Submitted:
15 June 2026
Posted:
16 June 2026
You are already at the latest version
Abstract

Keywords:
1. Introduction
2. Methodology
3. Operational Context and Assumptions
3.1. Type of Unit and Environment
3.2. Actors and Roles
| Role | Designation | Responsibilities |
|---|---|---|
| COMSEC/INFOSEC Officer | Officer A | Authorises destruction events; maintains destruction log; issues destruction certificates |
| Document Controller | NCO B | Executes physical destruction; updates document register |
| System Administrator | Technician C | Conducts digital media sanitisation and device tracking |
| Unit Security Officer | Major D | Oversees security compliance; approves classified media disposal under local policy |
| Independent Witness | Officer E (rotated) | Observes destruction; verifies completion; co-signs certificates |
| Auditor (periodic) | External Inspector F | Reviews destruction records and compliance during scheduled audits |
3.3. Relevant Assets
- Printed intelligence reports (SECRET level, 34 pages total) generated during Exercise IRONVEIL, to be destroyed following exercise closure.
- USB solid-state flash drives (3 units, CONFIDENTIAL level) used to transport processed imagery products between workstations.
- Document register (physical and electronic) tracking custody, handling, and lifecycle status of classified items.
- Destruction certificates (Form DS-07, fictional) required for each destruction event under the scenario policy.
- Cross-cut shredder (DIN 66399 Level P-4) used as the unit’s primary paper destruction device.
- Digital media sanitisation workstation intended for media wiping and reuse decisions.
3.4. Classification Levels Considered
3.5. Access Rules and Dependencies
4. Case Description: Timeline and Evidence
4.1. Event Timeline
- T0 —
- Day 1, 09:00: Exercise IRONVEIL concludes. Major D gives NCO B a verbal instruction to dispose of the 34-page SECRET exercise report set and to return three USB drives to the supply pool after sanitisation. No written destruction authorisation is found in the case file. The scenario does not establish whether Officer A was consulted informally before the instruction.
- T1 —
- Day 1, 10:30: NCO B feeds the 34-page document set through the DIN P-4 cross-cut shredder in batches. A paper jam occurs during the second batch. NCO B separates stapled pages, clears the jam, and resumes shredding. Four pages are set aside on a desk and are not returned to the destruction queue. The destruction register is later marked “complete”, but it does not record a page-count reconciliation, a bag seal number, or a witness signature.
- T2 —
- Day 1, 11:15: Technician C collects the three USB drives. The device log states “sanitised — returned to pool”, but the supporting technical evidence shows only operating-system deletion followed by quick-formatting. No approved tool name, command output, device-response log, cryptographic-erase confirmation, verification hash, or sanitisation certificate is retained.
- T3 —
- Day 1, 14:00: Officer E, the designated witness, is recorded as assigned to duties elsewhere. The access-control logs do not place Officer E in the destruction area at T1 or T2. No alternate witness is designated. No Form DS-07 is completed for either the paper or digital-media event.
- T4 —
- Day 3, 08:30: During a routine stocktake, Officer A identifies that the document register records 34 pages issued while the destruction entry contains no verified count. A work-area inspection recovers four intact SECRET pages from the desk used during the paper-jam response. The scenario does not establish who entered the room between T1 and T4 or whether any person read the recovered pages.
- T5 —
- Day 3, 09:15: Officer A escalates the discrepancy to Major D. The USB drives are quarantined pending forensic review. The delay between return-to-pool and quarantine creates uncertainty over whether the devices were reissued, mounted, or otherwise accessed during the intervening period.
- T6 —
- Day 5: An internal forensic examiner creates sector-level images of the USB drives. Recoverable artefacts are identified on all three devices, including residual fragments and metadata consistent with content predating the supposed sanitisation. The report does not establish that complete files were reconstructed, that all artefacts were classified, or that an unauthorised party accessed the data.
4.2. Available Evidence
- Document register (electronic): records issuance of 34 pages and identifies the set as pending destruction after exercise closure. It does not contain a matching verified destruction count.
- Destruction log (physical): contains NCO B’s entry marked “complete”, but no witness signature, no Form DS-07 reference, no bag or batch identifier, and no exception note for the paper jam.
- Device tracking log: records the USB drives as “sanitised — returned to pool”, but does not identify the tool, command, media type decision, verification result, or certificate number.
- Recovered paper pages: four intact SECRET pages recovered from the work surface and logged by Officer A as Exhibit APC-001. The facts support non-destruction; they do not prove that the pages were viewed.
- Forensic disk image report: identifies recoverable artefacts on all three drives, referenced as Exhibits APC-002, APC-003, and APC-004. The scenario leaves unresolved whether the artefacts are complete files, partial content, filenames, thumbnails, directory entries, embedded metadata, or remnants outside the normal file-system view.
- Access-control logs: confirm that Officer E was not present in the destruction area at T1 or T2. They do not provide a complete account of every person who may have entered the broader Restricted Area during the two-day exposure window.
- CCTV and room-use records: treated as potentially relevant but incomplete in the scenario. Their absence is itself an assurance limitation because the investigation cannot independently reconstruct all post-event access.
5. Normative and Procedural Framework
5.1. Applicable Standards and Policies
| Source Type | Reference | Relevance |
|---|---|---|
| Real external standard | NIST SP 800-88 Rev. 1 (2014) — Guidelines for Media Sanitisation | Defines Clear, Purge, and Destroy approaches for digital media and stresses verification of sanitisation outcomes |
| Real external policy reference | NATO INFOSEC Doc AC/35-D/2004-REV2 | Provides an analogue for classified-information handling and destruction governance |
| Real external standard | ISO/IEC 27001:2022 — Annex A, Control 8.10 | Requires controlled deletion procedures for information stored in systems, devices, or other storage media |
| Real external standard | DIN 66399 (2012) — Paper Destruction Standard | Defines security levels for paper destruction (P-1 through P-7); this scenario assumes, as a local policy choice, P-5 or higher for SECRET-equivalent material |
| Fictional national directive | National Security Authority Directive NSA-D-04 | Scenario-specific policy requiring witness co-signature and Form DS-07 for all SECRET and above destruction events |
| Fictional unit procedure | APC SOP 12-03 | Scenario-specific unit-level SOP for classified material lifecycle; found to be outdated and incomplete in this incident |
5.2. Applicable Requirements
- Storage and access: SECRET-level material must be stored in nationally approved secure containers and accessed only by authorised personnel with need-to-know. This is a fictional control assumption, not a universal statement about all jurisdictions.
- Destruction authorisation: Destruction must be authorised in writing by the COMSEC/INFOSEC Officer before work begins. Verbal direction may initiate planning, but it cannot substitute for the authorising record.
- Execution and witnessing: Destruction must be performed in the presence of an independent witness who did not handle the material during its active lifecycle.
- Documentary evidence: A destruction certificate, such as Form DS-07 or equivalent, must be completed, signed by both the executing person and the witness, and retained for the period specified by the fictional national authority.
- Paper destruction: The local policy assumption is that SECRET-equivalent paper requires DIN P-5 or higher. DIN 66399 supplies the particle-size framework; the classification threshold is the scenario’s policy choice rather than a universal mapping between DIN levels and national classification markings [2].
- Digital sanitisation: Removal of files using operating-system commands does not constitute sanitisation. The decision must distinguish media reuse from end-of-life disposal. For magnetic media, overwrite-based Clear or Purge operations may be appropriate when verified. For flash-based devices and SSDs, the selected method must account for wear levelling, over-provisioned blocks, and controller behaviour; cryptographic erase, device-supported sanitize/block-erase commands, verified purge functions, or physical destruction may be required depending on classification, device capability, encryption state, reuse decision, and policy [1,4,6].
- Incident reporting: Suspected incomplete destruction must be reported to the Unit Security Officer and, where appropriate, to the national security authority within defined time frames.
5.3. Responsibilities and Decision Authority
6. Technical-Operational Analysis
6.1. Failure Identification
6.1.1. Procedural Failures
- Absent or non-enforced pre-destruction authorisation: NCO B commenced destruction following a verbal instruction from Major D, without the required written authorisation from Officer A. The SOP requirement for written pre-authorisation was therefore either not understood, not enforced, or treated as optional.
- No page-count verification: The destruction entry was marked complete without reconciling the destroyed page count against the document register. APC SOP 12-03 also contains no explicit checklist item requiring this verification step, which made the omission easier to miss.
- Witness not notified or arranged: No mechanism ensured that Officer E was available and present. The SOP did not define a formal notification process, an alternate-witness procedure, or a hard stop when the designated witness was unavailable.
- Destruction certificate not completed: Form DS-07 was not completed for either the paper or digital event. The requirement appears in NSA-D-04, but it was not embedded in the workflow as a condition for closing the destruction record.
- Digital sanitisation method not specified: APC SOP 12-03 references “sanitisation” of digital media without defining the method, tool, verification output, or escalation path required for different media types. Technician C was left to interpret a technical control without operational criteria.
6.1.2. Technical Failures
- Inadequate shredder security level: DIN 66399 P-4 cross-cut output is materially less restrictive than P-5 output, and this scenario assumes P-5 or higher for SECRET-equivalent material [2]. The paper does not claim that P-4 fragments are always reconstructable. Reassembly risk depends on fragment volume, mixing, print layout, recovery conditions, and adversary capability. The narrower finding is that P-4 should not be accepted where the local policy requires a smaller particle standard.
- No certified media-appropriate sanitisation utility deployed: The media sanitisation workstation lacked an approved tool capable of selecting and verifying an appropriate method for the device type. A quick-format operation typically recreates or clears file-system structures but does not reliably remove underlying content. On flash media, even overwriting can be unreliable because wear levelling, over-provisioned space, and controller behaviour may leave prior data outside the logical address space exposed to the operating system [4,6].
- No post-sanitisation verification: No verification read, device-response log, cryptographic-erase confirmation, hash-based evidence where applicable, or certificate of sanitisation was generated. The record therefore asserted sanitisation without retaining the technical evidence needed to support that assertion.
- Absence of monitoring or logging for destruction events: No system log captured the execution of the sanitisation process. The investigation could examine the drives after the event, but it could not reconstruct a reliable contemporaneous audit trail.
6.1.3. Physical Failures
- Inadequate work-surface discipline: The paper jam response led to documents being set aside on an open desk within a Restricted Area. No procedure required a final physical sweep of the work area, batch tray, shredder feed area, or waste-bag staging point after destruction.
- USB drives returned to pool without physical quarantine: After Technician C’s pseudo-sanitisation, the drives were immediately returned to the communal supply pool. This blurred the distinction between sanitisation for reuse and destruction for disposal, complicated forensic preservation, and weakened continuity of evidence until Officer A quarantined the drives on Day 3.
6.1.4. Human Failures
- Overconfidence in technical procedures: Technician C appears to have equated quick-formatting with certified sanitisation. The available facts support a training gap, but they do not exclude other explanations such as ambiguous local instructions, time pressure, or an informal practice that had not previously been challenged.
- Routine-induced error: NCO B’s handling of the paper jam — setting pages aside to resolve the mechanical issue — is a predictable response under time pressure. The error became consequential because no post-destruction check forced the pages back into the accountability chain.
- Verbal instruction substituting for formal authorisation: Major D’s verbal instruction displaced the required authorisation route and signalled that procedural shortcuts were acceptable when operations were routine.
6.2. Causal Analysis
- 1.
- Training deficiency — Personnel did not demonstrate the level of understanding required for their destruction responsibilities, particularly the distinction between file deletion, formatting, clearing, purging, and destruction.
- 2.
- Equipment mismatch — The paper destruction equipment did not meet the particle-size threshold assumed by the fictional policy for the classification level handled.
- 3.
- Ambiguous digital-media process — The SOP referred to sanitisation but did not define acceptable methods by media type, tool output, verification evidence, or fallback to physical destruction.
- 4.
- Absence of procedural gates — No workflow step required written authorisation, witness presence, form completion, item-count reconciliation, or tool-generated verification before the event could be recorded as complete.
- 5.
- Supervisory bypass — Major D’s verbal instruction displaced the normal authorisation route and made informal execution possible.
6.3. Evidentiary Uncertainty and Alternative Interpretations
6.4. Risk Assessment
| Interpretation | Evidence Needed | Likely Effect |
|---|---|---|
| Best-case interpretation | Complete access reconstruction shows no unsupervised entry; USB drives were not reissued or mounted; recoverable artefacts are limited to non-substantive metadata | Could reduce likelihood from Medium to Low for affected assets, while preserving a compliance finding |
| Most defensible current interpretation | Access reconstruction is incomplete; pages remained intact; artefacts are confirmed but not fully characterised; records lack witness and verification evidence | Supports High pre-treatment risk because accountability and assurance failed |
| Worst-case interpretation | Evidence shows pages were viewed, drives were mounted after return to pool, or substantive classified files were reconstructed | Would strengthen the case for High risk and may increase incident severity beyond the bounded rating used here |
7. Corrective and Preventive Measures
7.1. Corrective Measures (Short-Term)
- CM-1
- Secure the recovered paper pages. Place all four recovered pages into sealed evidence bags, log them as Exhibit APC-001, and store them in the COMSEC Officer’s certified safe pending security authority notification. Owner: Officer A. Evidence and acceptance criterion: exhibit log and safe-custody record signed by Officer A and Major D; all pages accounted for; no further access without authorisation.
- CM-2
- Quarantine and image the USB drives. Quarantine all three USB drives; commission forensic sector-level imaging; retain images and chain-of-custody records; report recoverable content as required. Owner: Technician C under Officer A’s direction. Evidence and acceptance criterion: forensic reports for Exhibits APC-002 to APC-004; chain-of-custody forms; recoverable data catalogued and reported within the defined timeframe.
- CM-3
- Submit a formal incident report. Submit a formal incident report under NSA-D-04 Section 9 (fictional) within 24 hours of confirmed incomplete destruction. Owner: Major D. Evidence and acceptance criterion: filed incident report and authority acknowledgement; report states nature, extent, uncertainties, and immediate containment actions.
- CM-4
- Suspend classified destruction until controls are reset. Suspend classified material destruction pending procedure review, equipment decision, and personnel re-briefing. Owner: Major D. Evidence and acceptance criterion: signed unit order or notice; personnel acknowledgements; no destruction event occurs until the revised SOP is approved and briefed.
7.2. Preventive Measures (Medium/Long-Term)
- PM-1
- Rewrite SOP 12-03 around mandatory gates. The SOP did not define mandatory gates. The revised SOP should require written pre-authorisation, page-count reconciliation, approved paper and digital methods, witness protocol, Form DS-07 completion, and exception handling. Evidence and acceptance criterion: version-controlled SOP approved by command authority; distribution record; all relevant personnel briefed and signed.
- PM-2
- Procure compliant paper-destruction capability. The paper destruction equipment did not meet the scenario’s assumed SECRET-level threshold. The unit should procure and commission DIN P-5 or higher shredding capability and restrict the P-4 unit to material for which it is approved. Evidence and acceptance criterion: equipment certification, commissioning record, updated asset register; no SECRET-level destruction using non-compliant equipment.
- PM-3
- Deploy verified media sanitisation procedures. The digital media process did not distinguish deletion, formatting, clearing, purging, and destruction. The unit should deploy a sanitisation capability aligned with NIST SP 800-88 and local policy, requiring media-type identification, method selection, verification output, and escalation to physical destruction when evidence is insufficient. Evidence and acceptance criterion: tool qualification report, device compatibility matrix, sanitisation certificates, verification logs; unsupported or uncertain media are quarantined or destroyed rather than reused.
- PM-4
- Control witness availability. Witness availability was not controlled. SECRET and above destruction should require primary and alternate witnesses, written witness notification, and a rule that destruction cannot commence without physical presence and co-signature. Evidence and acceptance criterion: witness notification log and co-signed Form DS-07; zero destruction events without the required signature during audit.
- PM-5
- Require item-count and workspace checks. Destruction could be closed without item-count and workspace checks. Form DC-01 should become a mandatory pre/post-destruction checklist covering authorisation reference, item count, method, witness identity, certificate number, workspace sweep, and area reset. Evidence and acceptance criterion: completed Form DC-01 retained with Form DS-07 for each event; all checklist fields complete or exception-approved.
- PM-6
- Demonstrate personnel competence. Personnel lacked demonstrated competence for destruction responsibilities. Training should cover classification handling, SOP obligations, shredder operation, media sanitisation limits, witness role, and form completion within 30 days of SOP publication and annually thereafter. Evidence and acceptance criterion: attendance records, acknowledgement signatures, version-controlled training material; 100% of relevant personnel trained within the required period.
- PM-7
- Test compliance independently. Compliance was not independently tested. The unit should conduct semi-annual internal audits and annual external review of destruction records, device registers, certificates, equipment certification, and exception logs. Evidence and acceptance criterion: audit reports and remediation log; critical findings closed within 30 days; no repeat critical findings in successive audits.
- PM-8
- Manage transition risk. Transition risks could create a destruction backlog or further shortcuts. The unit should establish an implementation sequence for procurement, tool qualification, witness scheduling, and temporary storage. During transition, SECRET paper remains sealed and logged; uncertain removable media remain quarantined. Evidence and acceptance criterion: transition plan, exception register, procurement file, temporary storage log, and weekly status notes; no destruction event occurs under the old process.
7.3. Expected Post-Treatment Risk
8. Lessons Learned and Applicability
8.1. Lessons Learned
Lesson 1 — Certification must be evidence-based.
Lesson 2 — The workflow must stop when evidence is missing.
Lesson 3 — Media reuse and media disposal are different decisions.
Lesson 4 — Procurement is part of security control design.
Lesson 6 — Low-technology controls still matter.
8.2. Case Limits and Assumptions
8.3. Conditions for Generalisation
9. Conclusions
References
- National Archives and Records Administration. 32 CFR Part 117 — National Industrial Security Program Operating Manual. Electronic Code of Federal Regulations. 2026. Available online: https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-117.
- Deutsches Institut für Normung. DIN 66399: Office machines — Destruction of data carriers (Parts 1–3). DIN, 2012.
- International Organization for Standardization. ISO/IEC 27001:2022: Information security, cybersecurity and privacy protection — Information security management systems — Requirements; ISO. 2022.
- Kissel, R.; Regenscheid, A.; Scholl, M.; Stine, K. NIST Special Publication 800-88 Rev. 1; Guidelines for media sanitization. National Institute of Standards and Technology, 2014. [CrossRef]
- NATO Security Committee. AC/35-D/2004-REV2: Primary directive on INFOSEC; North Atlantic Treaty Organization, 2010. [Google Scholar]
- United Kingdom National Cyber Security Centre. Secure sanitisation and disposal of storage media. NCSC. 2025. Available online: https://www.ncsc.gov.uk/guidance/secure-sanitisation-storage-media.
- National Institute of Standards and Technology. Cybersecurity Framework (CSF) 2.0. NIST. 2024. Available online: https://www.nist.gov/cyberframework.
- European Union Agency for Cybersecurity. ENISA Threat Landscape 2024. ENISA. 2024. Available online: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024.
- National Institute of Standards and Technology. Security and Privacy Controls for Information Systems and Organizations. NIST Special Publication 800-53 Rev. 5; NIST. 2020. [Google Scholar] [CrossRef]
- National Institute of Standards and Technology. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST Special Publication 800-171 Rev. 3; NIST. 2024. [Google Scholar] [CrossRef]
- Cybersecurity and Infrastructure Security Agency. Zero Trust Maturity Model Version 2.0. CISA. 2023. Available online: https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model.
- International Organization for Standardization. ISO/IEC 27002:2022: Information security, cybersecurity and privacy protection — Information security controls; ISO. 2022.
| Rating | Likelihood Criteria | Impact Criteria |
|---|---|---|
| Low | Short exposure window; material continuously controlled; residual data not recoverable with ordinary tools; compensating controls documented | Limited sensitivity; no material accountability break; minor procedural correction sufficient |
| Medium | Restricted but non-exclusive access; incomplete access reconstruction; partial residual recoverability; compensating controls absent or undocumented | Classified or sensitive content potentially exposed; reportable compliance issue; command confidence affected |
| High | Material available outside the verified destruction chain; broad or unknown access; recoverable content confirmed; repeated control failure | Serious confidentiality consequences; material accountability lost; likely external notification or suspension of destruction authority |
| Asset | Threat | Impact | Likelihood | Risk Level |
|---|---|---|---|---|
| Recovered SECRET paper pages (4 pp.) | Unauthorised disclosure of intelligence content | High: confidentiality and compliance consequences; actual viewing not established | Medium: access restricted, but pages remained intact for approximately two days and access reconstruction is incomplete | HIGH |
| USB drives (3 units) with recoverable artefacts | Reconstruction of prior classified or sensitive content by an insider or forensic-capable actor | High if artefacts include substantive content; lower if limited to filenames or metadata, but still a compliance failure | Medium: drives were returned to a communal pool for approximately two days; extent of reuse is unresolved | HIGH |
| Document and destruction records | Loss of accountability over classified material and inability to prove certified destruction | Medium–High: record integrity and command assurance impaired | High: the discrepancy and missing certificate are established facts | HIGH |
| Destruction workflow | Repeat failure, audit finding, or temporary suspension of destruction authority | Medium–High: recurring non-compliance would affect operational continuity and external confidence | High: multiple controls failed in a single workflow and no hard stop prevented completion | HIGH |
| Risk Area | Principal Controls Applied | Expected Likelihood | Target Residual Risk |
|---|---|---|---|
| Incomplete destruction of SECRET paper material | P-5 or higher shredder; page-count reconciliation; witness co-signature; post-destruction workspace sweep | Low | LOW |
| Recoverable data on removable digital media | Media-appropriate sanitisation method; verification logs; certificate generation; quarantine of uncertain media | Low–Medium | LOW–MEDIUM |
| Missing documentary evidence and audit trail | Form DS-07; Form DC-01; device register update; retained machine-generated sanitisation evidence | Low | LOW |
| Systemic SOP non-compliance | Revised SOP; hard-stop procedural gates; annual training; semi-annual internal audit and annual external audit | Medium | MEDIUM |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).