Is Your Organization at Risk? What You MUST Know About Data Destruction Under the FBI’s CJIS Policy! Shred Your Drives!

Data Destruction Requirements under the FBI's Criminal Justice Information Services (CJIS) Security Policy

When it comes to handling sensitive information, particularly Criminal Justice Information (CJI), compliance is not just a matter of best practices—it’s a legal and operational necessity. The FBI’s Criminal Justice Information Services (CJIS) Security Policy is a comprehensive set of standards that aims to protect the confidentiality, integrity, and availability of CJI. One of the most crucial aspects of the CJIS Security Policy is data destruction, which ensures that CJI is disposed of securely and in accordance with the law. Let’s explore the key data destruction requirements outlined in the policy.

Understanding the Importance of Data Destruction

In today's digital world, data is continuously being created, stored, and shared across various systems and platforms. As IT hardware ages or is no longer needed, it’s essential to ensure that it doesn’t fall into the wrong hands. Improper data destruction can result in breaches, misuse, and violations of privacy rights, making compliance with CJIS vital for any organization that handles CJI.

The CJIS Security Policy helps mitigate the risk of data exposure by outlining clear and strict guidelines for securely destroying information. This is particularly important given the sensitive nature of the law enforcement data, which could include personal information, criminal history records, and data if compromised, could have severe consequences.

Key Data Destruction Guidelines under CJIS

1. Final Disposition of Media

The CJIS Security Policy mandates that when a device or storage medium is no longer in use, it must be securely destroyed to prevent unauthorized access to any stored CJI. Whether the media is magnetic, optical, or solid-state, the policy requires that all hardware be thoroughly shredded before the equipment is disposed of.

This means organizations must use approved methods to sanitize the storage media. Simply deleting files is not enough. CJIS requires the use of specialized equipment to physically destroy the media to ensure that it cannot be recovered or reconstructed.

2. Approved Methods of Data Destruction

CJIS details what is required in sections 5.8.3 and 5.8.4. These include:

• Overwriting: This process involves writing new data over the old data multiple times to ensure it’s irretrievable. However not all forms of digital media can be overwritten like solid state drives and and other forms of flash media. 

• Degaussing: For magnetic media, degaussing (demagnetizing) can be used to disrupt the magnetic fields on the storage device, effectively erasing the data. But degaussing alone is not effective for other types of digital media such as solid state drives, usb drives, CD/DVDs, and new upcoming HAMR drives. 

• Physical Destruction: In many cases physical destruction the best option. This may involve shredding hard drives, crushing disks, or using industrial equipment to destroy devices beyond recovery. This eliminates the opportunity for human errors and is the quickest option for larger jobs. Hundreds of drives can be shredding in the same amount of time it would take to overwrite a 10TB Hard Disk Drive. It should be noted that CJIs does NOT specify a particle size required.

3. Documentation of Data Destruction

The CJIS Security Policy emphasizes that all data destruction activities must be thoroughly documented. This documentation should include:

• The method used for destruction (e.g., overwriting, degaussing, or physical destruction).

• The date and time of destruction.

• The names of the individuals responsible for carrying out the destruction.

• A unique identifier for the data or device being destroyed.

This documentation serves as an audit trail, which can be invaluable in demonstrating compliance with CJIS requirements during audits or inspections. It also helps organizations ensure they’re not inadvertently leaving gaps in their data destruction processes.

4. Destruction of Backup Media

Organizations are required to apply the same rigorous standards for the destruction of backup media. Backups often contain copies of CJI that may be spread across different systems or devices. The CJIS Security Policy mandates that these backup copies be handled and destroyed with the same care as the original data. The backup media must be physically destroyed to ensure that no data remains retrievable.

5. Third-Party Contractors and Data Destruction

If an organization uses a third-party vendor for data destruction, the CJIS Security Policy requires that a contract or agreement be in place to ensure compliance with the required data destruction standards. Organizations should confirm that their vendors follow proper destruction methods and maintain proper documentation. Furthermore, third-party vendors must agree to maintain the confidentiality of the data they handle. Make sure you IT Asset Disposition partner is providing you detailed Certificates of Destruction which help prove you sanitized your hardware appropriately. 

Why Compliance is Critical

Failing to comply with CJIS's data destruction requirements can result in serious consequences. Not only could organizations face penalties or legal action, but the compromised data could put individuals' privacy and security at risk. For law enforcement agencies and other entities handling sensitive criminal justice data, maintaining a high standard of data protection is essential for preserving trust and safeguarding public safety.

By adhering to CJIS's data destruction policies, organizations can significantly reduce the risk of data breaches and ensure that sensitive criminal justice information is disposed of securely, in line with national standards.

Best Practices for Ensuring Compliance with the CJIS Security Policy.

While the CJIS Security Policy offers clear guidelines for data destruction, successful implementation requires more than shoving computer parts into a shredder. Organizations should also:

1. Develop a Media Sanitization Policy: Create and enforce a clear Media Sanitization policy that outlines the procedures for sanitizing and disposing of data across all departments. This includes the secure storage of old CJIs hardware pending sanitization. Too many law enforcement organization's cyber security teams and leadership are completely disconnected from media sanitization and disposition decisions. Law enforcement agencies typically catagorize themselves as High security in accordance with NIST 800-88's and CJIS' guidelines.

2. Train Employees: Ensure staff members understand the importance of proper data destruction and are trained in the correct procedures for sanitizing data. Ensure they understand the differences between types of media and the different options for media sanitzation. Ensure they understand the types of media in CJIS IT systems and how to ensure all data is destroyed.

3. Use Reputable Vendors: The IT Asset Disposition industry has many different organizations often with different revenue structures. Some are primarily compensated by refurbishing old IT hardware and reselling it online. Others focus on security and offer more technical services. Under the FBI's CJIS Security Policy you cannot resell old IT hardware which held that data. Before you select an outside vendors ask questions. Use this guide and evaluate if their sanitization techniques are appropriate for CJI data.

4. Conduct Regular Audits: Regularly audit data destruction practices to ensure compliance with CJIS Security Policies and verify that no sensitive information is at risk of being compromised. Organizational leadership should periodically audit the existing processes or outside vendors to ensure they are still compliant.

Conclusion

Data destruction is a crucial part of maintaining the security and integrity of criminal justice information. The FBI’s CJIS Security Policy provides clear and comprehensive guidelines to help organizations ensure that sensitive data is securely destroyed once it is no longer needed. By following these standards, organizations demonstrate their commitment to protecting personal and criminal justice data, reducing the risk of data breaches, and ensuring that their operations remain in compliance with federal requirements. Proper data destruction is not just a policy—it’s a key component of responsible data management in the digital age. If you need assistance with destroying your data in accordance with CJIS policies please reach out. We would love for the opportunity to compete for your business. 

Written by Christopher McDevitt with assistance from AI.