i-SIGMA (International Secure Information Governance & Management Association™) is a trade association that represents more than 950 service providers from the data destruction & information management industries operating across 5 continents. i-SIGMA is responsible for the NAID AAA Certification program (National Association for Information Destruction). It verifies the services offered by data destruction service providers by conducting surprise and scheduled audits performed by accredited security professionals. NAID AAA Certified service providers are highly sought-after companies, as they follow industry best practices for data destruction and help their customers meet compliance with global data protection laws like PCI-DSS, EU-GDPR, HIPAA, FACTA, etc.
Furthermore, NAID AAA Certification is also a prerequisite for obtaining the electronics recycling and refurbishing industry certification program ‘e-Stewards’. To learn about e-Stewards, you may refer to the article: What is e-Stewards Standard?
How to Become a NAID AAA Certified Company?
To become NAID AAA Certified, service providers must meet the stringent requirements stated in the i-SIGMA Certification reference manual. Service providers applying for the NAID AAA Certification must also be a member of i-SIGMA. The certification manual is an exhaustive document and is referenced for completing the NAID AAA Certification or PRISM Privacy+ Certification® Application.
There are three steps involved in becoming a NAID AAA Certified service provider:
- Comply and meet the specifications as listed in the i-SIGMA Certification Specifications Reference Manual.
- Submit the completed i-SIGMA Certification application.
- Complete the initial scheduled audit successfully by verifying all compliance aspects.
Once the service provider has received the certification, it must successfully complete scheduled and surprise audits and the certification must be renewed annually.
What are the Key Aspects of NAID AAA Certification?
The i-SIGMA reference manual is a comprehensive document spanning seven detailed sections, each outlining the necessary criteria for obtaining NAID AAA Certification. Every requirement within the manual is accompanied by an Audit Methodology section, which defines the specific protocols auditors must follow to verify compliance with the NAID AAA standards.
Section 1: This section outlines the requirements that must be met while hiring individuals who will have access to sensitive data. These broadly include:
- Employee Verification: Verify employee proof of citizenship, criminal record, 7-year employment history, background check, and continuous substance abuse screening.
- Sign a Confidentiality Agreement: The organization applying for NAID AAA Certification must sign a confidentiality agreement with its employees.
- Breach Notification: The applicant organization must have written procedures for informing the Data Controller about a data breach. It further requires organizations to conduct breach notification training for individuals, have an incident response plan in place, and outline the procedures to follow during unannounced audits.
- Other Important Aspects: Many other aspects, like annual training of individuals, identification badges, and policies for handling confidential data and subcontractors, are defined in this section. The section also covers the requirements for vehicle security used for transporting media devices. It further requires the applicant company to designate a Data Protection Officer (DPO) and an i-SIGMA Certification Compliance Officer (ICCO).
Section 2: This section defines the controls that the applicant organizations must implement. These include physical, logical, and administrative controls for preventing unauthorized access to sensitive media. It further requires maintaining a visitor’s log, having a secured area for collecting and processing media, having fire and intrusion detection systems and closed circuit camera systems, maintaining operational security logs, and outlines the requirements for media collection-only facilities.
Section 3: It is only applicable for PRISM Privacy+ Certification Operations and not for NAID AAA Certification.
Section 4: This section covers the additional requirements applicable to NAID AAA Certification for media destruction, including physical destruction and overwriting techniques as endorsed by NAID.
- Sub-sections 4.1 to 4.5 cover the physical destruction endorsements for paper/printed media, micro media, hard drive, solid-state drive, and non-paper (Optical/Magnetic Tape).
- Sub-section 4.6 covers the hard drive (HDD) and solid-state drive (SSD) overwriting endorsement that requires the applicant to have a written and verifiable process for overwriting HDDs and SSDs using software like BitRaser. The requirements state that the overwriting process followed by the applicant should mention:
  - The process for accepting, identifying, and recording the serial numbers or unique identifiers of devices received.
  - The software used for wiping HDD or SSD.
  - The software used for verification of the erasure process.
  - The quality control methods used to ensure that the sensitive information has been erased.
  - Recordkeeping audit trail of the device throughout the erasure process.
  - Issuing a Certificate of Destruction with a unique identifier or serial number of the device.
  - Documentation to show if any device has failed the overwriting process.
- Sub-section 4.6(qc) covers the quality control requirements for the applicant’s facility-based and on-site overwriting processes.
- Sub-sections 4.7 to 4.12 cover the requirements for degaussing magnetic media, its quality control, the use of a National Security Agency (NSA) approved degausser, the training of technicians performing degaussing, evaluation of media before degaussing is performed, third-party testing to check the efficacy of the degaussing process, and the maintenance of the degausser.
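The Sub-section 4.6 record-keeping items above (device serial intake, wipe and verification software, an audit trail, a Certificate of Destruction tied to the serial, and documentation of failed devices) can be implemented as a tamper-evident log. The following is an added illustration, not code from i-SIGMA or any vendor; the hash chain, the HMAC-tagged certificate, the key and the serial numbers are all constructed for the example.

```python
import hashlib, hmac, json
from datetime import datetime, timezone
CERT_KEY = b"constructed-demo-key"  # constructed; keep a real signing key in an HSM or secrets manager
GENESIS = "0" * 64
def _digest(entry):  # SHA-256 over a canonical JSON encoding of one record
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
def _tag(body):  # keyed MAC that makes a certificate tamper-evident
    return hmac.new(CERT_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
class ErasureAuditTrail:
    # Hash-chained log: every record commits to the previous hash, so editing or removing one breaks verify_chain()
    def __init__(self):
        self.records = []
    def log(self, serial, step, **details):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        entry = {"serial": serial, "step": step, "prev": prev,
                 "ts": datetime.now(timezone.utc).isoformat(), **details}
        entry["hash"] = _digest(entry)  # digest is taken before the hash key is added
        self.records.append(entry)
    def verify_chain(self):
        prev = GENESIS
        for e in self.records:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
    def outcome(self, serial):  # "passed" only if overwrite and independent verification both passed
        steps = {e["step"]: e.get("result") for e in self.records if e["serial"] == serial}
        if steps.get("overwrite") == "pass" and steps.get("verify") == "pass":
            return "passed"
        return "failed" if "fail" in steps.values() else "incomplete"
def issue_certificate(trail, serial, wipe_tool, verify_tool):
    # Certificate of Destruction names the device serial; refused unless the trail shows a pass
    if trail.outcome(serial) != "passed":
        return None
    body = {"serial": serial, "wipe_software": wipe_tool, "verify_software": verify_tool,
            "issued": datetime.now(timezone.utc).isoformat()}
    return {**body, "tag": _tag(body)}
def certificate_is_authentic(cert):
    body = {k: v for k, v in cert.items() if k != "tag"}
    return hmac.compare_digest(_tag(body), cert["tag"])
def demo():  # constructed sample: one device passes, one fails the overwrite
    t = ErasureAuditTrail()
    t.log("SN-CONSTRUCTED-001", "intake", operator="tech-1")
    t.log("SN-CONSTRUCTED-001", "overwrite", tool="wipe-tool-x", result="pass")
    t.log("SN-CONSTRUCTED-001", "verify", tool="verify-tool-y", result="pass")
    t.log("SN-CONSTRUCTED-002", "overwrite", tool="wipe-tool-x", result="fail")
    return t, issue_certificate(t, "SN-CONSTRUCTED-001", "wipe-tool-x", "verify-tool-y")
```

An auditor can re-run verify_chain() over the exported records and recompute each certificate tag to confirm that neither the trail nor a certificate was altered after issue.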
Section 4 further covers the time frame for data destruction, electronic erasure tracking, and segregation of media post-erasure. It also specifies the requirements for the responsible disposal of destroyed media, recycling permit compliance, endorsement of product destruction, transfer processing facility operations, responsible disposal requirements, and on-premises (mobile) destruction requirements. Subsection 4.24(N) specifies that the applicant must have a general liability coverage of $2,000,000.
Sections 5 and 6 cover the requirements for Australian Protective Security Policy Framework (PSPF) endorsement for paper and printed media and Information and Communication Technologies (ICT) media that has been marked as official and classified.
Section 7: This section is not applicable to NAID AAA Certification. It is applicable for PRISM Privacy+ Certification Operations.
The above sections cover the key aspects of the i-SIGMA certification reference manual for getting NAID AAA Certification. Meeting the above requirements is necessary for data destruction service providers to get the NAID AAA Certification and offer secure data destruction services to their clients.
How Does BitRaser Help Meet NAID AAA Electronic Media Overwriting Requirements?
The NAID AAA Certification electronic media overwriting endorsement requires the applicant company to use software for performing data wiping and recording the data destruction process. The company is obligated to have a certificate of destruction that validates that the data has been wiped beyond recovery. BitRaser is professional software used by ITADs, enterprises, and MSPs globally to wipe data from HDD, SSD, SSHD, SED, etc., leaving no data traces behind. This software helps meet the overwriting requirements (Data Wiping) set by NAID AAA Certification. Moreover, the software generates tamper-proof Certificates of Data Destruction that act as audit trails and help meet Section 4.6 requirements to ensure compliance with global data protection laws like EU-GDPR, PCI-DSS, CCPA, SOX, GLBA, etc.