MP-6 / A.8.10 / A.11.1.4 / CIS-3.3 NIST SP 800-53 Rev 5

Are paper documents with sensitive info (HR, finance, customer) physically secured and shredded when no longer needed?

Description

What this control does

This control ensures that paper documents containing sensitive information—including human resources records, financial data, and customer information—are stored in locked cabinets, restricted access areas, or other physical security mechanisms when in use, and are destroyed via cross-cut shredding or industrial shredding services when retention periods expire or the documents are no longer needed. It addresses the risk of unauthorized physical access, theft, or inadvertent disclosure through improper disposal such as discarding intact documents in trash receptacles. Effective implementation requires documented procedures, clear desk policies, secure disposal equipment or vendor contracts, and periodic verification that staff follow protocols.

Control objective

What auditing this proves

Demonstrate that the organization physically secures paper documents containing sensitive information during their lifecycle and destroys them via shredding or equivalent secure methods when no longer required.

Associated risks

Risks this control addresses

  • Unauthorized personnel access sensitive paper documents left unsecured on desks, in unlocked drawers, or in common areas, leading to data exposure or theft
  • Intact paper documents containing HR, financial, or customer data are discarded in standard waste bins, enabling dumpster diving or accidental exposure during waste handling
  • Documents containing personally identifiable information (PII) or payment card data are retained beyond policy-mandated retention periods, increasing breach surface area and regulatory non-compliance risk
  • Third-party cleaning or maintenance staff inadvertently view or remove sensitive documents left in accessible locations outside business hours
  • Departing or terminated employees remove or photograph sensitive paper records that were not inventoried or secured, leading to data exfiltration
  • Regulatory violations and financial penalties result from failure to protect or properly dispose of regulated data such as medical records, tax information, or customer financial data
  • Industrial espionage or competitive intelligence gathering occurs when adversaries retrieve discarded documents containing trade secrets, strategic plans, or pricing information

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's physical document security and disposal policy, noting requirements for locked storage, access restrictions, clear desk mandates, retention schedules, and approved destruction methods.
  2. Request a list of all locations where sensitive paper documents are routinely stored or processed, including HR offices, finance departments, legal, and customer service areas.
  3. Conduct physical walkthroughs of a representative sample of offices, cubicles, and common work areas during business hours and, if possible, after hours, observing whether sensitive documents are left unsecured on desks, in unlocked filing cabinets, or in open view.
  4. Inspect shredding equipment or locked disposal consoles in sampled locations, verifying that they are present, functional, and that shredders produce cross-cut (DIN 66399 security level P-4 or higher) output rather than strip-cut; where destruction is outsourced, review contracts with certified document destruction vendors and confirm that certificates of destruction are issued for each collection.
  5. Select a sample of at least 10 employees across HR, finance, and customer-facing roles and interview them regarding their awareness of document handling requirements, clear desk practices, and shredding procedures.
  6. Review logs or sign-out sheets for locked filing cabinets or secure document storage rooms, confirming that access is restricted to authorized personnel and that keys or access codes are not shared improperly.
  7. Examine waste bins and recycling containers in sampled areas for evidence of intact sensitive documents, noting any findings as control deficiencies.
  8. Obtain certificates of destruction or disposal logs from the past 12 months from shredding vendors or internal destruction records, cross-referencing entries with document retention schedules to verify timely disposal of expired records.
Evidence required

Policy documentation governing physical document security, retention, and destruction; photographs or inspection notes from physical walkthroughs showing locked storage and shredding equipment; vendor contracts and certificates of destruction from certified shredding service providers; access logs or key custody records for secure storage areas; interview notes or attestations from sampled employees regarding clear desk and disposal practices; disposal logs or shredding records cross-referenced with retention schedules.

Pass criteria

All sampled locations demonstrate locked storage or restricted access for sensitive paper documents; no intact sensitive documents are found in unsecured areas or waste bins; shredding equipment or certified vendor services are available and in use; and certificates of destruction or disposal logs confirm timely destruction in accordance with retention policies.