Purpose
The NAID AAA Certification Program is a voluntary program for NAID member companies providing information destruction services. Through the program, NAID members will be audited for mobile and/or plant-based operations in paper or printed media, micromedia, computer hard drive destruction, and/or computer hard drive sanitization. Under this program, the certification application and associated fees cover only individual locations. If a NAID member operates in multiple locations, each location must pass the audit to be certified. NAID members who receive certification must specify the location certified in company literature when referencing the NAID certification program.
How it works
NAID is the standards-setting body for the information destruction industry. NAID AAA Certification verifies the qualifications of certified information destruction providers through a comprehensive scheduled and unannounced audit program. This rigorous process supports the needs of organizations around the world by helping them meet numerous laws and regulations requiring protection of confidential customer information:
- The FACTA Final Disposal Rule requires the destruction of all consumer information before it is discarded. Covered entities must monitor compliance of any organization contracted to destroy consumer records.
- The FACTA Red Flags Rule requires audits of data-related vendors with access to personal information of customers.
- Under HIPAA, covered entities may be subject to civil penalties for misconduct of their business associates that leads to a security breach. Working with a NAID certified vendor reduces the risk.
- Business associates of covered entities must comply with technical, administrative and physical safeguard requirements under the HIPAA Security Rule. For more information on HIPAA, see "Common misconceptions about HIPAA and data destruction."
- The media destruction specifications of PCI compliance require the following, all of which NAID certification requires and verifies:
  - 9.10.1.a: Verify that hard copy materials are crosscut shredded, incinerated or pulped such that there is reasonable assurance the hard copy materials cannot be reconstructed.
  - 9.10.1.b: Examine storage containers used for information to be destroyed to verify the containers are secured. For example, verify that a to-be-shred container has a lock preventing access to its contents.
  - 9.10.2: Verify that cardholder data on electronic media is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion or otherwise physically destroying the media (e.g., degaussing).
- NAID’s certification program was developed by information security professionals and is recognized by thousands of private and governmental organizations around the world.
- All regional, third-party NAID auditors have earned the Certified Protection Professional accreditation from ASIS International and are extensively trained on all certification audit procedures and requirements.
- NAID certification auditors verify that protocols are in place to ensure the security of confidential material throughout all stages of the destruction process, such as handling, transporting, storing materials prior to destruction, and destroying and disposing of materials responsibly. This also includes any transfer-of-custody scenarios.
- An extensive, three-level background screening process verifies that no individual with a known history of related crimes will be handling confidential material.
- A regimented, comprehensive unannounced audit program means that certified companies operate knowing they may receive an unannounced audit on any day, at any time, providing a powerful motivator for ongoing compliance.
- The Certification Review Board tracks reports of non-compliance and takes immediate remedial action to bring certified companies back into compliance. Repeat or serious infractions will result in fines and may result in removal of certification.