Physical Document and Asset Control

Physical documents create a persistent, tangible record of sensitive information that exists outside any digital control. They cannot be remotely wiped, access-revoked, or encrypted after the fact. A document exists from the moment it is printed or written until the moment it is verifiably destroyed — and at every point in between, it can be read by anyone who obtains it. This protocol governs that lifecycle in full.

Protocol: PSP-002
Classification: Open
Compliance: required for Sentinels and above; strongly advised for Knights

Requirements

  1. All sensitive documents — financial statements, identity documents, legal agreements, credentials, and any physical record containing personal, operational, or financial information — must be stored in a locked container when not in active use. A filing cabinet with a working lock is the minimum. A fireproof safe is required for documents that cannot be replaced or whose loss would create significant consequence.
  2. Documents must not be left unattended on desks, countertops, or any accessible surface. Active use means the document is in your hands or directly in your line of sight. Everything else is unattended storage — it must be secured accordingly.
  3. All documents containing sensitive information must be shredded before disposal. Cross-cut shredding is the minimum standard; micro-cut is required for documents containing financial account details, identification numbers, or anything that could support identity theft or fraud. Recycling bins, waste baskets, and general refuse are not secure disposal.
  4. Identity documents — passports, driving licences, national identity cards, and any government-issued identification — must not be routinely carried unless their presentation is a specific, anticipated requirement of the day. When not carried, they must be stored in a locked container. Loss or theft must be reported to the issuing authority within 24 hours.
  5. Physical copies of sensitive documents must be made only when there is a specific purpose for the copy. Copies multiply the exposure of the original. Each copy must be tracked, stored to the same standard as the original, and destroyed when no longer required.
  6. Printed documents retrieved from a shared or networked printer must be collected immediately upon printing. Sensitive documents must not be left in print queues, on printer trays, or in shared output trays. Where possible, use a printer in a controlled, private space for sensitive materials.
  7. Any physical media — USB drives, external hard drives, printed cryptographic keys, handwritten credentials, or backup codes in physical form — must be stored in a locked container, with location noted and access limited to the minimum necessary. Physical media containing sensitive data that is no longer required must be physically destroyed, not merely deleted.

The Lifecycle Problem

Digital information can, in principle, be controlled through access permissions, encryption, and remote deletion. A physical document has none of these controls once it leaves the printer. It is a static, readable record that persists in whatever state it happens to be in — on a desk, in a bag, in a bin — until it is deliberately destroyed.

Most sensitive information breaches involving physical documents are not the result of targeted theft. They are the result of documents being discarded without shredding, left in spaces accessible to others, or copied more times than was necessary and tracked less carefully than the original. The vector is neglect, not adversarial effort.

A document in a bin is a document that is readable. Bin collections, shared waste facilities, and recycling centres are not secure. The assumption that discarded paper is inaccessible is consistently wrong.

Storage Standards

The appropriate storage for a physical document is determined by what it contains and what the consequence of its exposure would be. The graduated standard is: locked container for sensitive documents in regular use; fireproof safe for documents that are irreplaceable or whose loss creates significant legal or financial consequence; safe deposit or equivalent external secure storage for documents of the highest value that are accessed rarely.

Identity documents and financial instruments sit firmly in the second category. A passport is not replaceable on short notice — it requires time, cost, and the exposure of applying for a replacement. A share certificate, a property deed, or a printed cryptographic backup is in many cases not replaceable at all. These documents warrant a fireproof safe at minimum, not a locked drawer.

Disposal

Cross-cut shredding produces small rectangular fragments that can, with sufficient effort, be reconstructed. Micro-cut shredding produces fragments small enough that reconstruction is not practically achievable. The distinction matters only for documents containing information valuable enough that a motivated adversary might attempt reconstruction — financial account details, identification documents, and cryptographic material. For most routine sensitive documents, cross-cut is sufficient.

The discipline of shredding breaks down in two predictable ways: the shredder is inconveniently located, so documents accumulate in a pile to be shredded later; or the shredder is present but the habit of using it is inconsistent. Both produce the same outcome — a collection of unshredded sensitive documents in an accessible location. The countermeasure is to position the shredder adjacent to the desk and treat shredding as part of the same action as finishing with a document, not a separate task.

Physical Media

USB drives, external hard drives, and other physical storage media are treated in most security frameworks as digital devices with physical form — which they are — but they are also physical objects that can be lost, stolen, or accessed by anyone who picks them up. Deletion from physical media does not destroy the data; it removes the file system reference to it. Recovery of deleted files from physical media is straightforward with standard tools.

The only reliable disposal method for physical media containing sensitive data is physical destruction: shredding, degaussing, or disassembly and destruction of the storage component itself. This applies equally to old hard drives from replaced computers: a retired laptop whose drive contents have merely been deleted has not been securely disposed of. The drive must be destroyed before the machine is discarded, donated, or repurposed.

Destroying a document or piece of media is a one-time action that takes minutes. Failing to do so creates a permanent exposure that no subsequent action can reverse.