National Defence is overhauling its policy on how it sweeps, sanitizes and destroys Canada’s cache of top-secret and sensitive military information after an internal audit revealed major gaps that could jeopardize national security.

The comprehensive revamp comes after a chief review services audit found the procedures to cleanse information management and information technology assets are "outdated."

"Some departmental security orders are over five years old ... many of the department's security policies date back to 1998 and still reference technologies that haven't been commonly used in over a decade, such as 5-inch floppy discs," the report reads.

Earns SanDisk

The Department of National Defence is drafting a department security plan after an audit found serious gaps in the way it handles the sanitization and destruction of top-secret information and data. (Mark Lennihan/Associated Press)

The heavily censored report — which was completed in December 2012 but only recently released publicly — looks at governance, internal controls and risk management associated with the military’s sanitization and destruction activities, including paper copies of personal files, classified reports, compact discs and video.

It also exposed gaps in training, flagged inaccurate and unreliable inventory listings and found non-standardized destruction practices across the country.

For example, some department locations use disintegrators and industrial shredders while others use explosion expert teams to destroy hard drives with explosives.

The audit also found there were no time restrictions on the destruction of assets — and that in some cases, hard drives had been stockpiled for up to two years awaiting destruction.

There were also sloppy practices when it comes to informing stakeholders of changes and updates. The audit included references to a bulk classified waste destruction process at an industrial paper destruction centre, though it is unclear why because most of that assessment was blacked out.

Warnings over sensitive information

The audit warns that information technology and information management assets must be properly sanitized or destroyed at the end of their life to prevent "unauthorized parties" from retrieving, creating and using classified information.

"Technology is available that allows information to be recovered from electronic storage devices if they are not correctly sanitized or destroyed," the report reads. "Software ranging from sophisticated programs to simple freeware can be used to recapture improperly sanitized or disposed data. Digital recognition software is also available to piece together IM material that has not been shredded finely enough."

The department's extensive review in response to the audit will develop ways to upgrade, integrate and align policy with government-wide practices.

"One of the end results will be the development of a robust and comprehensive departmental security plan. This is a significant undertaking, as DND has numerous security policies and procedures that are being revised and standardized across the department," DND spokeswoman Linda Vena said.

The results will lead to a new departmental security plan scheduled to be completed by March 2015.

Vena said the report was heavily redacted in order to protect national security.

"The department must be vigilant against potential threats to the department and when possible vulnerabilities are known, it is the department's due diligence to properly safeguard the information to ensure it cannot be exploited," she said.

"Divulging information on how IT assets are destroyed or sanitized — particularly those used to process secret and top secret material — could provide insight on how to recover information from those assets. That would be a clear danger to national security.”

It took one year for the report to be made public because of the comprehensive review process to ensure the "integrity" of the review and reporting process, as well as to ensure operational security concerns and to ensure that redactions to the document were in accordance with the Access to Information and Privacy Act, Vena said.