I start security audit with paper shredders, what about you?

Written by: Flecher Feng, CPP, PSP, CFE

Email: flecherfeng@gmail.com


Where do you usually start in your security audits?

– Perimeter fence?

– Guardhouse?

– IT server room?

– Local ERP (Emergency Response Plan)?

There is no wrong answer.

You may follow different patterns or theories, and no security standard says which item you must start with.

I don’t know about you, but I always start my security audit with a tour of the premises, be it an office or production site.

I always check the office printers and look through the paper scattered around or thrown in the trash.

My printer visits have always satisfied me because I have found numerous documents containing information of great value or sensitivity to the companies. Some documents were lying innocently beside the printers, and others were crumpled and discarded in the dust bins as if they were blank.

What information is on those papers?

A lot. 

Contact lists, vendor lists, vendor contracts, sales agreements, business memoranda, emails between sales and customers, lease agreements. You name it.

On one of my printer inspections, I got a piece of paper containing the detailed itinerary of the visiting CEO of the company, as well as his private email address, two cell phone numbers, the name of the hotel he would stay in, venues of dinners, and all the big names he was scheduled to meet…

I wish I were a commercial spy — the espionage job would be so easy. 

That’s why I always start my security audit tour with the printers.

What’s missing here is a simple device that only a few companies think necessary – paper shredders.


Have you heard of this theory?

If you want to tear up a piece of paper by hand, no matter how hard you try or how strong you are, no matter how big the paper is, you cannot tear it after eight folds (one tear after each fold).

Don’t try it now, though. Let’s back up a little.

History

Tearing up a piece of paper by hand is never a good idea if you want to destroy what’s written on it.

There was an American inventor named Abbot Augustus Low who knew better than that.

In 1909, Mr. Low filed a patent application for his invention of a “waste-paper receptacle” – the prototype paper shredder in human history.

Mr. Low’s invention was even granted a U.S. patent (number 929,960) on August 31, 1909, but it was never manufactured.

In 1935, a German toolmaker named Adolf Ehinger invented a device to ensure his anti-Nazi documents were unreadable if seized by the authorities. He was successful and later registered a company, EBA Maschinenfabrik, to manufacture the first cross-cut paper shredders in 1959 (EBA Krug & Priester GmbH & Co. in Balingen, Germany).

Over time, Ehinger’s shredder, initially used by governments and banks only, got popular for personal use and was widely accepted in the business world after World War II.

Standards

There are two standards for paper shredders, namely, DIN 32757 and DIN 66399, DIN being the acronym of the Deutsches Institut für Normung eV or German Institute for Standardization.

Surprised? Don’t be. The Germans are good at making standards — think about the Purity Law they have for making beers.

DIN 32757

DIN 32757 is the European standard for paper shredder security. It’s broken up into six different security levels.

Security Level 1:
(10.5mm Strip Cut)
(11.8mm Strip Cut)
(10.5mm x 40-80mm Cross Cut)


Security Level 2:
(3.9mm Strip Cut)
(5.8mm Strip Cut)
(7.5mm x 40-80mm)


Security Level 3:
(1.9mm Strip Cut)
(3.9mm x 30-50mm Cross Cut)


Security Level 4:
(1.9mm x 15mm Cross Cut)


Security Level 5:
(0.78mm x 11mm Cross Cut)


Security Level 6:
(1mm x 4-5mm)


*Courtesy – https://www.abcoffice.com/office-equipment-news/tag/din-32757/


DIN 66399

DIN 66399, introduced by the UN in 2012, overrides the previous DIN 32757, reclassifying the old 6 security levels into 7 new security levels ranging from P1 to P7.

The new standard DIN 66399 features 4 shredding patterns and 7 levels of security.

  • Strip-cut – low level of security – P1, P2
  • Cross-cut – medium/higher level of security – P3/P4
  • Micro-cut – high level of security – P5/P6
  • High-security cut – highest level of security – P7


The 7 defined security levels can be classified into 3 protection classes:

  • Protection class 1 – security levels 1, 2 & 3
  • Protection class 2 – security levels 3, 4 & 5
  • Protection class 3 – security levels 5, 6 & 7


So far, we’ve been calling the device a paper shredder, but strictly speaking, it’s a misnomer as it cuts not only paper.

The DIN 66399 standard also specifies 6 data media categories:

P – Information in original size (e.g. paper, films, printed forms)
F – Information in reduced form (e.g. microfilms, transparencies)
O – Optical data media (e.g. CDs, DVDs, Blu-ray discs)
T – Magnetic data media (e.g. floppy disks, cards with magnetic strips)
H – Hard drives with magnetic data media (e.g. from computers and laptops)
E – Electronic data media (e.g. flash drives, digital camera memory cards, bank cards)


Courtesy – https://www.the-shredder-warehouse.com/security-level


Below I have made a simple chart to compare the two security standards.

| Old DIN 32757 security level | Shred/particle size and number | New DIN 66399 security level | Strip/particle size | Number of strips/particles after shredding (A4 paper) | Uses/examples |
|---|---|---|---|---|---|
| Level 1 | 12 mm strip cut; 40 parts/sheet | P 1 | Strip size: < 2,000 mm²; strip width: < 12 mm | 17-18 | General internal documents; home use |
| Level 2 | 6 mm; 100 strips/sheet | P 2 | Strip size: < 800 mm²; strip width: < 6 mm | 35 | Normal internal business documents |
| Level 3 | 2mm strip cut; 3.9 x 80mm, 3.9 x 40mm, 3.9 x 30mm, 3 x 35mm, 2 x 28mm cross cut | P 3 | Particle size: < 320 mm²; particle width: < 2 mm | 195+ | Confidential documents; personal data, etc. |
|  |  | P 4 | Particle size: < 160 mm²; particle width: < 6 mm | 390+ | Highly sensitive documents subject to high protection requirements |
| Level 4 | 2 x 15mm particle | P 5 | Particle size: < 30 mm²; particle width: < 2 mm | 2079+ | Secret documents; highly restricted documents |
| Level 5 | 0.8 x 12mm cross cut particles | P 6 | Particle size: < 10 mm²; particle width: < 1 mm | 6,237+ | Extremely high demands of security; military or government |
| Level 6 | 0.8 x 4mm cross cut particles | P 7 | Particle size: < 5 mm²; particle width: < 1 mm | 12,474+ | Strictly confidential data with the highest security precautions |

*Note: A4 size = 210mm x 297mm.

8.5″ x 11″ = 210mm x 279.4mm.
A4 is slightly different from 8.5×11 letter paper (common in North America).
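
How the chart's counts follow from its size limits, together with a check of measured cross-cut particles against a required level during an audit. This Python sketch is an added example, not part of the original article; treating the chart's limits as inclusive, the function names and the sample inventory are assumptions.

```python
import math

A4_MM = (210, 297)  # A4 sheet size, as given in the article's note

# (level, max particle area mm^2, max width mm): values copied from the chart.
# Treating each limit as inclusive is an assumption of this example.
LEVELS = [("P1", 2000, 12), ("P2", 800, 6), ("P3", 320, 2), ("P4", 160, 6),
          ("P5", 30, 2), ("P6", 10, 1), ("P7", 5, 1)]
RANK = {name: i for i, (name, _, _) in enumerate(LEVELS, start=1)}

def min_pieces_per_a4(level):
    """Reproduce the chart's count column for one A4 sheet."""
    _, max_area, max_width = LEVELS[RANK[level] - 1]
    if level in ("P1", "P2"):
        # Strip cut: full-length strips, so count by sheet width / strip width.
        return math.ceil(A4_MM[0] / max_width)
    # Particle cut: sheet area / largest allowed particle area.
    return math.ceil(A4_MM[0] * A4_MM[1] / max_area)

def classify_particle(width_mm, length_mm):
    """Highest level whose area and width limits a cross-cut particle meets."""
    area = width_mm * length_mm
    for name, max_area, max_width in reversed(LEVELS):
        if area <= max_area and width_mm <= max_width:
            return name
    return None  # larger than anything the chart allows

def audit(shredders, required_level):
    """Return (location, measured level) for each shredder below the requirement."""
    findings = []
    for location, width_mm, length_mm in shredders:
        got = classify_particle(width_mm, length_mm)
        if got is None or RANK[got] < RANK[required_level]:
            findings.append((location, got))
    return findings

# Constructed inventory: (location, measured particle width mm, length mm)
SAMPLE = [("finance printer", 2, 15), ("reception", 10.5, 40), ("HR office", 4, 40)]

if __name__ == "__main__":
    for level, _, _ in LEVELS:
        print(level, min_pieces_per_a4(level))
    print(audit(SAMPLE, "P4"))
```
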


What security level do you need?

If you have seen the Oscar-winning movie “Argo,” you may remember what the Iranians were able to do to the classified documents shredded hurriedly in the American embassy – they hired people to reconstruct the strips…

Courtesy – http://lewisperdue.com/archives/4052


Strip cut is not good enough if the information is of high sensitivity.


How sensitive does information have to be to be classified as “high”?

It depends on you and your internal definitions of sensitivity.

  • level 1 for general data that needs to be made illegible
  • level 2 for internal data that needs to be made illegible
  • level 3 for confidential data
  • level 4 for highly confidential data
  • level 5 for secret data
  • level 6 for highly secret data
  • level 7 for top secret data

Generally, protection class 2 (P3, P4, P5) would be sufficient for most normal business documents, although P3 still produces fine strips instead of cross-cut particles.

If your company would like to set a high standard to play it safe, I recommend P4 or P5.



P1-3 are strip cuts, which are easy to reconstruct if the perpetrator is serious.

In a nutshell, no set rule tells you which level of security you need to adopt for your shredders.
A reasonable starting point would be doing a thorough SVA (security vulnerability assessment) at your facility.

Two golden rules for your decision based on the risks:

1. Do not overreact

2. Do not underestimate



Reference:

https://www.compareshredders.co.uk/articles-and-news/new-din-66399-shredder-security-levels

https://www.the-shredder-warehouse.com/security-level

https://www.shreddingmachines.co.uk/din32757-1.asp

https://www.abcoffice.com/office-equipment-news/tag/din-32757/

https://shredderauthority.com/pages/paper-shredder-shred-sizes-images-and-security-levels-din-66399

http://lewisperdue.com/archives/4052
