Like giant sequoias that grow from seeds, many big ideas come from small starts. Such is the case for a first-of-its-kind academic textbook the Phoenix-based National Association for Information Destruction (NAID) has been working on that focuses solely on information disposition.
What started as an updating effort for the association’s Certified Secure Destruction Specialist (CSDS) accreditation training manual turned into what is now a 300-plus-page textbook. The first edition is set to make its debut at the NAID Annual Conference and Expo, March 22-24, 2017, in Las Vegas.
NAID CEO Bob Johnson explains it as an evolution of sorts. Johnson, who also is the book’s author, says NAID staff began collecting material related to information disposition for the CSDS training manual. They soon discovered a missing piece in the books that cover the records and information management industry. While plenty of books address information storage and security, Johnson says, few extensively touch on how information should be disposed of properly at the end of its useful life. Topics such as degaussing and data overwriting and options for hiring vendors are not discussed, he points out.
Johnson says these books “don’t talk about policies and procedures; they don’t bring in risk management issues. So, the vacuum there is a great opportunity for us.
He adds, “We already had the textbook on the drawing board and said with more diligence we could elevate it to a university textbook … That evolved into this bona fide textbook as a discipline itself.”
Filling a void
The textbook represents the first academic disciplinary on information disposition, Johnson says. “It’s the first concentrated look at information disposition from all angles,” he says.
It fills a void for students who will someday oversee information security yet lack expertise in information disposition. In discussions with educators, Johnson says NAID realized information disposition in the context of collegiate studies is typically an afterthought. Students are graduating in data security and information management fields without being aware of their options for media destruction, privacy regulations and other related requirements to do the job right.
“The educators are saying it’s irresponsible to be putting people out in the world and they don’t have a clue about information disposition,” Johnson says.
While it is a textbook, it is not strictly for students. It also can be used as a sales tool among secure destruction professionals. With its extensive look at the principles of proper disposition, industry professionals can refer to the book when selling to customers who may not fully understand their responsibilities under the law.
For those operating under a misconception, Johnson says the book can help to set the facts straight. “Whatever misconception the client might have, it will be very useful to have the textbook as the ultimate proof statement: ‘It says right here that’s not a good way to do it,’” Johnson says, adding, “Not in a way that we’re wagging our finger at them, but when they read the paragraph about why that’s not a good idea, they’ll say, ‘Yes, that makes perfect sense.’”
Beyond students and industry professionals, from information and records managers to data security and compliance workers, the textbook also can benefit those individuals seeking to become a CSDS or any organization putting together an IFB (information for bid) for information disposition regarding service provider qualifications.
With more members than ever who are involved in IT (information technology), Johnson says NAID members also can benefit from what the book offers.
“For some readers it will expand their view of what information is leaving their organizations and how to better protect their organizations,” Johnson says.
The textbook includes nine chapters. While entire books that address data protection regulations and risk management are available, each chapter in this textbook covers these topics in-depth separately in relation to information disposition. Chapter One, for example, exclusively outlines data protection regulations. Another chapter explores contracts and indemnification.
One chapter focuses on NAID’s Information Destruction Policy Compliance Toolkit, while another details the records management principles pertaining to information disposal. A chapter on destruction methodology explains industry terms, while another chapter serves as an operational manual for data destruction firms.
Chapters highlight Health Insurance Portability and Accountability Act (HIPAA) standards as they relate to the subject matter.
“Same with risk management related to information disposition,” he continues. “How do you mitigate those risks? What are the elements of a contract? What are the things that the data controllers need to have to protect them, and what should they expect form the service provider?”
Every chapter has been reviewed by a subject matter expert, Johnson says.
The textbook has been thoroughly researched and cited, he says. “We have had from day one an individual contracted with us to make sure wherever our claim is made, if it needs a citation we find it.”
Work in progress
As a giant sequoia would never be found on a beach, topics purposefully are not covered in NAID’s textbook on information disposition. For one, the book does not include material related to records retention requirements. “It’s not about retention; it’s about disposition,” Johnson clarifies.
For anything the textbook lacks, he recognizes that this is just the first edition and a work in progress. Johnson says he welcomes input and constructive criticism with the goal of improving the textbook. For now, he says he’s glad it’s all finally in writing, in a single place.
“It may well be that the most important legacy of this first edition is not necessarily the edition itself but the fact that we finally got the discussion started and got it on paper. Our intention is to start volume two the day volume one is produced. I’m encouraging feedback.”