It used to be an easy choice - simply put your sensitive document through the office shredder and your liability ended there. Or did it? We’ve all heard the countless stories of shred residue being reconstructed with a wealth of information gleaned from strips of spaghetti like particles. The most infamous example of a failing in high security shredder standards may be from 1979 at the American embassy in Tehran. After the Iranian Revolution, the embassy was raided and hundreds of civilians were able to reassemble classified documents after a high security disintegrator (a large knife mill) jammed and a less secure strip cut shredder was engaged. That episode led to the reevaluation of the classified destruction standard and the beginning of a shredding revolution that continues to this day. In trying to determine the best product for your particular agency, there are some basic steps to take that will make the process much easier and provide the best value while assuring the proper safeguarding of your sensitive data in compliance with existing high security shredder standards. Start by identifying the classification of the data you need to destroy. This step will put you in a specific category and narrow the tremendous offering of shredders on the market. Classification terms such as “Privacy Act” (PA) and “Sensitive But Unclassified (SBU) are being replaced by “Personally Identifiable Information (PII) and “Controlled Unclassified Information” (CUI). For the security practitioner these terms are already part of their vocabulary. AS the security requirement increases, so does the ‘alphabet soup’ of acronyms for the various security levels. Classified information destruction must meet the standards of the NSA as it pertains to Communications Secure (COMSEC), Sensitive Compartmented Information (SCI), Special Access Programs (SAP), Top Secret, and Secret, just to name a few. Companies that offer these products can be found on the NSA website (www.nsa.gov) under Information Assurance >> IA Guidance >> Media Destruction Guidance. Though these regulations have been put in place by executive order and are thus the Law, each agency administers these policies differently so inquiries should be made directly with your security programs office first.
High Security Shredder Standards
Within the last several years another classification standard has grown in popularity. The Deutsches Institut fur Normung e.V., a German institute for standardization since 1917, publishes the DIN standard (the Germans created the first shredder in 1935). Better known in the US as DIN Levels, each level represents a particular shred size that relates to the classifications standards mentioned above. For example: Level 6 (the highest) refers to a residue particle no larger than 1mm x 5mm (the NSA requirement for destroying classified documents). Level 5 - 1/32” x 7/16’ was replaced by Level 6 when the Department of Defense changed the regulation in 2002. Level 4 is a particle no larger than 3/32” x ⅝” and level 3 no larger than 3/16” x 3”. Unless you are dealing with classified documents, the majority of Federal shredding falls into the Level 3 category. This level meets all of the requirements for the destruction of Personally Identifiable Information (PII) and Controlled Unclassified Information (CUI). Now that you have identified the proper standard, it’s time to narrow the selection process even further. This step is actually fairly easy. Buy the biggest shredder within budget that meets your budget and fits into the allotted space! Most people will purchase for today’s requirement and not consider possible increases in workload or employees. A small or medium volume shredder can quickly be overworked and require costly repairs or early replacement. An alternative is to de-centralize units throughout the office. Instead of purchasing one large shredder you could procure two mid-volume models for around the same cost. This puts less burden on a single unit and provides easier access for the entire staff. While doing your research on high security shredder standards, make sure to compare similar products. Some key components would be horsepower, shred size, throat opening, dimensions, and weight. If any one of these is way off the mark you are not making a good comparison. For example, a model could be equal in every way to another except that it weighs 50 pounds less - that tells me there is a quality issue. Most quality shredders originate in Germany and advertised sheet capacities are based on the test they perform there using 16 pound paper which is much thinner than the 20 pound bond we use in the States. The number of sheets per feed is especially important when comparing units that must meet classified destruction standards. Because of the strict 1mm x5mm residue (about the size of a half folded staple) these units do not feature high sheet capacities. In this case, NSA has taken the guess work out of the selection process by performing a one hour durability test on each unit.
A consistent number of sheets are fed through the shredder one after the other. If the unit jams, one sheet is removed and the process starts all over again until a specific sheet capacity is fed without fail. The results of these tests are then added to the NSA/CSS 02-01 Evaluated Products List (EPL). This list, along with others for different media applications, can be accessed via the NSA web site mentioned earlier. Comparisons between high security shredders should not be made without consulting this list. It is absolutely the best unbiased source of information for classified destruction units available. As you can see there are many things to consider when evaluating high security shredder standards. When making your selection, be sure to communicate with a firm that specializes in data destruction equipment. Internet companies may be able to sell you a shredder, but that’s about as far as they go. A reputable company will have personnel that are familiar with all aspects of paper and media destruction and knowledge of all applicable standards. These companies will not only make the selection process easier but will also be able to provide delivery, installation and service after the sale. Understanding High Security Standards and Specifications (PDF)