Purpose

To establish, implement and maintain a procedure for security that controls access to all or parts of the facility in a manner and to a degree appropriate given the type of equipment handled, sensitivity of media containing data and the needs of the customers served.

Responsibility and Authority

The QEH&S Management Representative shall have the responsibility and authority to ensure conformance to the activities described in this procedure.

In the event of a facility concern or breach during or after hours, the Warehouse Manager shall be contacted.

Procedure

1. Site Security Measures

   1. The Data Protection Supervisor is responsible for the overall responsibility of all Data Security and data destruction activities including legal and customer compliance.

   2. All material will be tracked in the electronic inventory system. Material containing or possibly containing data will be documented in accordance with REC Table 2 Data Sanitization Status.

   3. Equipment with data storage capabilities not clearly identified as sanitized are assumed to contain customer data and will be protected to prevent unintended access or theft of data.

   4. All additional locked storage within the building will be physically limited in access to authorized individuals and will be clearly identified with signage warning against unauthorized access.

   5. SkyVine ITAD maintains in writing individual signed acknowledgements for all employees and access employees (7.2.8 Data Protection Acknowledgement) of the responsibility to prevent disclosure of data; and to report any theft of equipment or data, or data breaches; and to disclose any incidents that may change their security authorization.

   6. Personnel will alert the warehouse manager when unknown persons are seen in the warehouse.

   7. All personnel must have completed training and deemed competent and monitored to ensure effectiveness, and maintain signed 7.2.8 Data Protection Acknowledgement before being authorized to handle data or data containing material.

2. Visitors

   1. Will sign-in at arrival

   2. All visitors must be approved by the Warehouse Manager or delegate to enter the warehouse and must be escorted throughout the visit

   3. Must have closed toe shoes and hi-visibility vest to enter the warehouse

   4. Visitors are restricted from handling data containing devices unless approved by Warehouse Manager and Data Protection Representative.

   5. The facility shall maintain in writing individual signed acknowledgements (Data Protection Acknowledgement) of the responsibility to prevent disclosure of data; and to report any theft of equipment or data, or data breaches; and to disclose any incidents that may change their security authorization.

   6. Personnel will alert the warehouse manager or Data Protection Representative when unknown persons are seen in the warehouse.

3. Physical Security

   1. Limited personnel will be provided keys and alarm codes to access the secured facility.

   2. Physical Security will be layered to provide multiple deterrents. i.e., locks, cameras, fencing, and secured areas.

   3. The secured areas are clearly labeled against unauthorized access.

   4. Camera will be in place to record all data sanitization activities, when applicable.

   5. Doors directly entering the warehouse from outside will remain closed and locked at all times when not attended by an employee.

   6. Dock doors will remain closed and locked when not actively being used.

4. Tracking Throughput of Data Devices

   1. All sanitization devices will be labeled upon receipt via material tracking system and labeled per REC table 2.

   2. Inventory Tracking of Data Devices will be tracked throughout the facility (by location) and updated to appropriate REC table 2 status as sanitization occurs.

5. Customer Notifications

   1. When equipment containing data or media is received SkyVine ITAD shall provide the customer:

      1. Receipt of equipment or components containing data (BOL, COD, Inventory Report or other)

      2. The method of data sanitization to be used

      3. Whether data sanitization will be performed internally or by a downstream vendor

      4. Upon changes to any downstream data destruction vendors customers will be notified via electronic correspondence

6. Type of Data Devices Received

   1. SkyVine ITAD will accept the following data containing devices: hard drive containing devices, cell phones, tablets, video tapes, SD/Micro SD cards, and compact discs.

   2. All data devices accepted will be sanitized through approved vendors.

7. Types of Data to be Sanitized

   1. Sensitive data such as private, confidential, or government data are logically or physically sanitized in a manner that complies with R2V3 Appendix B.

   2. User data connections, network services links, and linked cloud services shall also be purged from devices.

   3. Data that is open sourced, operating systems, firmware, or freeware do not require sanitization

8. Legal, Supplier & Other Requirements

   1. SkyVine ITAD’s various suppliers have legal requirements in place regarding management of data. The specific legislation can be found on the Compliance Obligations Summary List. The Data and Facility Procedure is written to comply with all supplier requirements found on the listed regulations.

   2. All employees and contracted employees are required to sign confidentiality agreements prior to handling equipment containing data.

9. Methods of Sanitization

   1. All data is sent to SkyVine ITAD’s Morris, Illinois location for either logical or physical destruction depending on customer requirements, reuse hierarchy, and type of media.

10. Duration for Sanitization/Physical Destruction

    1. All data containing devices will be labeled upon receipt into the facility via material tracking system and labeled according to REC Table 2 classifications.

    2. Data containing material is sent downstream for processing within 180 days of receipt. The warehouse manager is responsible for reviewing inventory records and documenting any out of compliant products and coordinating immediate shipment.

11. Outsourced Data Vendors

    1. Downstream vendors outsourced to perform data destruction will have a signed contract in place and Vendors will be approved via Downstream Recycling Chain Procedure and listed on Approved Vendor List.

    2. Downstream vendors who perform data destruction services are audited periodically and must be found to have records for all data destruction activities, demonstrating the effectiveness of sanitization and verification activities.

    3. Vendors performing data sanitization must have a process in place to monitor workers, visitors, and others.

12. Training and Competency

    1. Prior to commencing work at the operating location, all personnel who handle data, sanitize data and are authorized employees must be trained on this procedure and completed the competency requirement before commencing on activities.

    2. All employees and contract workers will be evaluated to ensure competency of Data Security and Destruction requirements per assigned job functions and level of access.

    3. Employees will be evaluated for job competency only after formal training is completed.

13. Breaches

    1. Management will report through written documentation, following discovery and without unreasonable delay, to the customer any release of, or unauthorized access to the customer’s confidential material that poses a threat to the security or confidentiality of that information. The initial written report should be submitted within 5 days of discovery of breach and shall include the following:

       1. To the extent possible, a description of material that has been breached, a brief description of how the material was breached.

       2. A brief description on the investigation of the breach, to mitigate harm to those affected and corrective actions to protect against further breaches.

14. Penalties for non-compliance

    1. Penalties for non-compliance with this procedure include employee discipline possibly including termination as well as personal liability. Signed acknowledgements are kept on-site for all access employees.

15. Internal Security Audits

    1. Cameras and Facility Walk-Throughs will be monitored as needed to ensure compliance to this procedure.

    2. Monthly inspections of the system will be performed and Monitored via Monthly Facility Inspection Checklist.

    3. Internal Data security audits will be performed at minimum annually by a competent independent auditor to validate the process and effectiveness of security and sanitization requirements.

16. Recordkeeping

    1. All data destruction records are kept for a period of 3 years.

Related and Supporting Documents

6.1.4.2-F Compliance Obligations Summary List

8.1.1.3 Monthly Facility Inspection Checklist

7.2.8 Data Protection Acknowledgement

Document Revision History

Rev. Description of Change Date By

0 New 01-07-22 C.Vo

7.2.9 Data and Facility Procedure Rev.0

This document is uncontrolled when printed