Secure output allows us to send information to a variety of formats. I think we'll talk about printing, we'll talk about secure output. If we want to print securely, yeah, we can print to a common printer that's out in the public areas somewhere, but people may come along and pick that data up and may see it. Maybe we don't want that. So maybe we have a secure printer. One that's in a room that only certain people can get into with some sort of card access control mechanism. That would be more secure, and maybe when we send it to that printer, once the data is printed, the memory buffer of the printer is white, so nobody can call that data back. And it's not stored on a hard drive or in a multifunction device, for instance. Or maybe we're storing it but we're encrypting it. So that way, it can only be decrypted by somebody who has the appropriate encryption key. These are mechanisms that could be used for secure output. We may stand or store that data to a secure storage facility somewhere, maybe a device that self encrypts or whatever that may be. So lots of ways to achieve secure output, but we do need to think about that and we do need to understand that it's, again, an area of focus for us. If we're not focused on it, we may not realize that all the data we send to a multifunction printing device, a network-capable print device, today, is going to be stored on a hard drive. If we are not safeguarding that hard drive and encrypting that storage, somebody could come along later, download the contents of the hard drive, and get the encrypted secure document that we sent because it's stored in unencrypted format. And that's something we would need to consider and be concerned with. When we think about data retention and disposal, we have to think about the fact that when we keep data, we tend to keep it for a period of time. Here in the United States, there tends to be data retention rules for businesses that are publicly traded under Sarbanes-Oxley requirements and our reporting requirements to the IRS, to the federal government, for tax purposes. You typically have to keep records for seven years. In many government entities, there are retention record policies for anywhere from maybe seven to 15 years depending on the kind of data. There may be retention policies in the private sector for a variety of things. There's different reasons why we keep stuff around. Whatever those retention policies are, you're going to have to document those, specify what they are, implement systems that will monitor and manage those, very important, and we need to make sure we have what's known as a retention schedule. The retention schedule allows us to effectively count down the clock. Okay, we're going to keep it for seven years. No problem. Today is January 1 of 2020 and January 1 of 2027. Seven years from now, that data will be effectively pulled out of the system and either moved to a long-term archive storage facility or maybe destroyed. There's different things to do with it at that point depending on what your disposal policy is. But the idea is you're going to manage through that. These policies ought to be documented, written down, implemented into the system. We have to have what are called handling procedures, as we talked about on the screen, to be able to stipulate how the data will be managed over that period of time, where will it be stored, who can access it, under what conditions, how long will it be stored using what format, when we no longer need it because of retention, where will we put it, how will we, at that point, interact with it or dispose of it. These are all things that, as SSEPs, we have to think about and, ultimately, we have to somehow come up with a way to address. So we want to be thinking about data retention and disposal. We may decide to dispose of data using shredders. Shredders take a variety of forms: strip-cut shredders, cross-cut shredders, particle shredders, hammermills, and/or granulators. I guess I'm entitled to one small slip up here and there, right? So strip-cut shredders are going to be shredders that are going to effectively cut the data. Well, again, thinking more often than not about paper, but we could actually put media into these things as well. Depends on how powerful the shredder is. But a strip-cut shredder is going to cut that paper. We probably have seen these at home. They're going to cut the paper into strips. This is where you get those long strips that the 8 by 11 sheet is cut into 25 strips that are going to effectively ribbon out the data. A cross-cut shredder will cut that data, that sheet of paper into, not strips, but actually slice it and dice it, so strips, and then cross-cutting them into little small cubes or specs, if you will. Much harder to put back together. Particle-cut shredders are going to effectively create confetti. They're going to, basically, just destroy that paper and you're going to get out just dust almost depending on the fine granularity of the shredder itself. You could set it to different settings. Hammermills are going to effectively use metal hammers to effectively destroy large data items. Things like hard drives, things like computers themselves, you're going to put them in. It sounds like a car crusher. You run it through the front end of this thing like a woodchipper, and out the back end, comes just discarded and shredded and your destroyed metal. And it's going to mangle everything by beating it up and, really, just tearing it apart. And then granulators are going to just destroy anything you put into them and effectively, literally, turn them to dust, like I said, depending on the fine setting that we will go after. A granulator is going to be a lot more destructive than a particle-cut shredder, let's put it that way, but it's going to, basically, just destroy everything that you put into it. So we have different kinds of shredders that we may use depending on the nature of the destruction mechanism and the disposal policy that we're looking for. So, again, just some ideas about the ways in which we do this. You probably have strip-cut shredders in your offices, I would guess, most likely. You may or may not have these others, right? It just depends on the nature of the disposal systems you're using. A lot of times, if you contract with a third-party company that comes in and does on-site shredding or destruction, there's a lot of companies out there that will do this as a service. They may come out with just the big bends and collect all the paper and cart it off and deal with it at their facility, they may have a mobile solution where they come in with a big truck and they cart it all downstairs and they run it through these shredders. And they'll use, typically, either particle-cut shredders or granulators on the trucks and they'll just destroy all the sensitive and secure information that you provide to them. And they'll give you a receipt to validate that they did that so you can audit it. So these are kind of things that you would often see.
