< All Topics

What are the requirements for data security in the R2 Standard?

: What are the data security requirements in the R2 Standard?

A: The R2 Standard places a strong emphasis on data security and requires certified facilities to maintain robust data security practices. Key requirements include:

  1. Developing and maintaining a Data Sanitization Plan and procedures
  2. Implementing appropriate security controls to protect data in the facility’s control
  3. Properly sanitizing or destroying data storage devices in a timely and effective manner
  4. Providing customers with information about the facility’s data security practices and any downstream vendors involved in data sanitization
  5. Conducting regular data security audits to validate the effectiveness of data sanitization processes

Q: What methods can be used for data sanitization under the R2 Standard?

A: The R2 Standard allows for two main methods of data sanitization:

  1. Physical destruction: This involves the physical destruction of data storage devices, such as shredding, crushing, or incinerating the device, in accordance with the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization or other approved methods.
  2. Logical sanitization (data erasure): This involves using software to overwrite data on the storage device. The R2 Standard requires the use of properly licensed and maintained software, validation of the overwriting process, and maintenance of records of the sanitization process.

In both cases, the R2 Standard requires regular auditing and validation of the data sanitization processes to ensure their effectiveness.