
Downstream Data Destruction Vendor Checklist

Vendor Name:
Other Business Names:
Address:
This checklist is designed for the evaluation of potential vendors for data destruction under R2:2013 Provision 8. It covers the requirements for outsourcing data destruction. Vendors may include those contracted specifically for data destruction, where the R2:2013 recycler does not have the capability internally. It also covers vendors that receive equipment for refurbishment or recycling that has not been sanitized by the R2:2013 recycler and still contains data that must be controlled and destroyed.

Document the types of media sent to the downstream vendor for data destruction. Describe the processing technique used by the downstream vendor for each type of media. Remove or change the media types as appropriate for each downstream vendor.
Media                  Processing Technique
Hard Drive
Solid State Drive
Optical Disk
Floppy Disk
Data Tape
Video Tape
SD Cards
ROM
Revision Date: 2015
© SERI Inc – All Rights Reserved
Data Destruction Requirements

Prov.   Requirement   Verification

8(a)    Has the refurbisher incorporated the applicable requirements of NIST 800-88 or other generally-accepted standard into its data destruction procedures?
        Verification:

8(a)    Are instructions for the identification of media containing data and requiring sanitization included in the refurbisher's EHSMS? [NIST 800-88 Section 4.2]
        Verification:

8(b)    Does the refurbisher adhere to the incorporated data destruction standards for all data-bearing media?
        Verification:

8(c)    Does the refurbisher document its data destruction procedures and include this documentation as part of its EHSMS?
        Verification:

8(c)    Do employees involved in data destruction receive appropriate training in data destruction processing?
        Verification:

8(c)    Do employees involved in data destruction receive repeat training in data destruction processing on a regular basis?
        Verification:

        Are employees involved in data destruction pre-qualified through an evaluation of competency prior to processing media for data destruction?
        Verification:

8(d)    Are data destruction validation requirements and processes documented in the data destruction procedures as part of the EHSMS?
        Verification:

8(d)    Are data destruction processes reviewed and validated by an independent party on a periodic basis as defined in the data destruction procedures?
        Verification:

8(e)    Are quality controls for data destruction documented?
        Verification:

8(e)    Are quality controls for data destruction effectively implemented and used?
        Verification:

8(e)    Are quality controls for data destruction regularly monitored internally for effectiveness?
        Verification:
Prov.   Requirement   Verification

8(f)    Has the level of sensitivity of data on media received at the facility been determined?
        Verification:

8(f)    Are security controls for media containing data documented?
        Verification:

8(f)    Are the documented security controls for media containing data implemented?
        Verification:

8(f)    Are security controls and procedures maintained and updated as changes occur in facility, personnel, or media sensitivity?
        Verification:

8(f)    Are the implemented security controls appropriate for the most sensitive classification of media accepted at the facility?
        Verification:

8(f)    Do security controls consider physical security, monitoring, chain-of-custody, and personnel qualifications?
        Verification:

8(g)    Are adequate records of data destruction maintained by the recycler and by each downstream vendor conducting data destruction?
        Verification:

8(h)(1) If data destruction is handled by a downstream vendor to the refurbisher, does the refurbisher maintain responsibility for data destruction?
        Verification:

8(h)(1) If data destruction is handled by a downstream vendor, does the refurbisher ensure that appropriate security, controls, and processing techniques continue to conform to Provision 8 through audits or other similarly effective means?
        Verification:

8(h)(2) If data destruction is handled by a downstream vendor, are media or devices containing media with data tracked and secured during transportation, storage, and processing?
        Verification:

8(h)(3) If data destruction is handled by a downstream vendor, does each downstream vendor adhere to the requirements of Provision 8?
        Verification:
The above information applies to the minimum requirements of R2:2013 Provision 8 for outsourcing data
destruction. Additional evaluation is recommended. Onsite audits are encouraged.
Year 1
Evaluator:
Attached Evidence:
Comments:
Status: ☐ Approved  ☐ Suspended
Date Completed:

Year 2
Evaluator:
Attached Evidence:
Comments:
Status: ☐ Approved  ☐ Suspended
Date Completed:

Year 3
Evaluator:
Attached Evidence:
Comments:
Status: ☐ Approved  ☐ Suspended
Date Completed: