This message was posted by a user wishing to remain anonymous
How do you manage destruction of physical devices that contain or contained sensitive information?
Original Message:
Sent: 12-04-2023 03:17 PM
From: Anonymous Member
Subject: Document destruction vendors
Our organization rates our document shredding vendor as residually low risk. We mitigate the inherent high risk by having our employees physically present when the vendor empties the shred containers. Our staff then supervises the instant, on-site shredding process, which basically turns the documents into confetti. Our documents are never left unattended in their whole form. The shredding trucks are equipped with video cameras to live-view the destruction of all documents.
The vendor provides a standard due diligence packet that typically includes NAID certificates, insurance certificates, etc.
Original Message:
Sent: 12-04-2023 12:20 PM
From: Anonymous Member
Subject: Document destruction vendors
How do you risk classify document destruction vendors?
In the past we have classified them as low risk, but recently we decided to classify any vendor with access to Process, Store, Manage, View/Add/Modify, Transport, Dispose of, Transmit NPPI as high risk.
Does anybody else classify document destruction vendors as high risk? What level of due diligence do you perform?
Looking forward to any comments.