Preprint
Article

This version is not peer-reviewed.

Failure in Certified Destruction of Classified Material in Critical Information Systems Environments

Submitted:

15 June 2026

Posted:

16 June 2026

You are already at the latest version

Abstract
This case study analyses a simulated failure in the certified destruction of classified material within a fictional national defence intelligence processing unit. Four SECRET-level printed pages survived a recorded shredding event, and three flash-based USB drives were returned to circulation after logical deletion and quick-formatting rather than verified sanitisation. The central problem was not a single mechanical or technical error; it was a workflow that allowed destruction to be certified without evidence adequate to prove completion. The study reconstructs the event from an intentionally bounded evidence set, separates observed facts from unresolved questions, and maps the failures to procedural, technical, physical, human, and governance controls. Public standards are used as reference points for control design, while the local thresholds and fictional forms remain scenario assumptions. Risk is assessed through explicit likelihood and impact criteria rather than statistical probability. Pre-treatment risk is rated high because material accountability was lost, intact classified pages remained outside the verified destruction chain for approximately two days, and residual digital artefacts were identified on all three drives. The article proposes corrective and preventive controls focused on written authorisation, count reconciliation, witness verification, media-specific sanitisation, quarantine of uncertain media, training, and audit evidence. The findings should be read as a training and control-analysis model, not as proof of a real compromise or as a universal statement of national classification requirements.The findings are particularly relevant for critical information systems environments, where failures in certified destruction processes may affect operational continuity, accountability, resilience, and trust in security governance mechanisms.
Keywords: 
;  ;  ;  ;  ;  ;  ;  ;  ;  ;  ;  

1. Introduction

Four SECRET-level pages survived a certified destruction event. Three USB drives were returned to service even though the supporting record showed only logical deletion and quick-formatting. In that situation, the most serious weakness is not the paper jam or the formatting command alone. Mechanical interruptions and operator mistakes are foreseeable. The more consequential failure is that the organisation could close the destruction process without proving what had been destroyed, by whom, by which method, and with what independent evidence.
In critical information systems environments, certified destruction procedures constitute an essential security control. Failures affecting the disposal of classified information or digital media may compromise operational assurance, regulatory compliance, incident investigation capability, and trust in information security governance.
The lifecycle of classified information therefore does not end when a report is closed, transferred, or superseded. Destruction is a custody and assurance control in its own right. If a destruction record is accepted without a verified item count, an approved method, an independent witness, and retained evidence, the organisation no longer has reliable accountability for the information. A paper document shredded to an insufficient particle size, or a digital file removed only through operating-system deletion, may remain partially or fully recoverable by ordinary forensic methods [4,5].
This article examines that problem through a simulated incident in the Alpha Processing Cell (APC), a fictional national defence intelligence processing unit. The case is situated in the domains of Information Security (INFOSEC) and Communications Security (COMSEC), with emphasis on end-of-life handling of paper records and removable digital media. The classification scheme, unit designations, forms, and personnel names are fictional. The technical principles are drawn from public standards and doctrine, while the specific internal thresholds and forms are scenario assumptions.
The central thesis is that certified destruction fails when certification becomes a clerical act detached from evidence. In the scenario, the visible errors are easy to identify: a paper jam interrupted shredding, and a quick-format command was treated as sanitisation. Those errors matter, but they became serious because the workflow lacked mandatory recovery steps, witness controls, page-count reconciliation, technical verification, and documentary gates.
The study has three aims. First, it reconstructs the incident while distinguishing confirmed facts from unresolved questions. Second, it identifies immediate and contributing failures across procedure, technology, workspace discipline, training, supervision, and procurement. Third, it proposes controls that are testable: each remedy must produce evidence capable of review by a supervisor, auditor, or security authority.
Scope and limitations: The scenario is simulated and is intended for control analysis and training. It is not evidence of a real incident, nor does it establish actual unauthorised disclosure. The event is treated as a potential compromise because accountability was broken; the analysis preserves the distinction between recoverability, loss of custody, and proven access.

2. Methodology

The article uses a qualitative incident-analysis method rather than a quantitative risk model. That choice follows from the evidence available in the scenario. There is no statistical population of comparable destruction failures, no measured adversary intent, and no complete reconstruction of access during the exposure window. Assigning a numerical probability would therefore imply a precision that the case cannot support. The analysis instead combines evidence reconstruction, control mapping, and bounded risk judgement.
The method proceeds in four steps. First, Section 4 separates established facts from open questions. Second, the failures are mapped to five control families: procedural, technical, physical, human, and governance/procurement. Third, the causal analysis distinguishes triggering events from enabling conditions. Fourth, risk is assessed through explicit likelihood and impact criteria so that the rating can be challenged, not merely accepted.
This approach is narrower than a full fault-tree analysis or bow-tie model. It is also intentionally more concrete than a checklist review because each recommendation is linked to a specific evidential weakness. Its main limitation is that it cannot prove intent, disclosure, or exact digital recoverability beyond the facts supplied by the scenario. Where the evidence is incomplete, the article states the uncertainty rather than filling the gap with assumed facts.
The standards cited in Section 5 are used as reference points rather than as binding law for the fictional organisation. NIST SP 800-88 frames the distinction between deletion, clearing, purging, and destruction of digital media. DIN 66399 provides a paper-destruction vocabulary and particle-size categories. ISO/IEC 27001 and NATO policy provide governance analogues for controlled deletion, accountability, and classified-information handling. Fictional instruments such as NSA-D-04, APC SOP 12-03, Form DS-07, and Form DC-01 define the local requirements assumed for this scenario.
Risk is assessed qualitatively. Likelihood is inferred from exposure duration, access conditions, residual recoverability, evidence gaps, and compensating controls. Impact is inferred from classification level, compliance consequences, operational sensitivity, and the degree to which accountability can be reconstructed. The resulting judgement is conservative but bounded: the event is treated as a potential compromise until containment and review are complete, but the analysis does not state that unauthorised access occurred.

3. Operational Context and Assumptions

3.1. Type of Unit and Environment

The scenario is set within the Alpha Processing Cell (APC), a fictitious subordinate element of a national defence organisation responsible for receiving, processing, and forwarding intelligence reports to command echelons. The APC operates from a SCIF-equivalent Restricted Area with controlled entry and two-person integrity rules for the innermost working spaces.
The APC regularly handles material classified at RESTRICTED, CONFIDENTIAL, and SECRET levels under the fictional national scheme. At end-of-life, such material must be destroyed under internally approved Standard Operating Procedures (SOPs) and relevant national authority guidance. The scenario assumes ordinary operational constraints: limited destruction windows, shared equipment, rotating witness availability, and a supply pool for removable media. These constraints do not excuse the failure. They explain why shortcuts can become normal if the workflow does not contain hard stops.

3.2. Actors and Roles

Table 1. APC Roles and Responsibilities.
Table 1. APC Roles and Responsibilities.
Role Designation Responsibilities
COMSEC/INFOSEC Officer Officer A Authorises destruction events; maintains destruction log; issues destruction certificates
Document Controller NCO B Executes physical destruction; updates document register
System Administrator Technician C Conducts digital media sanitisation and device tracking
Unit Security Officer Major D Oversees security compliance; approves classified media disposal under local policy
Independent Witness Officer E (rotated) Observes destruction; verifies completion; co-signs certificates
Auditor (periodic) External Inspector F Reviews destruction records and compliance during scheduled audits

3.3. Relevant Assets

  • Printed intelligence reports (SECRET level, 34 pages total) generated during Exercise IRONVEIL, to be destroyed following exercise closure.
  • USB solid-state flash drives (3 units, CONFIDENTIAL level) used to transport processed imagery products between workstations.
  • Document register (physical and electronic) tracking custody, handling, and lifecycle status of classified items.
  • Destruction certificates (Form DS-07, fictional) required for each destruction event under the scenario policy.
  • Cross-cut shredder (DIN 66399 Level P-4) used as the unit’s primary paper destruction device.
  • Digital media sanitisation workstation intended for media wiping and reuse decisions.

3.4. Classification Levels Considered

All classification levels in this study are fictional constructs used to illustrate procedural requirements. No real classification markings, codewords, or protected information are used. Levels referenced (RESTRICTED, CONFIDENTIAL, SECRET) correspond to illustrative tiers with increasing handling and destruction requirements.

3.5. Access Rules and Dependencies

Access to classified material is governed by need-to-know and formal access authorisation. The destruction process requires: (a) authorisation by the COMSEC/INFOSEC Officer; (b) execution by the Document Controller or System Administrator; and (c) independent verification by a witness who did not perform the destruction. This three-party segregation is intended to prevent accidental and deliberate failures from being recorded as completed destruction.

4. Case Description: Timeline and Evidence

4.1. Event Timeline

T0 
Day 1, 09:00: Exercise IRONVEIL concludes. Major D gives NCO B a verbal instruction to dispose of the 34-page SECRET exercise report set and to return three USB drives to the supply pool after sanitisation. No written destruction authorisation is found in the case file. The scenario does not establish whether Officer A was consulted informally before the instruction.
T1 
Day 1, 10:30: NCO B feeds the 34-page document set through the DIN P-4 cross-cut shredder in batches. A paper jam occurs during the second batch. NCO B separates stapled pages, clears the jam, and resumes shredding. Four pages are set aside on a desk and are not returned to the destruction queue. The destruction register is later marked “complete”, but it does not record a page-count reconciliation, a bag seal number, or a witness signature.
T2 
Day 1, 11:15: Technician C collects the three USB drives. The device log states “sanitised — returned to pool”, but the supporting technical evidence shows only operating-system deletion followed by quick-formatting. No approved tool name, command output, device-response log, cryptographic-erase confirmation, verification hash, or sanitisation certificate is retained.
T3 
Day 1, 14:00: Officer E, the designated witness, is recorded as assigned to duties elsewhere. The access-control logs do not place Officer E in the destruction area at T1 or T2. No alternate witness is designated. No Form DS-07 is completed for either the paper or digital-media event.
T4 
Day 3, 08:30: During a routine stocktake, Officer A identifies that the document register records 34 pages issued while the destruction entry contains no verified count. A work-area inspection recovers four intact SECRET pages from the desk used during the paper-jam response. The scenario does not establish who entered the room between T1 and T4 or whether any person read the recovered pages.
T5 
Day 3, 09:15: Officer A escalates the discrepancy to Major D. The USB drives are quarantined pending forensic review. The delay between return-to-pool and quarantine creates uncertainty over whether the devices were reissued, mounted, or otherwise accessed during the intervening period.
T6 
Day 5: An internal forensic examiner creates sector-level images of the USB drives. Recoverable artefacts are identified on all three devices, including residual fragments and metadata consistent with content predating the supposed sanitisation. The report does not establish that complete files were reconstructed, that all artefacts were classified, or that an unauthorised party accessed the data.

4.2. Available Evidence

  • Document register (electronic): records issuance of 34 pages and identifies the set as pending destruction after exercise closure. It does not contain a matching verified destruction count.
  • Destruction log (physical): contains NCO B’s entry marked “complete”, but no witness signature, no Form DS-07 reference, no bag or batch identifier, and no exception note for the paper jam.
  • Device tracking log: records the USB drives as “sanitised — returned to pool”, but does not identify the tool, command, media type decision, verification result, or certificate number.
  • Recovered paper pages: four intact SECRET pages recovered from the work surface and logged by Officer A as Exhibit APC-001. The facts support non-destruction; they do not prove that the pages were viewed.
  • Forensic disk image report: identifies recoverable artefacts on all three drives, referenced as Exhibits APC-002, APC-003, and APC-004. The scenario leaves unresolved whether the artefacts are complete files, partial content, filenames, thumbnails, directory entries, embedded metadata, or remnants outside the normal file-system view.
  • Access-control logs: confirm that Officer E was not present in the destruction area at T1 or T2. They do not provide a complete account of every person who may have entered the broader Restricted Area during the two-day exposure window.
  • CCTV and room-use records: treated as potentially relevant but incomplete in the scenario. Their absence is itself an assurance limitation because the investigation cannot independently reconstruct all post-event access.
The evidence therefore supports three findings and one important boundary. It supports incomplete paper destruction, inadequate digital sanitisation, and deficient accountability. It does not establish actual viewing of the pages, reconstruction of full classified files, or disclosure outside the Restricted Area.

5. Normative and Procedural Framework

5.1. Applicable Standards and Policies

The framework separates public reference standards from fictional organisational instruments. NIST SP 800-88, ISO/IEC 27001, DIN 66399, NATO policy, and related technical guidance are used to structure the analysis; they are not presented as the direct legal basis for the APC. NSA-D-04, APC SOP 12-03, Form DS-07, and Form DC-01 are fictional artefacts created for the scenario. This distinction avoids a circular argument: the article does not claim that a fictional rule proves a real-world legal breach. Instead, the fictional rule provides a test case for control principles that appear in public guidance on sanitisation, deletion, accountability, and classified-information handling.
Table 2. Reference Standards, Policies, and Their Relevance.
Table 2. Reference Standards, Policies, and Their Relevance.
Source Type Reference Relevance
Real external standard NIST SP 800-88 Rev. 1 (2014) — Guidelines for Media Sanitisation Defines Clear, Purge, and Destroy approaches for digital media and stresses verification of sanitisation outcomes
Real external policy reference NATO INFOSEC Doc AC/35-D/2004-REV2 Provides an analogue for classified-information handling and destruction governance
Real external standard ISO/IEC 27001:2022 — Annex A, Control 8.10 Requires controlled deletion procedures for information stored in systems, devices, or other storage media
Real external standard DIN 66399 (2012) — Paper Destruction Standard Defines security levels for paper destruction (P-1 through P-7); this scenario assumes, as a local policy choice, P-5 or higher for SECRET-equivalent material
Fictional national directive National Security Authority Directive NSA-D-04 Scenario-specific policy requiring witness co-signature and Form DS-07 for all SECRET and above destruction events
Fictional unit procedure APC SOP 12-03 Scenario-specific unit-level SOP for classified material lifecycle; found to be outdated and incomplete in this incident

5.2. Applicable Requirements

For this scenario, the following requirements define the expected destruction process:
  • Storage and access: SECRET-level material must be stored in nationally approved secure containers and accessed only by authorised personnel with need-to-know. This is a fictional control assumption, not a universal statement about all jurisdictions.
  • Destruction authorisation: Destruction must be authorised in writing by the COMSEC/INFOSEC Officer before work begins. Verbal direction may initiate planning, but it cannot substitute for the authorising record.
  • Execution and witnessing: Destruction must be performed in the presence of an independent witness who did not handle the material during its active lifecycle.
  • Documentary evidence: A destruction certificate, such as Form DS-07 or equivalent, must be completed, signed by both the executing person and the witness, and retained for the period specified by the fictional national authority.
  • Paper destruction: The local policy assumption is that SECRET-equivalent paper requires DIN P-5 or higher. DIN 66399 supplies the particle-size framework; the classification threshold is the scenario’s policy choice rather than a universal mapping between DIN levels and national classification markings [2].
  • Digital sanitisation: Removal of files using operating-system commands does not constitute sanitisation. The decision must distinguish media reuse from end-of-life disposal. For magnetic media, overwrite-based Clear or Purge operations may be appropriate when verified. For flash-based devices and SSDs, the selected method must account for wear levelling, over-provisioned blocks, and controller behaviour; cryptographic erase, device-supported sanitize/block-erase commands, verified purge functions, or physical destruction may be required depending on classification, device capability, encryption state, reuse decision, and policy [1,4,6].
  • Incident reporting: Suspected incomplete destruction must be reported to the Unit Security Officer and, where appropriate, to the national security authority within defined time frames.

5.3. Responsibilities and Decision Authority

The authorisation to destroy rests with the COMSEC/INFOSEC Officer (Officer A), subject to approval by the Unit Security Officer (Major D) for SECRET-level material under the scenario policy. Execution is delegated to the Document Controller or System Administrator. Verification is assigned to an independent witness. No single person may both execute and verify destruction. The Unit Security Officer retains command accountability for compliance within the unit, but that accountability does not make verbal instruction a substitute for the written destruction record.

6. Technical-Operational Analysis

6.1. Failure Identification

6.1.1. Procedural Failures

  • Absent or non-enforced pre-destruction authorisation: NCO B commenced destruction following a verbal instruction from Major D, without the required written authorisation from Officer A. The SOP requirement for written pre-authorisation was therefore either not understood, not enforced, or treated as optional.
  • No page-count verification: The destruction entry was marked complete without reconciling the destroyed page count against the document register. APC SOP 12-03 also contains no explicit checklist item requiring this verification step, which made the omission easier to miss.
  • Witness not notified or arranged: No mechanism ensured that Officer E was available and present. The SOP did not define a formal notification process, an alternate-witness procedure, or a hard stop when the designated witness was unavailable.
  • Destruction certificate not completed: Form DS-07 was not completed for either the paper or digital event. The requirement appears in NSA-D-04, but it was not embedded in the workflow as a condition for closing the destruction record.
  • Digital sanitisation method not specified: APC SOP 12-03 references “sanitisation” of digital media without defining the method, tool, verification output, or escalation path required for different media types. Technician C was left to interpret a technical control without operational criteria.

6.1.2. Technical Failures

  • Inadequate shredder security level: DIN 66399 P-4 cross-cut output is materially less restrictive than P-5 output, and this scenario assumes P-5 or higher for SECRET-equivalent material [2]. The paper does not claim that P-4 fragments are always reconstructable. Reassembly risk depends on fragment volume, mixing, print layout, recovery conditions, and adversary capability. The narrower finding is that P-4 should not be accepted where the local policy requires a smaller particle standard.
  • No certified media-appropriate sanitisation utility deployed: The media sanitisation workstation lacked an approved tool capable of selecting and verifying an appropriate method for the device type. A quick-format operation typically recreates or clears file-system structures but does not reliably remove underlying content. On flash media, even overwriting can be unreliable because wear levelling, over-provisioned space, and controller behaviour may leave prior data outside the logical address space exposed to the operating system [4,6].
  • No post-sanitisation verification: No verification read, device-response log, cryptographic-erase confirmation, hash-based evidence where applicable, or certificate of sanitisation was generated. The record therefore asserted sanitisation without retaining the technical evidence needed to support that assertion.
  • Absence of monitoring or logging for destruction events: No system log captured the execution of the sanitisation process. The investigation could examine the drives after the event, but it could not reconstruct a reliable contemporaneous audit trail.

6.1.3. Physical Failures

  • Inadequate work-surface discipline: The paper jam response led to documents being set aside on an open desk within a Restricted Area. No procedure required a final physical sweep of the work area, batch tray, shredder feed area, or waste-bag staging point after destruction.
  • USB drives returned to pool without physical quarantine: After Technician C’s pseudo-sanitisation, the drives were immediately returned to the communal supply pool. This blurred the distinction between sanitisation for reuse and destruction for disposal, complicated forensic preservation, and weakened continuity of evidence until Officer A quarantined the drives on Day 3.

6.1.4. Human Failures

  • Overconfidence in technical procedures: Technician C appears to have equated quick-formatting with certified sanitisation. The available facts support a training gap, but they do not exclude other explanations such as ambiguous local instructions, time pressure, or an informal practice that had not previously been challenged.
  • Routine-induced error: NCO B’s handling of the paper jam — setting pages aside to resolve the mechanical issue — is a predictable response under time pressure. The error became consequential because no post-destruction check forced the pages back into the accountability chain.
  • Verbal instruction substituting for formal authorisation: Major D’s verbal instruction displaced the required authorisation route and signalled that procedural shortcuts were acceptable when operations were routine.

6.2. Causal Analysis

The most defensible root-cause finding is the absence of a complete, enforced, and tested destruction procedure for paper and digital classified material. APC SOP 12-03 existed in name, but it did not translate the policy requirement into operational gates that personnel had to satisfy before destruction could proceed. The incident therefore reflects a control-system failure, not merely an individual lapse.
The contributing factors are separable but connected:
1.
Training deficiency — Personnel did not demonstrate the level of understanding required for their destruction responsibilities, particularly the distinction between file deletion, formatting, clearing, purging, and destruction.
2.
Equipment mismatch — The paper destruction equipment did not meet the particle-size threshold assumed by the fictional policy for the classification level handled.
3.
Ambiguous digital-media process — The SOP referred to sanitisation but did not define acceptable methods by media type, tool output, verification evidence, or fallback to physical destruction.
4.
Absence of procedural gates — No workflow step required written authorisation, witness presence, form completion, item-count reconciliation, or tool-generated verification before the event could be recorded as complete.
5.
Supervisory bypass — Major D’s verbal instruction displaced the normal authorisation route and made informal execution possible.
The causal chain is therefore better expressed as: incomplete SOP → informal authorisation → ungated execution → incomplete paper destruction and inadequate digital sanitisation → weak evidence of completion → delayed discovery through stocktake and forensic review.
This conclusion leaves room for competing interpretations. The paper-handling failure may be routine-induced error during a paper jam, not intentional non-compliance. The digital-media failure may reflect misunderstanding rather than concealment. The absence of a witness may reflect scheduling failure rather than a deliberate decision to evade control. Those interpretations do not reduce the seriousness of the incident. They explain why the remedy must address procedure, supervision, equipment, and training rather than only individual discipline.

6.3. Evidentiary Uncertainty and Alternative Interpretations

The available evidence supports a finding of incomplete destruction and inadequate sanitisation. It does not by itself prove hostile access, full reconstruction of classified files, or disclosure outside the Restricted Area. The recovered paper pages establish physical non-destruction. The forensic report establishes residual recoverability on the USB drives after quick-formatting. The access-control logs establish that the designated witness was not present. Together, these facts justify escalation and conservative risk treatment.
Several uncertainties remain relevant to risk judgement. The scenario does not identify who entered the work area between T1 and T4, whether any person viewed the four intact pages, whether the USB drives were used after being returned to the pool, or what proportion of the prior digital content was recoverable. These gaps mean that the event should be treated as a potential compromise and a compliance failure, while avoiding an unsupported conclusion that compromise actually occurred.
A brief comparison to common control classes helps clarify the general relevance of the scenario. The event combines familiar weaknesses: incomplete destruction records, reuse of removable media without defensible sanitisation evidence, weak witness procedures, and reliance on informal supervisory direction. The case is fictional, but those control classes are not unusual within security-audit logic. Its value is therefore not empirical frequency; it is the way the scenario shows how small omissions interact when certification is allowed to close the evidential gap.

6.4. Risk Assessment

Risk is assessed using a three-level likelihood–impact matrix. The scoring is qualitative, but the criteria are explicit. Impact is rated according to confidentiality harm, compliance consequences, operational sensitivity, and loss of accountability. Likelihood is rated according to exposure window, number and type of people with possible access, technical recoverability, and the presence or absence of compensating controls. Table 3 defines the interpretation used in this article.
The combined rating follows a conservative rule: High impact with Medium or High likelihood is treated as High risk; Medium–High impact with High likelihood is also treated as High where the compliance failure has already occurred. This rule does not mean that every uncertainty automatically becomes High. Evidence that materially narrows exposure, proves continuous custody, or shows that artefacts were non-substantive would reduce likelihood and could support a lower rating.
Table 4. Sensitivity of the Risk Judgement to Alternative Interpretations.
Table 4. Sensitivity of the Risk Judgement to Alternative Interpretations.
Interpretation Evidence Needed Likely Effect
Best-case interpretation Complete access reconstruction shows no unsupervised entry; USB drives were not reissued or mounted; recoverable artefacts are limited to non-substantive metadata Could reduce likelihood from Medium to Low for affected assets, while preserving a compliance finding
Most defensible current interpretation Access reconstruction is incomplete; pages remained intact; artefacts are confirmed but not fully characterised; records lack witness and verification evidence Supports High pre-treatment risk because accountability and assurance failed
Worst-case interpretation Evidence shows pages were viewed, drives were mounted after return to pool, or substantive classified files were reconstructed Would strengthen the case for High risk and may increase incident severity beyond the bounded rating used here
The assessment distinguishes three states: pre-treatment risk, immediate post-containment risk, and target residual risk. Table 5 addresses the first state, before the corrective and preventive measures in Section 7 are implemented.
Overall pre-treatment risk is assessed as HIGH. The rating is based on recoverability, loss of accountability, and evidentiary uncertainty, not on proven disclosure. Immediate containment reduces exposure by securing the paper pages and quarantining the drives, but it does not by itself repair the systemic failure. Residual risk should therefore be assessed only after the revised process has operated and been audited.

7. Corrective and Preventive Measures

The response should not be limited to discipline or retraining. The incident arose because the process could produce a completed destruction record without the evidence that made completion credible. Corrective measures therefore preserve evidence and contain uncertainty; preventive measures redesign the workflow so that a similar event cannot be closed without authorisation, witness verification, technical proof, and audit-ready records.

7.1. Corrective Measures (Short-Term)

The immediate corrective measures are deliberately narrow. Their purpose is to preserve evidence, prevent further exposure, and create a defensible record before any wider remediation begins.
CM-1 
Secure the recovered paper pages. Place all four recovered pages into sealed evidence bags, log them as Exhibit APC-001, and store them in the COMSEC Officer’s certified safe pending security authority notification. Owner: Officer A. Evidence and acceptance criterion: exhibit log and safe-custody record signed by Officer A and Major D; all pages accounted for; no further access without authorisation.
CM-2 
Quarantine and image the USB drives. Quarantine all three USB drives; commission forensic sector-level imaging; retain images and chain-of-custody records; report recoverable content as required. Owner: Technician C under Officer A’s direction. Evidence and acceptance criterion: forensic reports for Exhibits APC-002 to APC-004; chain-of-custody forms; recoverable data catalogued and reported within the defined timeframe.
CM-3 
Submit a formal incident report. Submit a formal incident report under NSA-D-04 Section 9 (fictional) within 24 hours of confirmed incomplete destruction. Owner: Major D. Evidence and acceptance criterion: filed incident report and authority acknowledgement; report states nature, extent, uncertainties, and immediate containment actions.
CM-4 
Suspend classified destruction until controls are reset. Suspend classified material destruction pending procedure review, equipment decision, and personnel re-briefing. Owner: Major D. Evidence and acceptance criterion: signed unit order or notice; personnel acknowledgements; no destruction event occurs until the revised SOP is approved and briefed.

7.2. Preventive Measures (Medium/Long-Term)

The preventive measures below connect each recommendation to the failure it addresses and to the evidence it must produce. They are presented as implementation requirements rather than as a compliance table, because the key issue in the incident was not the absence of paperwork alone but the absence of hard procedural gates that made the paperwork reliable.
PM-1 
Rewrite SOP 12-03 around mandatory gates. The SOP did not define mandatory gates. The revised SOP should require written pre-authorisation, page-count reconciliation, approved paper and digital methods, witness protocol, Form DS-07 completion, and exception handling. Evidence and acceptance criterion: version-controlled SOP approved by command authority; distribution record; all relevant personnel briefed and signed.
PM-2 
Procure compliant paper-destruction capability. The paper destruction equipment did not meet the scenario’s assumed SECRET-level threshold. The unit should procure and commission DIN P-5 or higher shredding capability and restrict the P-4 unit to material for which it is approved. Evidence and acceptance criterion: equipment certification, commissioning record, updated asset register; no SECRET-level destruction using non-compliant equipment.
PM-3 
Deploy verified media sanitisation procedures. The digital media process did not distinguish deletion, formatting, clearing, purging, and destruction. The unit should deploy a sanitisation capability aligned with NIST SP 800-88 and local policy, requiring media-type identification, method selection, verification output, and escalation to physical destruction when evidence is insufficient. Evidence and acceptance criterion: tool qualification report, device compatibility matrix, sanitisation certificates, verification logs; unsupported or uncertain media are quarantined or destroyed rather than reused.
PM-4 
Control witness availability. Witness availability was not controlled. SECRET and above destruction should require primary and alternate witnesses, written witness notification, and a rule that destruction cannot commence without physical presence and co-signature. Evidence and acceptance criterion: witness notification log and co-signed Form DS-07; zero destruction events without the required signature during audit.
PM-5 
Require item-count and workspace checks. Destruction could be closed without item-count and workspace checks. Form DC-01 should become a mandatory pre/post-destruction checklist covering authorisation reference, item count, method, witness identity, certificate number, workspace sweep, and area reset. Evidence and acceptance criterion: completed Form DC-01 retained with Form DS-07 for each event; all checklist fields complete or exception-approved.
PM-6 
Demonstrate personnel competence. Personnel lacked demonstrated competence for destruction responsibilities. Training should cover classification handling, SOP obligations, shredder operation, media sanitisation limits, witness role, and form completion within 30 days of SOP publication and annually thereafter. Evidence and acceptance criterion: attendance records, acknowledgement signatures, version-controlled training material; 100% of relevant personnel trained within the required period.
PM-7 
Test compliance independently. Compliance was not independently tested. The unit should conduct semi-annual internal audits and annual external review of destruction records, device registers, certificates, equipment certification, and exception logs. Evidence and acceptance criterion: audit reports and remediation log; critical findings closed within 30 days; no repeat critical findings in successive audits.
PM-8 
Manage transition risk. Transition risks could create a destruction backlog or further shortcuts. The unit should establish an implementation sequence for procurement, tool qualification, witness scheduling, and temporary storage. During transition, SECRET paper remains sealed and logged; uncertain removable media remain quarantined. Evidence and acceptance criterion: transition plan, exception register, procurement file, temporary storage log, and weekly status notes; no destruction event occurs under the old process.

7.3. Expected Post-Treatment Risk

Table 6 maps the main controls to the risks identified in Table 5. The ratings assume that the controls are fully implemented, personnel are trained, equipment has been commissioned, and at least one follow-up audit confirms that the process is operating as designed. They should therefore be read as target residual-risk ratings, not as immediate post-incident conditions.
The residual risk is not uniformly LOW. Digital media remains at LOW–MEDIUM because flash devices may not expose all storage locations to software tools, and systemic SOP compliance remains MEDIUM until repeated audits demonstrate durable behavioural change. This conservative rating avoids overstating the effect of a single procedural revision.

8. Lessons Learned and Applicability

8.1. Lessons Learned

Lesson 1 — Certification must be evidence-based.

A destruction certificate is not reliable because it exists. It is reliable only when it is tied to a verified item count, an approved method, an independent witness, and retained technical or physical evidence. The failure in this case is therefore not only incomplete destruction, but unsupported certification.

Lesson 2 — The workflow must stop when evidence is missing.

Form DS-07, Form DC-01, witness co-signature, and machine-generated sanitisation records should operate as hard gates. If a required element is absent, the event should remain open or be escalated. A checklist that can be completed retrospectively without verification is a record-keeping exercise, not a control.

Lesson 3 — Media reuse and media disposal are different decisions.

The USB drives were treated as if quick-formatting made them safe for return to the supply pool. A defensible process must first decide whether reuse is authorised. Only then should it select a sanitisation method. Where the device cannot provide reliable evidence, physical destruction or continued quarantine is more defensible than reuse.

Lesson 4 — Procurement is part of security control design.

The DIN P-4 shredder was available, but availability did not make it appropriate for the classification level assumed in this scenario. Equipment selection should be linked to the highest classification handled, expected destruction volume, waste handling, certification evidence, and maintenance requirements.

Lesson 5 — Informal authority creates ambiguous accountability.

Major D’s verbal instruction may have been operationally convenient, but it displaced the normal authorisation chain. Written authorisation identifies the decision-maker, the material, the approved method, and the person accountable for accepting residual risk.

Lesson 6 — Low-technology controls still matter.

A final work-surface sweep and page-count reconciliation would probably have identified the four intact pages before the destruction entry was closed. The case shows that simple controls are effective when they are mandatory, witnessed, and auditable.

8.2. Case Limits and Assumptions

This case is entirely simulated. The operational context, personnel, unit designations, classification levels, forms, and policy references are fictitious. The technical findings are realistic in the limited sense that they reflect public guidance on paper destruction and digital media sanitisation, but they are not drawn from a real incident.
The scenario deliberately concentrates several failure modes in one event. That concentration is useful for training and control analysis, but it makes the case more orderly than many real investigations. A real incident would likely include incomplete records, contested recollections, uncertain CCTV retention, unclear room occupancy, and disagreement over whether local practice had silently diverged from written policy.
The article also does not test organisational culture empirically. It identifies normalised shortcuts as a plausible enabling condition because the workflow permitted verbal direction, retrospective closure, and unsupported sanitisation claims. A real investigation would need interviews, historical audit records, and supervision data before making firmer claims about culture or intent.

8.3. Conditions for Generalisation

The failure patterns identified — procedural incompleteness, equipment mismatch, training deficit, absent oversight, weak evidence, and normalised shortcuts — are generalisable as control categories across organisations that handle sensitive or regulated information. Potentially relevant settings include military and intelligence units, law enforcement agencies, financial institutions, healthcare organisations, and enterprises processing personal data under GDPR or equivalent frameworks. The standards cited here may inform controls in those settings, but implementation must be adapted to the applicable legal authority, classification regime, retention obligations, media types, available equipment, and organisational risk appetite [2,3,4].

9. Conclusions

This case study examined a simulated failure in the certified destruction of classified material. The incident involved two linked disposal failures: four SECRET-level printed pages remained intact after a shredding event, and three removable flash drives retained recoverable artefacts after logical deletion and quick-formatting. The available evidence supports findings of incomplete destruction, inadequate sanitisation, and deficient accountability. It does not prove that an unauthorised person viewed the paper pages or reconstructed complete digital files.
The strongest conclusion is that the APC accepted destruction as complete without evidence sufficient to support that conclusion. Procedurally, the workflow lacked enforceable gates for written authorisation, count reconciliation, witness verification, and certificate completion. Technically, the paper destruction equipment and digital sanitisation process were not matched to the scenario’s assumed classification requirements. Physically, the work surface and removable media were not controlled after the event. At the human and supervisory levels, routine pressure, ambiguous instructions, and verbal direction allowed informal practice to replace accountable procedure.
The risk rating is intentionally bounded. It is High before treatment because accountability was lost, intact pages remained outside the verified destruction chain, and digital recoverability was confirmed. It is not High because the article assumes espionage, hostile access, or full reconstruction of files. Better evidence could reduce the likelihood component; worse evidence could increase incident severity. The analysis therefore treats uncertainty as a reason for containment and investigation, not as a licence to overstate what happened.
The proposed measures address containment, recurrence prevention, and assurance. Immediate actions secure the recovered pages, quarantine the drives, report the incident, and freeze further destruction until the process is reviewed. Longer-term controls revise the SOP, upgrade paper destruction capability, define media-specific sanitisation decisions, require witness verification, introduce destruction checklists, train personnel, and audit compliance. The implementation sequence is important: if compliant equipment or qualified tools are not yet available, material should remain sealed or quarantined rather than processed under the defective workflow.
The broader lesson is that certified destruction depends less on any single form, tool, or checklist than on the combined operation of policy, equipment, records, supervision, training, and independent verification. A certificate closes a custody chain only when the organisation can show why the certificate should be trusted. From a critical information systems perspective, effective destruction procedures, media sanitisation controls, and reliable audit evidence are fundamental requirements for maintaining accountability, resilience, and trust throughout the information lifecycle. The case demonstrates how seemingly routine destruction failures may generate systemic risks in critical information systems environments.

References

  1. National Archives and Records Administration. 32 CFR Part 117 — National Industrial Security Program Operating Manual. Electronic Code of Federal Regulations. 2026. Available online: https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-117.
  2. Deutsches Institut für Normung. DIN 66399: Office machines — Destruction of data carriers (Parts 1–3). DIN, 2012.
  3. International Organization for Standardization. ISO/IEC 27001:2022: Information security, cybersecurity and privacy protection — Information security management systems — Requirements; ISO. 2022.
  4. Kissel, R.; Regenscheid, A.; Scholl, M.; Stine, K. NIST Special Publication 800-88 Rev. 1; Guidelines for media sanitization. National Institute of Standards and Technology, 2014. [CrossRef]
  5. NATO Security Committee. AC/35-D/2004-REV2: Primary directive on INFOSEC; North Atlantic Treaty Organization, 2010. [Google Scholar]
  6. United Kingdom National Cyber Security Centre. Secure sanitisation and disposal of storage media. NCSC. 2025. Available online: https://www.ncsc.gov.uk/guidance/secure-sanitisation-storage-media.
  7. National Institute of Standards and Technology. Cybersecurity Framework (CSF) 2.0. NIST. 2024. Available online: https://www.nist.gov/cyberframework.
  8. European Union Agency for Cybersecurity. ENISA Threat Landscape 2024. ENISA. 2024. Available online: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024.
  9. National Institute of Standards and Technology. Security and Privacy Controls for Information Systems and Organizations. NIST Special Publication 800-53 Rev. 5; NIST. 2020. [Google Scholar] [CrossRef]
  10. National Institute of Standards and Technology. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST Special Publication 800-171 Rev. 3; NIST. 2024. [Google Scholar] [CrossRef]
  11. Cybersecurity and Infrastructure Security Agency. Zero Trust Maturity Model Version 2.0. CISA. 2023. Available online: https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model.
  12. International Organization for Standardization. ISO/IEC 27002:2022: Information security, cybersecurity and privacy protection — Information security controls; ISO. 2022.
Table 3. Qualitative Rating Criteria Used in the Scenario.
Table 3. Qualitative Rating Criteria Used in the Scenario.
Rating Likelihood Criteria Impact Criteria
Low Short exposure window; material continuously controlled; residual data not recoverable with ordinary tools; compensating controls documented Limited sensitivity; no material accountability break; minor procedural correction sufficient
Medium Restricted but non-exclusive access; incomplete access reconstruction; partial residual recoverability; compensating controls absent or undocumented Classified or sensitive content potentially exposed; reportable compliance issue; command confidence affected
High Material available outside the verified destruction chain; broad or unknown access; recoverable content confirmed; repeated control failure Serious confidentiality consequences; material accountability lost; likely external notification or suspension of destruction authority
Table 5. Risk Assessment Prior to Corrective Measures.
Table 5. Risk Assessment Prior to Corrective Measures.
Asset Threat Impact Likelihood Risk Level
Recovered SECRET paper pages (4 pp.) Unauthorised disclosure of intelligence content High: confidentiality and compliance consequences; actual viewing not established Medium: access restricted, but pages remained intact for approximately two days and access reconstruction is incomplete HIGH
USB drives (3 units) with recoverable artefacts Reconstruction of prior classified or sensitive content by an insider or forensic-capable actor High if artefacts include substantive content; lower if limited to filenames or metadata, but still a compliance failure Medium: drives were returned to a communal pool for approximately two days; extent of reuse is unresolved HIGH
Document and destruction records Loss of accountability over classified material and inability to prove certified destruction Medium–High: record integrity and command assurance impaired High: the discrepancy and missing certificate are established facts HIGH
Destruction workflow Repeat failure, audit finding, or temporary suspension of destruction authority Medium–High: recurring non-compliance would affect operational continuity and external confidence High: multiple controls failed in a single workflow and no hard stop prevented completion HIGH
Table 6. Target Residual Risk After Corrective and Preventive Measures.
Table 6. Target Residual Risk After Corrective and Preventive Measures.
Risk Area Principal Controls Applied Expected Likelihood Target Residual Risk
Incomplete destruction of SECRET paper material P-5 or higher shredder; page-count reconciliation; witness co-signature; post-destruction workspace sweep Low LOW
Recoverable data on removable digital media Media-appropriate sanitisation method; verification logs; certificate generation; quarantine of uncertain media Low–Medium LOW–MEDIUM
Missing documentary evidence and audit trail Form DS-07; Form DC-01; device register update; retained machine-generated sanitisation evidence Low LOW
Systemic SOP non-compliance Revised SOP; hard-stop procedural gates; annual training; semi-annual internal audit and annual external audit Medium MEDIUM
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.
Prerpints.org logo

Preprints.org is a free preprint server supported by MDPI in Basel, Switzerland.

Subscribe

© 2026 MDPI (Basel, Switzerland) unless otherwise stated

Accessibility

Disclaimer

Terms of Use

Privacy Policy

Privacy Settings