This article will explore the four main areas in which risk is managed.
2. Liability and Indemnification
3. Service Contracts
4. Service Provider Selection
The first two factors will be discussed in Part One, with Service Contracts and Service Provider Selection
treated in Part Two.
Limiting Risks Associated with Employees
An organization’s employees represent two types of risk:
• Intentionally circumventing the destruction process in order to take possession of information or
media prior to destruction
• Compromising security and/or regulatory compliance by accidentally acting contrary to policies,
procedures and training (assuming the organization has such measures in place).
And though each requires a different approach to risk minimization, both share the goal of 1) reducing the
likelihood of a data protection breach and 2) reducing the consequences in the event a breach happens.
Information or media could be intentionally diverted from the disposal process in any number of ways,
including simple theft of IT assets for their intrinsic value, trading PII (in hard copy or electronic form) to
identity thieves for money or drugs, or obtaining competitive information at the behest of a competitor.
A TWO WAY STREET
When it comes to secure destruction services, risk management goes in both
(Editor’s note: What follows is an edited version of a more expansive treatment of risk management in the forthcoming
Information Disposition textbook.)
By Bob Johnson