[Note: “Text in italics and quotes” below are quoted directly from the R2v3 second draft standard. If it is in “quotes, italics, and underlined”, it is from the R2 Technical Advisory Committee]
In Part 1 of this series, we discussed the second draft of the R2v3 standard – specifically, the introduction. This covered applicability and scope as well as Sanctioned Interpretations and highlighted some areas we want to pay attention to. Part 2 reviewed the Definitions section – some changes, additions, deletions, and the Focus Materials Table.
In Part 3, we started digging into the standard’s Core Requirements (CRs) – the auditable portion of the R2v3 standard. Specifically, the Scope and Hierarchy of Responsible Management Strategies.
In Part 4 of the series, we covered two short, but very important, Core Requirements – CR 3, EH&S Management System, and CR 4, Legal and Other Requirements.
In Part 5, which addressed Throughput Tracking, we discussed what inbound and outbound summary reports should include, and how to address negative value.
In Part 6 we discussed sorting, categorization, and processing, including a helpful flowchart on how to process, including references to applicable Appendices.
In Part 7, we covered Data Security. Data Security ensures that the electronics we are handling are protected from data breaches, through the use of secured areas, data sanitization, and compliance with legal and regulatory requirements for this Core Requirement.
In Part 8, we reviewed Focus Materials (FMs), and the changed requirements from the R2:2013 standard (as well as some concerns we still have with it).
In Part 9, we reviewed Core Requirement 9 – Facility Requirements, which now encompasses Storage, Facility Security, Insurance, Closure Plan, and Financial Responsibility.
In Part 10, we discussed Core Requirement 10 – Transport (R2:2013 Provision 12), which had only minimal updates.
In Part 11, we covered Appendix A – Downstream Recycling Chain. The R2:2013 standard had due diligence requirements covered in a variety of locations – Provisions 3, 5, 6, 8, & 11 – while the new version consolidates all of these requirements into one Appendix.
Now in Part 12, we’ll cover Appendix B, or App B as we’ll call it: the requirements to provide physical or logical data sanitization. Logical data sanitization is typically data wiping, while physical data sanitization is physical destruction.
Let’s review App B in detail. App B replaces R2:2013 Provision 8 and now links back to Core Requirement 7 (Data Security) as it applies to all R2 certified facilities.
App B.1 expands the Data Sanitization Plan in CR 7 to include the following:
“(a) Methods to distinguish sanitized devices from devices containing data, and
(b) Documented quality controls to assess and verify the effectiveness of the data sanitization processes on an ongoing basis, and confirm that:
(1) All devices have been properly processed, where the output is consistent with the planned sanitization method and data has been successfully sanitized from the data storage device, or
(2) Corrective actions are taken to manage any processed devices where sanitization cannot be confirmed and address any other issues in the sanitization process, and
(c) Monitoring activities to ensure continued effectiveness of the execution of this plan, and
(d) Competency requirements to perform sanitization and verification.”
So, our Data Sanitization Plan now has to address our methods, our QC, monitoring, and employee competence (B.3) to perform sanitization and verification.
B.2 requires records to be maintained with the unique identifier of each data storage device or “tracking through other means” from point of control through the sanitization. The R2 Technical Advisory Committee does allow that “Under Appendix B (2), tracking of data devices and records of sanitization are required to demonstrate successful sanitization, however, unique device identifiers need not be used if other means of tracking is used, from the point of control by the R2 Facility throughout the entire sanitization process.” This allows tracking by lots for bulk materials (SIM cards, SD cards, thumb drives) that may be received sorted, I believe… which would be a huge help!
B.3 requires workers to be “trained and evaluated, including any necessary updates as processes, data storage devices, and sanitization methods change, to be competent to perform the specific methods for data sanitization and processes to which they have been authorized.”
B.4 addresses the removal or destruction of markings associating that device with a previous owner. I’ve seen cell phones come in with the old owner’s name etched in the case, for example – the case has to be removed or the markings made unreadable.
B.5 requires effective security controls and includes:
“(a) Physical Security controls including locked and alarmed access points during both working and after hours, and
(b) Enclosed work and storage spaces that are secured, and
(c) Closed circuit camera systems with at least 60 days of recordings covering all areas of the facility where equipment or components containing data are received, stored, or passed through, and
(d) Active monitoring of security cameras, access points, and other security controls for secured areas, and
(e) Regular tests of the effectiveness of these security controls, and
(f) Inventory tracking to identify the physical location of any recorded data storage device at any time while in the R2 Facility’s control.”
This really steps up the security requirements for a facility – and the costs associated with meeting this requirement. Not only are you investing in your employees through training as required in B.3, you are investing in infrastructure in B.5, including cameras with 60 days of storage capability, secured areas, alarmed access points, and active monitoring of cameras, access points, etc., as well as regular testing of these controls. And let’s not forget to define ‘active monitoring’ – is that a spot check? Is that someone watching the cameras full time? While it is left intentionally broad in order to provide flexibility, real-time monitoring and analysis IS required.
B.6 says that if you choose to outsource this work, CR 7 and App B still apply. No way to get out of this requirement by foisting it off on someone else…
B.7 defines Physical Sanitization (Destruction) and provides a table for Physical Destruction Methods. A facility can also follow the National Security Agency Storage Device Sanitization Manual or any other physical destruction method that has been verified by a competent expert as effective. The NIST Guidelines (800-88 Rev.1) for destruction of data storage media are called out in CR 7, so they are not duplicated here (but are still applicable).
The R2 Technical Advisory Committee provided the following commentary on ‘independent auditor’:
“A competent auditor is considered to be an individual with sound knowledge of the subject matter being audited, and the training, skills, and experience necessary to conduct an effective audit. The individual may or may not be an internal worker, but must be independent of the process or activities being audited.”
Please refer to Table 1 in the R2v3 standard (Physical Destruction Methods) for all of the approved methods and criteria for various media devices. The table covers Magnetic Tape, Magnetic Hard Disk Drive, Diskettes, Optical Disks, Solid State Storage, Hard Copy Storage, and Other. While criteria are supplied, the verification criteria (100% verification of records, etc.) have been removed from the second draft in order to allow for greater flexibility and applicability of each process.
B.8 requires that if more stringent destruction methods are called out by customer, legal, or sensitivity of information requirements, that these be followed.
B.9 states that video recordings of physical destruction of all media must be maintained for at least 60 days.
B.10 through B.14 cover Logical Sanitization (Erasure). It’s pretty straightforward – B.10 requires records of Data Sanitization be kept for each unique identifier; B.11 discusses requirements for Data Sanitization software; B.12 requires removal of all logins, passwords, locks or other connections; B.13 calls out the requirement for a minimum of 5% sample to be tested by an independent party to demonstrate non-recoverability (reducing to 1% if no issues found); and B.14 says that if logical sanitization does not work, then physical sanitization (destruction) must be done. The reduction in B.13 is a change from the first draft, which did not provide a method to reduce to 1%, and would have made this cost-prohibitive for some organizations.
B.15 through B.17 cover Quality Control. They require that controls show that the plan was followed; that the process quantities match the received quantities; and that suppliers are notified of discrepancies. Records of release must be retained, and if QC issues are detected, corrective actions are implemented. This also links back to CR 7.a.3.B (duties of the Data Protection Representative), which may encompass oversight of these duties.
While this section is fairly straightforward, there are several areas where it could become problematic, depending on how you receive and process materials. Let’s assume that you are doing a good thing for the community – you decide to have an electronics recycling day, where the community at large can bring in electronics to be safely processed. Folks drive up to your loading dock or parking lot and give you boxes that have everything from wires and cables to old laptops and handsets. Some home-based businesses are bringing you fax machines, printers, and old-style cell phones and Blackberrys. What does B.5 tell us? That all of this material has to be locked, alarmed, etc. and processed by competent personnel. Do we sort the materials in our parking lot to do that? Do we put everything under lock and key until we can do the sort? The standard is open to interpretation, so your registrar may have a different opinion than you do of what this ‘control’ should look like…
But wait – we’re not done yet!
Next up: Appendix C – Test and Repair