By Phara E. McLachlan, Animus Solutions, Inc.
ITAK Volume 6 Issue 6: Documentation Management and Asset Identification
IT asset disposal unfortunately isn’t a process given enough consideration in the grand scheme of asset management. Because of this oversight, organizations are leaving themselves vulnerable to compliance and security risks, simply because they lack policy, process and procedures for software and hardware end of life. Disposal doesn’t mean just tossing your old equipment in the garbage when the new comes in; in fact, it’s much more complex, and much more important. IT asset disposal is as important a piece of the ITAM puzzle as any other: a proper program reduces the organization’s technology stack and its risk of security breaches and regulatory non-compliance.
IT Asset Disposal Options
There are several options for proper IT asset disposal. To make the right decision, we suggest creating a task force or project management team to discuss your goals for the program – do you want to save money? Do you want to bring money back into the organization? Are you looking to reduce your technology stack to eliminate redundancies? Should you consider the environment?
Re-Sell: For organizations looking to bring money back in and get something out of their used IT equipment, selling it to other organizations that can get use out of it is a great option. Your junk could be someone else’s treasure! Many organizations will also sell used equipment to employees, which is a benefit to both the company and the employee. You could also donate old equipment and receive a tax write-off, as well as some goodwill towards the company.
Reuse/Recycle: Many organizations will reuse their equipment, for example by shuffling it to another department that doesn’t rely as heavily on that item (e.g. a slower-running desktop for a receptionist instead of the IT department). Others will recycle any or all parts of the machines that they can. This is good for the environment, not to mention the CSR image.
Remarketing: Whether you choose to refurbish and re-sell your IT assets yourself or use a partner to do so, remarketing is a good way to get a return on your investment. Remarketing is based on a quality refurbishment process with added-value procedures integrated into it. The process provides a much higher financial return to clients than wholesale returns. Obviously, you will never get the full value of your IT assets back, but remarketing will get the organization some of its money back.
To Outsource or Not to Outsource
Many organizations will choose to outsource their IT asset disposal needs by choosing a partner to take care of either all portions of the process or some, for example, a partner that will be responsible for data cleansing or even just hardware recycling. Whether you choose to do this in-house or outsource, be sure that due diligence is performed on local and national regulations for asset disposal. There are guidelines, both regulatory and environmental, that need to be followed. Be sure that your outsourcing partner has a solid track record with governing bodies and is well aware of those regulations that pertain specifically to the location and industry your organization operates in. For example, healthcare companies that must comply with HIPAA must be cognizant of these privacy restrictions when disposing of data.
Here are some basic questions to ask of your vendor:
- What information security management practices and technology do they employ? Their level of investment and attention to their own security needs is often indicative of their handling of others’ information.
- What type of insurance or bonding does the vendor carry to cover data leaks?
- What asset management system does the vendor use to effectively track and report on the disposition of equipment?
- What technology does the company use to electronically wipe or physically destroy equipment? Where does this technology exist and what steps must the equipment go through before it is destroyed?
- Can destruction of personal assets be witnessed?
- What happens to the destroyed assets after the vendor completes its work?
Every day there is a story in the news about data security, the importance of safeguarding our data and the negative outcomes of security breaches. With the advancement of cloud computing and its increased use, this discussion is often about data security and whether data is really safe in the cloud. Not only do we have to focus on where data is stored, how its security is implemented and how it is used; data needs to be secured during the disposal process as well. Believe it or not, data is often left on old IT assets even after they have been “wiped” clean, leaving valuable data to the next user of that device. Just because hardware is dismantled doesn’t mean that data is completely erased. Also, deleting files is not enough; they must be properly disposed of. Whether data disposal is through an outsourcing partner or done in-house, it must be handled with the utmost care. Like any IT program or implementation, there are several options for disposal and each will depend on the individual organization and its goals. Organizations that have remote employees face additional data security issues, as they have employees accessing the network from outside of the office. Remote data erasure does not always work; therefore, data must be wiped from every location, not just the office server room, but individual devices as well. When an outsourcing partner is destroying data, be sure to verify that the information is 100% destroyed, leaving no loose ends.
Flawed Policy, Processes and Procedures
Even with the best partner to destroy data and all regulations being followed, the asset disposal program is incomplete without the proper policy, processes and procedures in place to head off a problem. All employees, in addition to the IT team, need to be aware of the proper procedures for accessing the network, deleting files, and what to do when their IT equipment has reached the end of its lifecycle and needs to be retired. The best way to determine which steps need to be taken to develop or improve IT asset disposal policies is to perform a risk assessment to understand the organization’s unique data security needs. Where are the gaps in your security? Where are your vulnerable areas? Is it when employees are misusing IT equipment outside of the office? Perhaps they are taking it upon themselves to dispose of IT equipment. Each of these vulnerabilities needs to be examined and each scenario considered in developing policies, processes and procedures that stop a problem before it happens. Be sure to communicate efficiently to employees the proper process they must follow should they wish to retire an asset they possess.
An IT asset disposal program is always part of an overall IT Asset Management strategy and should be included in this effort in order for the organization to get the most return on its IT investments. My advice on every issue involving IT Asset Management is to always go back to your policies, processes and procedures. Without them, you will not be able to truly save money, make money, and stay out of jail!