Everyone has a responsibility to ensure that sensitive information and assets, whatever their form, are appropriately protected from the moment they are created until their verified destruction. Physical security measures form part of a holistic approach to protection that must also include personnel security and, where the assets are IT or held electronically, cyber security.
When considering protective security of sensitive items, it is important to remember that this encompasses protection for information during transit and when it is held remotely, as well as when it is in a central facility. There is a close relationship with personnel security here to ensure that processes and procedures are in place, and that people have understood the requirements on them.
Once there is no longer a need for the information or asset, it must be destroyed in accordance with requirements related to the sensitivity of the information / asset.
Threats to sensitive items can range from forcible attack to more sophisticated surreptitious methods and can occur at any stage of the information lifecycle. Threats may include:
- Accidental loss
- Emergency abandonment of an individual, vehicle or building
- Espionage, either commercial or state sponsored
- Hijack or vehicle theft, either from site or during vehicle transportation
- Inside attack, e.g. disgruntled employees or investigative journalists
- Theft from site, vehicle, storage or destruction facility
When engaging providers of secure transportation and secure destruction services, look for those whose processes and operations have been subject to independent review and accreditation. Self-certification or assurance that operations are in line with published standards does not provide an acceptable or verifiable level of assurance.
The National Cyber Security Centre (NCSC) provides guidance on building security into devices and IT systems, as well as a range of guidance relating to overwriting / sanitisation services and tools.