Data / Info classified according to its value and level of sensitivity.
The appropriate level of security can be applied.
Process should be:
Easy to Apply
Public / Unclassified - No harm if disclosed.
Confidential - Limited harm if disclosed.
Secret - Grave harm if disclosed.
Proprietary - Limited to internal use only. Restricted externally.
Private - Information regarding people.
Classification terms and labeling are determined by the organization.
PII - Personally Identifiable Information
Data that identifies or is traceable to a specific individual.
Name, SSN, Bio, Address
PHI - Protected (or Personal) Health Information
HIPAA: "any information about health status, provision of health care, or payment for health care that is created or collected by a 'Covered Entity' that can be linked to a specific individual."
US Federal Rules of Civil Procedure (FRCP)
Keep information for only as long as you need it and no longer.
Set in a Data Protection Policy
Properly disposing of data and associated hardware.
Trusting third parties for destruction.
Observe destruction process.
Transportation to destruction facility.
Use of media after destruction.
Best practice is to combine methods.
Burning - Use of heat or fire.
Not environmentally friendly.
Shredding - Reduces the size of objects with the intent of making them no longer usable.
Items may still be re-assembled.
Pulping - Reduces paper to liquid slurry.
Can be safely recycled.
Pulverizing - Using hydraulic or pneumatic action to reduce the materials to loose fibers and shards.
Degaussing - Using a large magnet to remove data from magnetic storage media such as hard drives and magnetic tapes.
Purging - Removing files and all traces of data.
Wiping - Overwriting data.
Data is replaced and then removed.