ISRG prohibits any media that contains or has contained sensitive data from leaving organizational control in such a state that it may still be operational, or contain recoverable data. Such media may include printed documents or digital storage devices. When media that has contained sensitive information reaches its end of life, the media is physically destroyed such that recovery is reasonably believed to be impossible.
I saw a very interesting vendor demonstration several years ago. Because of reconstruction software it is usually not enough to shred a document. Usually you want to burn it after shredding.
Which leads to the question, if shredded documents can be reconstructed and sensitive material does not leave the organization, then does Let's Encrypt burn its sensitive trash? Or is a different control used? Or is the risk accepted?
Not to mention, there’s shredding, and then there’s shredding. NSA says shredding to no larger than 5 mm^2 is good enough for classified information, but that’s pretty small (and a pretty expensive shredder).
We are aware that normal shredding is not enough to entirely prevent reconstruction of a document. If we felt it was necessary to make sure it was not possible to recover a document we would probably do something more extreme than shredding. Maybe burn it, I don’t know.
That said, we have never (to my knowledge) burned a document, and I doubt we will.
We don’t use paper very often, and when we do it’s generally not sensitive at the time of destruction. We use it for some types of audit logs, but those contain things like lists of dates, times, personnel, and tamper-evident bag serials. They’re important chain of custody records that we don’t want to lose, but they’re not very sensitive and we generally don’t get rid of them. In some cases, with specific threat models, passwords are written down on paper and stored under strict security protocols, but we would never let that paper leave custody without changing the password in question. Once a password is changed, the old password is no longer sensitive information. We’d still shred it out of an abundance of caution, but that’s not really necessary.