Materials referred to in security levels according to the new DIN 66399 Ideal document shredder for your internal data protection and security concept The previous pages mainly dealt with information in the original size (data carrier “paper” etc.). In these modern times of communication, there are however numerous new data carriers, which are also respected in the new DIN 66399. This is a short summary: Here are some examples from our comprehensive range of shredders, comprising more than 50 model versions, starting with the compact machine for desk-side use, and going up to the powerful high volume shredders: Information in miniaturised form, for example microfilms. Security levels F-1 to F-7 Information on optical data carriers, for example CDs/DVDs. Security levels O-1 to O-7 Information on magnetic data carriers, for example ID-cards, diskettes. Security levels T-1 to T-7 Information on hard drives with magnetic data carriers. Security levels H-1 to H-7 Information on electronic data carriers, for example chip cards, memory sticks. Security levels E-1 to E-7 Desk-side shredders Data protection directly at the working place or for small-group offices Model EBA 1324 S EBA 1324 C EBA 1324 C EBA 1324 CC EBA 1324 CCC Cutting width Cutting type 4 mm Straight Cut 4 x 40 mm Cross Cut 2 x 15 mm Cross Cut 0.8 x 12 mm Micro Cut 0.8 x 5 mm Super Micro Cut Information about the new DIN 66399 for destruction of data carriers Security level P-2 -T-3* P-4 -T-4* P-5 -T-5* P-6- P-7- - Office shredders Central data protection in the office, for example next to the copying machine Model EBA 2326 S EBA 2326 C EBA 2326 C EBA 2326 CC EBA 2326 CCC Cutting width Cutting type 4 mm Straight Cut 4 x 40 mm Cross Cut 2 x 15 mm Cross Cut 0.8 x 12 mm Micro Cut 0.8 x 5 mm Super Micro Cut Security level P-2 O-2T-3* P-4 O-3T-4* P-5 O-4T-5* P-6- P-7- - All details and technical specifications are approximate. Subject to change. 06/2013 Information in original size, for example paper, films, printing plates. Security levels P-1 to P-7 What you should know! Departmental shredders Powerful, central office shredder with high shred volume Model EBA 5141 S EBA 5141 C EBA 5141 C EBA 5141 CC EBA 5141 CCC Cutting width Cutting type 6 mm Straight Cut 4 x 40 mm Cross Cut 2 x 15 mm Cross Cut 0.8 x 12 mm Micro Cut 0.8 x 5 mm Super Micro Cut Security level P-2 O-2T-2* P-4 O-3T-4* P-5 O-4T-5* P-6- P-7- - * only valid for plastic cards with magnetic strip www.eba.de First Class Security What is new about DIN 66399? Identifying the sensitivity of data and assigning the classification level The new DIN 66399 replaces the hitherto DIN 32757. The most significant changes are: In order for the destruction of data carriers to comply with the principles of economy and proportionality, the data contained on them shall be assigned a classification level. The security level which is chosen for the destruction of the data carriers is determined by the sensitivity of the data. Three classification levels A risk analysis shall be carried out for the data carriers and the data contained assigned to one of the three classification levels. The classification level determines the security level which is chosen for the destruction of the data carriers. Six material categories For the first time the norm defines different material classifications, also reflecting the size of the information presented on the data carrier (paper documents, optical, magnetic or electronic data carriers and hard drives). Seven security levels Instead of the previous five security levels, the new DIN 66399 now defines seven security levels. One major difference is the new security level P-4 with a material particle surface of maximum 160 mm², the previous level 4 becomes level P-5 and the previous level 5 becomes P-6. “Level 6”, which was not previously reflected in the DIN norm, will become level P-7. Security levels according to DIN 66399 for information presentation in original size, for example paper documents Classification level 1: Normal sensitivity for internal data: the most common classification of information, intended for large groups of people. Unauthorised disclosure or transfer would have limited negative effects on the company. Protection of personal data shall be guaranteed. Otherwise there is a risk that persons affected may suffer damage to their reputation and economic circumstances. Classification level 2: Higher sensitivity for confidential data: the information is restricted to a small group of people. Unauthorised disclosure would have serious effects on the company and may lead to violation of laws or contractual obligations. The protection of personal data shall meet stringent requirements. Otherwise there is a risk that persons affected may suffer serious damage to their social standing or economic circumstances. Classification level 3: Very high sensitivity for confidential and secret data: the information is restricted to a very small group of persons, known by name, who are authorised to access it. Unauthorised disclosure would have serious, existence-threatening effects on the company and/or would lead to violation of trade secrets, contracts and laws. The protection of personal data shall be absolutely guaranteed. Otherwise, the life and safety of persons affected may be at risk, or their personal freedom may be jeopardised. Assignment of classification levels and security levels see table below: Important details related to the new DIN 66399: SecuritySecuritySecuritySecurity SecuritySecuritySecurity level 1level 2level 3level 4level 5level 6 level 7 • If it is possible for data controllers to destroy data carriers directly on site at any time, this increases security and is preferable to other methods, provided the selected security level is used. Classification level 1 • If there are data carriers with different security levels at the collection point, they should be sorted there by security level for economical and environmental reasons. If this is not possible, all the data carriers shall always be destroyed according to the higher security level. This is to minimize the risk of incorrect assignment leading to inadequate destruction of data carriers containing sensitive data. 1 1 Classification level 2 Classification level 3 1 2 This combination can not be used for personal data. A higher security level covers the protection class in a better way. 2 2 2 2 2 2 P-1 P-2 P-3 P-4 P-5 P-6 P-7 Recommended for instance for data carriers with general data, which have to be made illegible. Recommended, for example, for data carriers with internal data, which have to be made illegible. Particle size ≤ 2000 mm2 or strip width ≤ 12 mm. Unlimited strip length. Particle size ≤ 800 mm2 or strip width ≤ 6 mm Unlimited strip length. Recommended, for example, for data carriers with sensitive and confidential data. Particle size ≤ 320 mm2 (for example particles 6 x 50 mm) or strip width ≤ 2 mm Unlimited strip length. Recommended, for example, for data carriers with particularly sensitive and confidential data. Particle size ≤ 160 mm2 and for regular particles: strip width ≤ 6 mm (for example particles 4 x 40 mm). Recommended, for example, for data carriers with secret data. Particle size ≤ 30 mm2 and for regular particles: strip width ≤ 2 mm (for example particles 2 x 15 mm). Recommended, for example, for data carriers with secret data where unusually high security standards shall be maintained. Particle size ≤ 10 mm2 and for regular particles: strip width ≤ 1 mm (for example particles 0.8 x 12 mm). Recommended, for example, for data carriers with top secret data where the strictest security standards shall be maintained. Particle size ≤ 5 mm2 and for regular particles: strip width ≤ 1 mm (for example particles 0.8 x 5 mm).