthorised disclosure of personal or operational data. 2.3.2.1 Expected operational environment The service can be provided at a location of the client s choosing or at Data Eliminate s secure destruction facility. 2.3.2.2 Organisational security policies The service helps the customer to comply with: HMG Security Policy Framework V1.0 (SPF70) December 2008 Mandatory Requirement 45 Code of Connection for the GSI Soctim Data Handling Guidelines, Nov 2008 Security policies related to ISO 27001 controls Data protection and privacy of personal information. The United States Sarbanes Oxley Act. In addition, users will be able to comply with NHS SyOp 7.13, the Data Protection Act and generally provide protection against identity and data theft. 2.3.2.3 Security requirements on the environment It is the customer s responsibility to provide a secure environment in which the on-site Service can be performed. This should be done in line with their own security policies and procedures. The Service can then be carried out within the secure environment provided by the customer. 15 April 2011 Version 1-3 Page 7 of 11

3 CCTM CLAIMS FOR THE IS PRODUCT OR SERVICE 3.1 Claims Statements Unique Ref Claims statements 1 Data Eliminate Ltd operates an Integrated Management System (IMS) covering Operations within the company s offices, on site and off site secure data destruction services, and the management of recycling of IT equipment. The IMS is independently audited by UKAS certified inspectors, NQA, and incorporates the following international standards: ISO 27001:2005 Information Security Management System ISO 14001:2004 Environmental Management System ISO 9001:2008 Quality Management System 2 Data Eliminate manages the recycling and disposal of WEEE in line with the WEEE Directive and is registered with the Environment Agency as a Licensed Waste Carrier and Broker under Certificate Number CB/XN5315VV. Waste Transfer Notes are provided as appropriate. 3 Data Eliminate provides an Overwriting Service for computer hard drives. The service erases data with a protective marking of RESTRICTED or below using software approved for this purpose by CESG. 4 Data Eliminates provides a Degaussing Service for hard drives and magnetic storage media using equipment approved for this purpose by CESG. The service erases data with a protective marking of RESTRICTED or below in compliance with the CESG Lower Level Degaussing Standard. 5 Data Eliminate provides a vehicle-based mobile Shredding Service which is delivered at the customer s premises (or otherwise as specified by the customer). The vehicle is self-powered and self-contained. 6 The Shredding Service shreds and physically destroys hard disk drives, disks, tapes, portable storage devices and mobile telephony devices to ensure that each item is inoperable and destroyed using commercial best practice. The Shredding Service must be used in conjunction with degaussing and/or overwriting to reduce data protectively marked as IL3 to unclassified. 7 Data Eliminate staff count and record the data storage items identified for processing before destruction begins. The client can witness the entire process including counting, recording and destruction. 8 The data destruction services are available at a location specified by the customer (on-site) or at Data Eliminate s own secure facility (off-site). 9 The customer is provided with a certificate of data destruction at the time of destruction or shortly afterwards. This provides details of the media destroyed including media type and serial number (where available), date destroyed, by whom it is destroyed and by whom the destruction process is witnessed. 15 April 2011 Version 1-3 Page 8 of 11

Unique Ref Claims statements 10 Data Eliminate will provide secure transport of all media and equipment between sites as required. This transport is approved for carrying material up to and including IL3. 11 Data Eliminate will use staff who are at a minimum BPSS cleared, and deemed capable of handling IL3 material. Staff are fully trained in the use of the equipment. 3.2 Existing assurance certificates The Verity SV9IM degaussing unit used in this service for data destruction complies with the CESG Lower Level Degaussing standard [CESG]. This was originally approved against the SEAP 8500 degaussing standard. Under S(E)N 06/09, degaussers which have been certified as meeting SEAP 8500 will automatically be considered to meet the CESG lower level degaussing standard. See the CESG website for further information: (http://www.cesg.gov.uk/find_a/cert_products/index.cfm?menuselected=1& displaypage=152&id=287 ) Blancco 4.8 HMG is approved at both Lower and Higher Overwriting Standards (refer to HMG Infosec Standard 5). Blancco 4.8 HMG is approved for UK Government use. http://www.cesg.gov.uk/find_a/cert_products/index.cfm?menuselected=1&d isplaypage=152&id=442 Kroll Ontrack Eraser Version 3.0 is approved at the Lower Level and the Higher Level Overwriting Standards (refer to HMG Infosec Standard 5). http://www.cesg.gov.uk/find_a/cert_products/index.cfm?menuselected=1&d isplaypage=152&id=424 15 April 2011 Version 1-3 Page 9 of 11

ANNEX A GLOSSARY OF TERMS Term CCT Mark CD CESG DVD EU HDD HMG IA IL IS IT lcd LTO NHS PDA SDLT SEAP UK WEEE Meaning CESG Claims Tested Mark Compact Disk Communications-Electronics Security Group Digital Versatile Disk European Union Hard Disk Drive Her Majesty s Government Information Assurance Impact Level InfoSec Standard Information Technology Information Assurance Claims Document Linear tape open (magnetic tape media) National Health Service Personal Digital Assistant Super Digital Linear Tape Security Equipment Assessment Panel United Kingdom EU directive on Waste Electrical and Electronic Equipment 15 April 2011 Version 1-3 Page 10 of 11

ANNEX B MARKETING STATEMENT TO BE USED (IF THE CLAIM IS SUCCESSFUL) The service provides a secure and convenient way for public sector organisations to destroy data held on hard drives and storage media and meet their obligations under: The Security Policy Framework Mandatory Requirement 45 Secure Disposal for IT Equipment, The Code of Connection (CoCo for Local Authorities), UK and EU Data Protection Legislation including the Data Protection Act. Service features and options include: On-site and off-site service provision Shredding, degaussing of magnetic media or secure overwriting Environmental recycling of media and IT equipment Serial numbered asset-tracking Destruction Certificates and Waste Transfer Notes Data Eliminate Ltd operates an Integrated Management System (IMS) independently audited by UKAS certified inspectors incorporating: ISO 27001:2005 Information Security Management System ISO 14001:2004 Environmental Management System ISO 9001:2008 Quality Management System For this CCT Mark Service no security claims are made for media marked at IL4 or above. **End of Document** 15 April 2011 Version 1-3 Page 11 of 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information