The Problem – Paper Drill Audits
There are large cybersecurity auditing firms that perform cybersecurity paperwork reviews of companies who have access control of their client’s data. They are following a formula like SOC-2, PCI or HIPAA that was developed for a specific industry. The auditors do an excellent job within their framework to check that the subcontractors say ‘yes’ to all questions, so they are convinced that the vendor has data security in their process. However, when other auditors do onsite inspections of these same subcontractors, another story is revealed. Here’s Why Regulatory Compliance is Important
In a SOC-2, PCI or HIPAA audit, a non-certified, non-compliant, untrained, third-party vendor can be approved. In these cyber surveys, they ask the same questions year after year, so the weak vendor can maintain their old and outdated policies and processes.
It is amazing how government offices and agencies as well as OEMs have allowed vendors to enter their data security perimeter when they communicate to their citizens and customers that our PII, PHI, PFI and more is safe.
The Solution – More Onsite Verification
When an ISO 27001 auditor conducts a two-to-four-day cybersecurity audit, that action is a real differentiator between the onsite inspection and a paper drill. When a cybersecurity auditor is onsite, they can look at 36 months of data as well as conduct a deep dive into any of the 100+ data security controls. All About ISO 27001 Global Standard NIST 800-171 audits for DFARS has the same level of scrutiny for those companies meeting that requirement since 2018. What Is the NIST SP 800-171 and Who Needs to Follow It?
The solution for government and private enterprise is to shop for members of the cybersecurity supply chain that understand the requirements to protect data. A company like TechR2.
TechR2 Data Destruction
As the US Government and enterprise move towards the NIST Cybersecurity Framework and the Zero Trust data security model, compliance auditors will be under more pressure to analyze between a vendor like TechR2 that has built data security into their processes and those who are doing the same non-compliant methods for the last 10 years.
Industry Differentiation Chart compares TechR2 NIST Certified Solutions to Others
| NIST / ZTA | Data Security Control | TechR2 | Others |
| NIST AC-3, AU-11, MA-2, MA-3, MA-4, MP-5, MP-6 | Failed data bearing devices are Tracked, Contained, Destroyed and Verified while in the Organization’s control | √ | X |
| NIST AC-6, AU-10, SA-9, SC-2, SR-2, SR-03, SR-5 | NIST 800-171 compliant to the DFARS standard, and ISO 27001 certified for every operation | √ | X |
| NIST AC-2, CM-5 | ISO 9001 TechR2’s Tear-A-Byte Appliance utilizes a reinforced drive containment appliance | √ | X |
| NIST IA-2, IA-4, IA-5, IA-8, PE-2, PL-4, SA-8, SR-4 | ISO 27001 and NIST certified TechR2 has unique Serial Number (PID) Labels Printed On-Demand | √ | X |
| NIST CM-8, PE-3, PM-5 | Inventory Management software and system that maintains a real time inventory of data bearing devices in containment and destroyed | √ | X |
| NIST IA-2, IA-5, IA-8 | Multi-factor access control to drive cabinet with two-stage secure drive entry system | √ | X |
| NIST SC-7, SC-38, SI-04 | Photographic evidence of every drive entered | √ | X |
| NIST SI-6, SI-15, SR-4 | Intelligent data completion and capacity reporting | √ | X |
| NIST 800-88 | Data destruction utilizing a Sanitizer and a Verifier | √ | X |
| NIST 800-88 | Certificate of (Sanitization) Destruction meets the NIST 800-88 requirements | √ | X |
Patented Tear-A-Byte® Method to Track – Contain – Destroy – Verify Loose Media.
Your answer to your cybersecurity control challenge is the ISO, and NIST certified TechR2’s Patented Tear-A-Byte solution. Providing secure onsite EoL Data Destruction as a Service to ITAD Vendors (techr2.com) All TechR2 products and services incorporate Zero Trust Architecture data security techniques. Zero Trust Model – TechR2
Vendor Management
When you ask your obsolete ITAD and Recycler vendor to step up their cybersecurity data controls to meet your current compliance needs, the old ITAD and recycling companies do not even know what to say. TechR2 is the premier data destruction company selected by OEMs such as IBM and Kyndryl to meet the GDPR, NIST, ZTA, CCPA and IRS 1075 requirements that you must meet. TechR2 Data Security Certifications & Standards: ISO 27001, ISO 31000, ISO 14001, and NIST, GDPR, more – TechR2
Contact TechR2
TechR2’s NEW Data Destruction as a Service (DDaaS) is the future model and the archaic ITAD processes are dead. DDaaS Data Destruction as a Service – TechR2
Contact Sepp Rajaie to learn more. Contact our experienced TechR2 staff.
