Written by: Flecher Feng, CPP, PSP, CFE
Email: flecherfeng@gmail.com
Where do you usually start in your security audits?
– Perimeter fence?
– Guardhouse?
– IT server room?
– Local ERP (Emergency Response Plan)?
…
There is no wrong answer.
You may follow different patterns or theories, and no security standard says which item you must start with.
I don’t know about you, but I always start my security audit with a tour of the premises, be it an office or production site.
I always check the office printers and look through the paper scattered around or thrown in the trash.
My printer visits have always satisfied me because I have found numerous documents containing information of great value or sensitivity to the companies. Some documents were lying innocently beside the printers, and others were scrambled and discarded in the dust bins as if they were blank.
What information is on those papers?
A lot.
Contact lists, vendor lists, vendor contracts, sales agreements, business memoranda, emails between sales and customers, lease agreements. You name it.
On one of my printer inspections, I got a piece of paper containing the detailed itinerary of the visiting CEO of the company, as well as his private email address, two cell phone numbers, the name of the hotel he would stay in, venues of dinners, and all the big names he was scheduled to meet…
I wish I were a commercial spy — the espionage job would be so easy.
That’s why I always start my security audit tour with the printers.
What’s missing here is a simple device that only a few companies think necessary: paper shredders.
Have you heard of this theory?
If you want to tear up a piece of paper by hand, no matter how hard you try or how strong you are, no matter how big the paper is, you cannot tear it after eight folds (one tearing after one folding).
Don’t try it now, though. Let’s back up a little.
History
Tearing up a piece of paper by hand is never a good idea if you want to destroy what’s written on it.
There was an American inventor named Abbot Augustus Low who knew better than that.
In 1909, Mr. Low filed a patent application for his invention of a “waste-paper receptacle”, the first paper shredder prototype in history.
Mr. Low’s invention was even granted a U.S. patent (number 929,960) on August 31, 1909, but it was never manufactured.
In 1935, a German toolmaker named Adolf Ehinger invented a device to ensure his anti-Nazi documents were unreadable if seized by the authorities. He was successful and later registered a company, EBA Maschinenfabrik, to manufacture the first cross-cut paper shredders in 1959 (EBA Krug & Priester GmbH & Co. in Balingen, Germany).
Over time, Ehinger’s shredder, initially used by governments and banks only, got popular for personal use and was widely accepted in the business world after World War II.
Standards
There are two standards for paper shredders, namely DIN 32757 and DIN 66399, DIN being the acronym of the Deutsches Institut für Normung e.V., or German Institute for Standardization.
Surprised? Don’t be. The Germans are good at making standards — think about the Purity Law they have for making beers.
DIN 32757
DIN 32757 is the European standard for paper shredder security. It’s broken up into six different security levels.
Security Level 1:
(10.5mm Strip Cut)
(11.8mm Strip Cut)
(10.5mm x 40-80mm Cross Cut)
Security Level 2:
(3.9mm Strip Cut)
(5.8mm Strip Cut)
(7.5mm x 40-80mm)
Security Level 3:
(1.9mm Strip Cut)
(3.9mm x 30-50mm Cross Cut)
Security Level 4:
(1.9mm x 15mm Cross Cut)
Security Level 5:
(0.78mm x 11mm Cross Cut)
Security Level 6:
(1mm x 4-5mm)
*Courtesy – https://www.abcoffice.com/office-equipment-news/tag/din-32757/
DIN 66399
DIN 66399, introduced by the UN in 2012, overrides the previous DIN 32757, reclassifying the old security levels (6 levels) into 7 new security levels ranging from P1 to P7.
The new standard DIN 66399 features 4 shredding patterns and 7 levels of security.
- Strip-cut: low level of security (P1, P2)
- Cross-cut: medium/higher level of security (P3/P4)
- Micro-cut: high level of security (P5/P6)
- High-security cut: highest level of security (P7)
The 7 defined security levels can be classified into 3 protection classes:
| Protection class | Security levels |
|---|---|
| Protection class 1 | 1, 2 & 3 |
| Protection class 2 | 3, 4 & 5 |
| Protection class 3 | 5, 6 & 7 |
So far, we’ve been calling the device a paper shredder, but strictly speaking, it’s a misnomer as it cuts not only paper.
The DIN 66399 standard also specifies 6 data media categories:
P – Information in original size (e.g. paper, films, printed forms)
F – Information in reduced form (e.g. microfilms, transparencies)
O – Optical data media (e.g. CDs, DVDs, Blu-ray discs)
T – Magnetic data media (e.g. floppy disks, cards with magnetic strips)
H – Hard drives with magnetic data media (e.g. from computers and laptops)
E – Electronic data media (e.g. flash drives, digital camera memory cards, bank cards)
Courtesy – https://www.the-shredder-warehouse.com/security-level
Below I have made a simple chart to compare the two security standards.
| Old DIN 32757 Security Level | Shred/particle size and number | New DIN 66399 Security Level | Strip/particle size | Number | Uses/examples |
|---|---|---|---|---|---|
| Level 1 | 12 mm strip cut 40 parts /sheet | P 1 | Strip size: < 2,000 mm²; strip width: < 12 mm | 17-18 | general internal documents; home |
| Level 2 | 6 mm 100 strips/sheet | P 2 | Strip size: < 800 mm²; strip width: < 6 mm | 35 | Normal internal business documents |
| Level 3 | 2mm strip cut, 3.9 x 80mm, 3.9 x | P 3 | Particle size: < 320; particle width: < 2 mm | 195+ | confidential documents; personal |
| | | P 4 | Particle size: < 160; particle width: < 6 mm | 390+ | highly sensitive documents subject |
| Level 4 | 2 x 15mm particle | P 5 | Particle size: < 30 mm²; particle width: < 2 mm | 2079+ | secret documents; highly |
| Level 5 | 0.8 x 12mm cross cut particles | P 6 | Particle size: < 10 mm²; particle width: < 1 mm | 6,237+ | extremely high demands of |
| Level 6 | 0.8 x 4mm cross cut particles | P 7 | Particle size: < 5 mm²; particle width: < 1 mm | 12,474+ | strictly |
*Note: A4 size = 210mm x 297mm.
8.5″ x 11″=210mm x 279.4mm.
A4 is slightly different from 8.5×11 letter paper (common in North America).
What security level do you need?
If you have seen the Oscar-winning movie “Argo,” you may remember what the Iranians were able to do to the classified documents shredded hurriedly in the American embassy – they hired people to reconstruct the strips…
Courtesy – http://lewisperdue.com/archives/4052
Strip cut is not good enough if the information is of high sensitivity.
What level of sensitivity counts as “high”?
It depends on you and your internal definitions of sensitivity.
- level 1 for general data that needs to be made illegible
- level 2 for internal data that needs to be made illegible
- level 3 for confidential data
- level 4 for highly confidential data
- level 5 for secret data
- level 6 for highly secret data
- level 7 for top secret data
Generally, protection class 2 (P3, P4, P5) would be sufficient for most normal business documents, although P3 still produces fine strips instead of cross-cut particles.
If your company would like to set a high standard to play safe, I recommend P4 or P5.
P1-3 are strip cuts, which are easy to reconstruct if the perpetrator is serious.
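The chart's size limits and the A4 note can be turned into a quick check of a shredder inventory during an audit. This is an added example, not part of the original article: the function names and the inventory are made up, limits are treated as inclusive, strips are assumed to run the full length of the sheet, and it assumes strip cuts are rated on width alone and reach P3 at most, while P4 to P7 particles must meet both the area and the width limit.

```python
import math

A4_W_MM, A4_H_MM = 210, 297  # A4 size from the article's note

# (level, max area mm^2, max width mm, strip cut accepted) from the chart above.
# Assumptions: limits are inclusive; strip cuts can reach P3 at most.
LEVELS = [
    ("P1", 2000, 12, True), ("P2", 800, 6, True), ("P3", 320, 2, True),
    ("P4", 160, 6, False), ("P5", 30, 2, False),
    ("P6", 10, 1, False), ("P7", 5, 1, False),
]
RANK = {name: i for i, (name, *_rest) in enumerate(LEVELS)}

def pieces_per_a4(width_mm, length_mm=None):
    """Pieces one A4 sheet becomes; length_mm=None means a strip cut."""
    if length_mm is None:  # assumed: strips run the full 297 mm length
        return math.ceil(A4_W_MM / width_mm)
    return math.ceil(A4_W_MM * A4_H_MM / (width_mm * length_mm))

def din66399_level(width_mm, length_mm=None):
    """Highest P level the cut satisfies, or None if it misses even P1."""
    best = None
    for name, max_area, max_width, strip_ok in LEVELS:
        if length_mm is None:      # strip cut: width is the only bound
            ok = strip_ok and width_mm <= max_width
        elif strip_ok:             # P1-P3 particle: area bound only
            ok = width_mm * length_mm <= max_area
        else:                      # P4-P7 particle: area and width
            ok = width_mm * length_mm <= max_area and width_mm <= max_width
        if ok:
            best = name
    return best

def audit(shredders, required):
    """Return (name, level, pieces per A4) for shredders below `required`."""
    findings = []
    for name, width_mm, length_mm in shredders:
        level = din66399_level(width_mm, length_mm)
        if level is None or RANK[level] < RANK[required]:
            findings.append((name, level, pieces_per_a4(width_mm, length_mm)))
    return findings

# Constructed inventory: (location, cut width mm, cut length mm or None for strip)
INVENTORY = [("print room", 5.8, None), ("finance", 3.9, 40), ("exec floor", 1.9, 15)]

if __name__ == "__main__":
    for finding in audit(INVENTORY, required="P4"):
        print(finding)  # shredders below the article's suggested P4 minimum
```

The piece count is the number a reconstruction effort would have to reassemble per sheet, which is why the strip-cut unit in the sample inventory is the one flagged.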
In a nutshell, no set rule tells you which level of security you need to adopt for your shredders.
A reasonable starting point would be doing a thorough SVA (security vulnerability assessment) at your facility.
Two golden rules for your decision based on the risks:
1. Do not overreact
2. Do not underestimate
Reference:
https://www.compareshredders.co.uk/articles-and-news/new-din-66399-shredder-security-levels
https://www.the-shredder-warehouse.com/security-level
https://www.shreddingmachines.co.uk/din32757-1.asp
https://www.abcoffice.com/office-equipment-news/tag/din-32757/
https://shredderauthority.com/pages/paper-shredder-shred-sizes-images-and-security-levels-din-66399
http://lewisperdue.com/archives/4052