Equipment Selection Guide for Paper Shredders

GCPSG-001 (2020)

Prepared by:
Royal Canadian Mounted Police
Lead Security Agency for Physical Security
Departmental Security Branch
NHQ 73 Leikin Drive Ottawa Ontario, K1A 0R2
Publication issued: August 1, 2020

Table of contents

Foreward

The Equipment Selection Guideline for Paper Shredders is an unclassified publication, issued under the authority of the Royal Canadian Mounted Police Lead Security Agency for Physical Security (RCMP LSA).

This is a Government of Canada publication to serve as a guide for the selection of paper shredder equipment for departments, agencies and employees of the Government of Canada.

Suggestions for amendments and other information can be sent to the RCMP Lead Security Agency RCMP.LSA-GRC.POSM@rcmp-grc.gc.ca.

Effective date

The effective date of this publication is June 1, 2020.

Record of amendments

Amendment No. Date Entered by Summary of amendment
n/a n/a n/a n/a

Introduction

The RCMP, as the Lead Security Agency (LSA) for physical security for the Government of Canada (GC) is responsible for providing advice and guidance on all matters relating to physical security. This includes the selection and use of shredders and disintegrators for the secure destruction of information on paper. The RCMP – in coordination with the GC security community – has developed and issued this guide, in coordination with the new shredder particle size standard detailed in Appendix A.

Purpose

The purpose of this manual is to provide GC employees with information on the appropriate selection and procurement of paper based shredding equipment and companies. It also provides some background information on threats, secure destruction requirements and handling of paper based material as well as information on GC shred sizes and international equivalencies.

Applicability

This manual applies to all GC employees who operate, procure, maintain or are responsible for paper based shredding or shredding equipment for their department or agency.

The document is intended to be updated regularly to capture new guidance or update existing information as the program evolves.

Contact information

For more information, please contact:

Royal Canadian Mounted Police
Lead Security Agency for Physical Security
73 Leikin Drive, Mailstop #165
Ottawa, ON
K1A 0R2
Email: RCMP.LSA-GRC.POSM@rcmp-grc.gc.ca

Definitions

Bulk Destruction:
not strictly defined, but should be interpreted as a significant amount of material destroyed in a single session – generally as part of a scheduled collection and destruction program.
Commercial-off-the-shelf (COTS):
equipment that is not specifically manufactured to user specifications.
Chaff:
term for the particles resulting from shredding paper using a shredder or disintegrator.
Dilute:
adding additional non-sensitive material with the same characteristics as that being shredded to increase the volume of chaff making it more difficult to reconstruct.
Deutsches Institut für Normung (DIN):
German test standard organization, governed by the Technical Committee of the European standards organization (CEN) and the international standards organization (ISO). The current DIN standard (2012) for shredders is DIN 66399.
Secure destruction:
for a given security level, the destruction of media (eg: paper) to a size such that the chaff may be considered unclassified waste.
High volume:
a large amount destroyed in a single session, usually by commercial means. A smaller amount of material picked up as part of a collection program is included in this context.
Mobile shredding operations:
destruction completed via destruction equipment in a mobile vehicle, usually at the customer’s site.
Plant-based shredding operations:
destruction by stationary equipment in a secured building.
Ream:
1 ream = 500 sheets of 20 lb bond paper (standard copy paper in Canada).
Throughput rate:
the number of sheets that a machine can efficiently shred when fed at its optimum feed rate usually converted to reams per hour. For comparison purposes: 24 sheets (8.5” x 11.5”) per minute is equal to about 3 reams per hour.
TRA:
Threat and Risk Assessment
Shredding:
is used in this guide to mean the reduction of paper media to particles (chaff) by use of a shredder or disintegrator.

General destruction information overview

Threat to information on paper

Physical security measures deal with the handling and storage of paper based information however the security of destroyed material or material awaiting destruction is often overlooked. Unauthorized access by interception/diversion of material prior to final destruction is the primary threat for material waiting to be shredded. Attacks may or may not directly threaten Integrity or Availability of information but the loss of Confidentiality of the information is directly threatened.

Equipment security levels

Selecting the appropriate destruction equipment and processes make the reconstruction process impracticable (though not impossible). The recommended particles sizes at Appendix A apply to the destruction of information in Canada under normal security conditions and take into account the potential injury to the national or non-national interest, the likely adversary, their capabilities and resources. Destruction of information outside Canada or under heightened threat conditions will require additional measures. A Threat Risk Assessment (TRA) should be performed to determine the risks and recommend additional mitigation measures.

Reduced size text (other than micrographic media)

The recommended particle sizes in Appendix A were determined for documents where the font size is 12 point or larger. If it is necessary to destroy documents printed in smaller font sizes, selecting equipment with a smaller cut size or diluting the chaff by shredding each sheet along with at least 3-5 sheets of similar paper with non-sensitive text in the same font style and size should be considered.

Micrographic media

Office paper shredders are not appropriate for the destruction of micrographic media. Shredders/ disintegrators for micrographic media must be specifically designed to shred that media to a very small particle size. Contact the RCMP LSA for advice on micrographic media destruction.

Graphical information

The particle sizes in Appendix A do not apply to sensitive/classified graphical information (eg: technical drawings). The amount of information on a particle of a given size is dependent on the scale of the printed drawing/diagram and departments must select a suitable particle size as required. If in doubt, use a more secure destruction method and consider additional measures such as dilution or incineration or contact the RCMP LSA for assistance.

Valuable assets

The particle sizes in Appendix A do not apply to valuable (paper-based) assets such as bonds or negotiables. In general, re-assembly of the asset (ie: taping pieces together) is the concern and unauthorized access (by reconstruction of the "information" on such assets) is not a concern. However, departments must determine the appropriate size on a case by case basis based on their specific requirements. The RCMP LSA can assist as required.

IT media

The Communication Security Establishment (CSE) is the Lead Security Agency for determining sanitization methods (such as over-writing) and secure destruction (particle sizes) for IT media. Departments must seek information on particle size, equipment suitability and approvals from CSE. It is outside the scope of this guide to provide guidance for the selection of such equipment. Contact CSE or the RCMP LSA for further guidance.

Other media

Some shredder manufacturers claim their paper shredders can also destroy other media such as magnetic stripe cards, audio cassettes or CDs/DVDs. The RCMP does not recommend using paper shredders for other media as this contaminates the chaff and makes it worthless for recycling. In addition, the particles size requirements for paper and IT media generally differ.

Secure destruction

Secure destruction means shredding of the media (paper) to a size that makes reconstitution of the information by reassembly of the particles impractical. That is, the size and amount of the chaff are such that - given the value of the information to the attacker (asset value - based primarily on confidentiality), the adversary will not have or be willing to expend the resources necessary to reassemble enough fragments to obtain a useable amount of information.

This does not mean that reconstitution is impossible – only impractical. The RCMP has worked with security experts and the security community to determine what particle sizes can be considered secure in normal operations. These particle sizes are presented in Appendix A.

It must be stressed that insufficient quantity of shredded material or insecure practices during the destruction process from the time the decision is made to destroy the information until secure destruction is complete presents a greater risk of compromise than improper shred size. For example, the shred size for office documents is based on the assumption that a shredded sheet is added to – and to some degree mixed with – the chaff from other documents. Care must be taken to ensure that the chaff from one or two sheets is not the only material in an unsecured bin.

Note: that this can be an issue with small volume (personal) shredders where the bin may only hold chaff from a dozen or so documents. For this reason, personal shredders are not recommended.

General principles for handling sensitive waste

Protected or classified information remains classified or protected until securely destroyed and appropriate measures must be taken to ensure the security of the information during collection, storage (including temporary storage), transport or transmittal and handling during destruction.

Protected or classified information should be securely destroyed as close as possible to the point of origin.

Shredded waste handling (chaff)

The by-product of the shredding process is known as chaff. If the process of completing the shredding is adhered to in accordance with this guide, the resulting chaff can be considered unclassified waste. This waste then can be disposed of as recycling or by other waste management means.

It must be stressed that for chaff to be considered unclassified waste, all security measures outlined in this guide should be followed. This includes: the selection of the correct equipment (shred size), and all handling, storage and supervision procedures. Not following the recommendations in this guide may lead to the chaff not being destroyed to a level sufficient to result in unclassified waste and the resulting chaff may require additional security. Departments may have additional security requirements for chaff (even if the recommendations in this guide are followed). This would be detailed in their departmental threat risk assessments.

Supervision

All stages of the destruction process from pick-up to transport to final destruction need to be under the continuous supervision of an appropriately security screened contractor or departmental employee.

The safeguarding of sensitive information is a departmental responsibility and "Certificates of Destruction" from commercial destruction service providers do not replace departmental oversight and assurance that the material was completely – and securely – destroyed. Such certificates are of value from an accounting perspective only.

A Security Requirement Checklist (SRCL) prepared by the client department should accompany every destruction contract requisition and an appendix should address the department's specific requirements for equipment capabilities, the physical facility and the personnel and procedures.

Storage pending destruction

Classified information awaiting destruction should not be temporarily stored with unclassified information.

Sensitive (especially classified) information should never be stored, even temporarily, at commercial destruction facilities. This can be an issue as some companies provide both document storage and secure destruction services – often in the same facility. A Document Safeguarding Capability Certificate (issued by Contract Security Program - CSP) does not necessarily approve the temporary storage of material awaiting destruction as the access and storage procedures – and resultant security concerns - differ. Documents in long-term storage are normally anonymized and stored in locations that have CSP-approved monitoring, access-control and intrusion-detection systems. Documents awaiting immediate destruction are generally in a pile on the floor in a warehouse that may not have adequate monitoring, access-control or intrusion-detection. Verification of the security for documents awaiting destruction remains with the department until the destruction process in complete.

Collection containers (bins)

Commercial collection containers are not very secure and must be located in a place where unauthorized actions would be observed. If these containers are used to collect highly sensitive or classified material (not recommended by the RCMP), they must be secured as per the classification of the most sensitive material being collected at night and during silent hours. It is far more secure to shred the material immediately, then collect the shredded material for further destruction.

Particular cases may justify their use, but the department must make this choice in recognition of the risks, as these boxes present an easy target for the information they hold. Some containers have "fish-resistant" drop slots and are preferable to open-slot collection boxes, but can still be compromised by knowledgeable attackers. In addition, the locks on most commercial collection boxes are generally not very secure. At the very least, consideration should be given to specifying high security cam locks.

Transport security

Vehicles carrying intact documents with highly sensitive information should employ security measures such as serial numbered seals, locks, registries, route logs and drivers who do not have access to the information during transit (refer to the Best Practice Guide: High Security Carrier Service in the Transport and Transmittal section of the SEG).

Labels

Labels should be affixed to destruction equipment to identify the maximum security rating for the equipment. These labels should be ordered from a commercial supplier or re-created locally by departments.

GC and international paper particle size standards

Particle destruction size standards have been established for both office and commercial destruction taking into account: The Security Classification of the material, the adversary's interest, motivation and capabilities, typical volume of material involved and the resultant degree of difficulty for reconstruction.

Application of shred sizes at Appendix A

The GC particle sizes detailed in Appendix A and equipment selection and use recommendations in this guide apply to the secure destruction of textual information within Canada under normal threat conditions where the sensitive information is text and the text font size is 12 point or larger.

Destruction of information outside of Canada or within Canada under heightened threat conditions may require additional measures such as shredding to smaller particle sizes or diluting sensitive with less sensitive shredded material. A TRA should be conducted to determine what additional measures would be appropriate.

International shred standards and sizes

There are destruction standards/specifications issued by agencies of allied countries of interest to Canada. These include: CPNI (UK), DIPCOG (UK), ASIO (Australia), DIN (EU) and NSA (USA). The commercial paper shredding industry has formed an association (NAID) which issues its own standards for member companies to follow. This guide will not go into specific details of CPNI, DIPCOG or ASIO standards as they differ slightly from the GC rating system and the equipment is often not available in Canada.

Deutsches Institut für Normung – (DIN) approved shredders

Many office shredders manufactured in Europe are tested to European (DIN) standards. The DIN marking is evidence that the product was subjected to independent testing and includes ratings for throughput and sheet capacity. These tests are based on slightly lighter-weight paper of a different size than is used in Canada therefore, capacity and throughput levels should not be used to compare against similar equipment manufactured and tested in Canada, the US or Asia.

DIN standards are governed by the Technical Committee of the European standards organization (CEN) and the international standards organization (ISO). The GC does not participate in the development or enforcement of this DIN standard however does permit the selection of shredders based on equivalencies shown in Appendix A. DIN 66399 covers six media categories including paper (indicated by "P") and the security level. (eg. P-3 Paper destruction level 3)

NSA specification 02-01

The NSA requires high security shredders to be NSA-tested. NSA-approved shredders are then listed in an NSA Evaluated Products List (EPL). There is no official correlation between the NSA specification and DIN or GC standards however, CSE endorses the NSA 02-01 specification for the destruction of COMSEC (Top Secret) information.

National Association for Information Destruction (NAID)

This association is international but concentrated in the USA and Canada (NAID Canada). NAID developed its AAA Certification® Program for secure information destruction operations in 2000 which is divided into two separate programs: one that applies to physical destruction operations and another that applies to electronic media overwriting operations. Within each program, there are "endorsements" that further define the specific nature of the certification. These endorsements indicate whether a firm is certified by NAID for on-site (mobile) or off-site (plant-based) services, and the types of media it is certified to destroy (paper, hard drives, micromedia). RCMP LSA endorses the use of NAID-certified companies provided they use equipment that produces the required shred sizes specified in Appendix A.

Procurement and equipment selection

Office shredder procurement

The RCMP LSA no longer tests and approves specific shredding equipment or companies for use in the GC. PSPC is the procurement authority for shredders which is done by means of a Supply Arrangement (SA). The SA is a list of certified shredding equipment by class and sheet capacity/throughput rate. While PSPC does not test shredders as part of the SA, they ensure the certification is provided by the manufacturer prior to the equipment being placed on the SA and provide oversight on manufacturer claims and investigate complaints. Manufacturers who do not honestly state their product specifications may be dropped from the SA. Contact PSPC for more information.

Although the RCMP LSA no longer tests or approves shredders, the SA shredder list includes shredders that had previously been RCMP tested and approved. This equipment will be grandfathered and no certification by the manufacturer is required provided the part number and specifications of the equipment remain unchanged. GC departments and agencies may request that shredding equipment be added to the SA by requesting the manufacturer provide written "certification" that the equipment meets the required standards. Once this written certification is received by PSPC, the SA will be amended.

Disintegrator procurement

It should be noted that the PSPC SA only covers paper shredders. Clients wishing to acquire disintegrators must do so under their own financial delegation (if under $25K) or via PSPC through the competitive process. The process for the selection of disintegrator equipment remains the same as for paper shredders which is detailed throughout this guide. The selection of the appropriate disintegrator equipment should be commensurate with the security level of the material being destroyed and the requirements of the department.

Equipment selection

There are three main factors to consider when selecting a shredder:

In general, only resultant particle size and throughput rates apply to disintegrator selection, though for larger units, sound, reliability and electrical requirements can be significant selection factors.

Service and maintenance

Departments should never buy equipment that is not supported by an authorized Canadian distributor providing complete repair and maintenance services.

Automatic oilers are strongly recommended. A department employee should be assigned to shredder care and maintenance responsibilities which include regular oiling of the cutting heads, especially if automatic oilers are not used.

Other factors

The RCMP endorses the NSA specification for High Security Shredders and Disintegrators for security where a 5mm2 particle size is appropriate (see Appendix A). Caution must be used when selecting from the NSA Approved Equipment as some equipment may not be available in Canada or be supported by manufacturer-approved repair and maintenance services.

When comparing office shredders, sheet capacity is generally the governing factor. A quality shredder with a large sheet capacity (no significant slow-down during the shredding) will normally have a greater throughput than another quality shredder with a smaller sheet capacity. For most users, comparing shredders with similar sheet capacities will be sufficient.

Commercial shredder and disintegrator throughput is usually measured in lb or kg per hour. Capacity is usually a function of the throughput rate and not separately specified.

Note: Some commercial destruction companies charge a flat rate per bin, which is generally more expensive than by weight.

Procurement criteria should include a verification of safety, electrical certification and sound levels. Some of these issues may be addressed by the requirements of the Supply Arrangement. Contact PSPC for guidance. The following recommendations should be considered for all purchases:

High volume shredders and disintegrators

The GC shredder standard at Appendix A permits a larger shred size in consideration of the larger volume of chaff that will be produced during high volume or bulk shredding. The amount that constitutes bulk or high volume is not strictly defined but should be interpreted as a significant amount of material destroyed in a single session – generally as part of a scheduled office or building collection and destruction program.

In general, all requirements for the storage including temporary storage and collection points, transport or transmittal and destruction of information apply equally to commercial destruction services. Each department is responsible for the security and safeguarding of sensitive information. All aspects of destruction service should be monitored and the actual destruction must always be witnessed.

Commercial destruction services

The security requirements pertaining to commercial destruction services apply to more than just the size of the particle; they apply to the entire process. It includes everything from procedures for handling and storing the information to procedures for disposing of the waste, the facility and its personnel. The fact that a service provider uses a particular piece of equipment does not mean the practices of the company are secure. Departments must ensure due diligence is exercised to ensure the equipment is appropriate, operating correctly and security procedures are followed.

It can be difficult to obtain the required particle sizes specified in Appendix A for commercial destruction and where available, costs will usually increase significantly as the smaller size will reduce the throughput rate and reduce the resale value of the chaff. The cut sizes in Appendix A are the RCMP recommended minimum sizes.

A relatively small amount of material (e.g. a single collection bin) may be destroyed by a commercial destruction service provider as long as the department is satisfied with the security and risk-management practices of the service provider, and that intermixing of that material with large volumes of similar material is assured.

Top Secret and Protected C documents should not be destroyed by commercial destruction service providers. All routine destruction of material at these classification levels should be in-house by appropriately cleared personnel. Where there is a need to destroy significant amounts of highly classified material and in-house shredding is impractical, commercial destruction may be the only option. In such cases, monitoring of the entire process will be critical. It may also be advisable to add unclassified material (same paper, font, color, etc) to further dilute the resultant chaff. It is highly recommended that should commercial destruction of highly classified material be required, the RCMP LSA should be contacted for advice and guidance.

Mobile shredding

Departments should specify particle size requirements and a detailed verification procedure should be part of the contract compliance criteria. It is almost impossible to verify the resultant chaff that goes into the storage compartments of mobile shred trucks until they return to the depot to unload.

Some mobile shred companies utilize several types of shredders/ disintegrators and may inadvertently dispatch a truck with equipment that does not meet the department's security specifications. Therefore, it is important to verify that the model (and security screen where possible) of the destruction equipment on the truck matches the model/ screen that was selected/ specified in the procurement agreement.

The following issues are especially relevant to mobile shredder services:

Location of the Vehicle: Information should be destroyed as close to the origin as possible and preferably, within a controlled and isolated area. Public streets and lanes should not be used for classified and highly sensitive information destruction.

Security clearances are rarely given to employees of mobile shredding companies due to the instability of this workforce and the difficulties in keeping the clearances current. Commercial shredder company employees should be considered "operators" and should only handle bulk bins and totes, not permitted to handle individual documents.

In the case of off-site destruction (i.e. the service provider collects and transports the material to another location to be destroyed) the client department should conduct a preliminary on-site/ facility inspection and verify that the service provider has applicable facility and personnel clearances.

Commercial destruction facilities should never be asked to sort or handle individual documents. Documents should either be sorted by appropriately cleared departmental personnel before entering the destruction process, or simply destroyed together by a destruction process applicable to the information having the highest sensitivity.

Ensure all bins are inspected at the end of the session to remove any paper (especially entire documents) that may be stuck to the inside of the bin due to electrostatic attraction.

Shredder equipment safety and maintenance

Operating parameters

Destruction equipment should only be used to destroy the medium for which it is designed. Equipment should be operated as per manufacturers specification.

Electrical safety

Only shredders and disintegrators that meet Canadian electrical standards should be selected and used.

Office shredders can be either 110-120V or 220-240V, but high capacity shredders should be 220-240V.

Other safety issues

Anti-Jam technology - Office shredders should be equipped with auto start and auto stop, it should also stop when the bin door is opened.

Sound - Shredders or disintegrators located near workspaces should meet applicable Canadian Occupational Health and Safety standards for exposure to noise. Noise generated by office shredders can be irritating to office workers and should be minimized as much as possible. Consider ear protection from noise and provide sound protection to operators where appropriate.

Staples/Paperclips - Unremoved staples and paperclips can be a maintenance and warranty issue for shredders. The ability to handle staples should generally be a selection factor for procurement.

Dust and Dirt - Note that dust generation is a serious occupational and safety issue for large volume shredders and disintegrators. Verify local requirements for dust suppression.

Environmental issues

Paper waste (chaff) should not be mixed with other media as it reduces the recycle value of the paper.

Equipment maintenance and inspections

Shredders should regularly be checked for oversize, uneven or chained (not fully separated) particles. Disintegrators should be inspected regularly to ensure the screen is intact. Before maintenance or repair work is carried out, ensure no un-shredded or partially shredded material has been left inside the machine. Equipment that does not perform correctly after servicing should be replaced.

Shredding machine lubrication

Auto-oiling machines are recommended however all shredders should be regularly lubricated with light machine oil to remove fine paper particles which reduce the cutting efficacy. Manufacturer recommended oil should be used however, any SAE 20W-20 lightweight engine oil is a suitable economic substitute for proprietary oils when warranties have expired. Someone should be assigned to shredder care and maintenance responsibilities which include regular oiling of the cutting heads.

Appendix A – Government of Canada paper shredding standard

Classification / Designation Shred Method New Standard DIN 66399 Equivalent Footnote 1 Remarks

Protected A and B,

Confidential (Class 1)

Office

Particle – 30mm2

P-5 – P-6

Smaller shred sizes may be required depending on specific TRA and other requirements of the Dept.

Shred –2mm x 15mm
Bulk In-house Particle – 320mm2 P-3
Screen – 13mm
Shred – 6mm x 50mm
HVCDFootnote 4 Screen – 13mm P-3
Particle – 19mm x 25mm

Protected C, Secret and Top Secret (Class 2)

(COMSEC / SIGINT)Footnote 5

Office

Particle – 5mm2

P-7 – P-8

Smaller shred sizes may be required depending on specific TRA and other requirements of the Dept.

Ranges may be selected based on classification and/or TRA with the standard shred size considered the maximum allowable.

There were no previous standards for bulk and HVCDFootnote 4.

HVCDFootnote 4 Not recommended for TS.

Shred – 0.8mm x 12mm
Bulk In-house Particle – 30mm2 to 160mm2 P-5 – P-6
Screen – 6mm to 10mm
Shred – 1mm x 20mm or 2mm x 50mm
HVCD (Secret)Footnote 4 Screen – 6mm to 9.5mm N/A
Particle – Not Recommended Footnote 2
HVCDFootnote 4 (prot C and Top Secret) Not Recommended Footnote 3 N/A

Promulgation

Reviewed and recommended for approval

I have reviewed and hereby recommend GCPSG-001 (2020) – Equipment Selection Guide for Paper Shredders for approval.

Shawn Nattress
Manager
RCMP Lead Security Agency
Date: August 1, 2020

Approved

I hereby approve GCPSG-001 (2020) – Equipment Selection Guide for Paper Shredders.

André St-Pierre
Director, Physical Security
RCMP
Date: August 1, 2020

Date modified: