IT asset disposition (ITAD) is the practice, method and means of disposing of IT hardware. The legal and compliance demands companies face mean that the data held on computers, devices and other physical assets can become a liability without an audited process in place.
With new methods for data protection becoming increasingly crucial for business owners, organisations need to ensure their chosen ITAD service provider will remove that data and dispose of end-of-life IT assets safely and securely. Yet, only recently have businesses started to recognise the need to securely remove data from any IT asset when it is collected for disposal. Recent European and US legislation, including the General Data Protection Regulation (GDPR), has driven this need.
Those responsible for data within an organisation are already aware of a data breach’s financial, legal, and reputational impact. Steve Hollingsworth, Director at Covenco, explores six ways in which every organisation that collects, stores and processes data must always secure it, including when it is time to dispose of hardware and data-bearing assets…
1. Confirm that data destruction is effectively carried out
When undertaken correctly, ITAD data destruction procedures are 99.999 percent effective, a percentage acceptable even for the U.S. Department of Defence, the German Federal Office for Information Security (BSI) and the UK HMG Infosec Standard No. 5.
An organisation can sanitise its own data using software – or even destroy it with physical destruction methods. However, most organisations opt to use third-party ITAD services because these include a full and proper audit trail and recognised data destruction standards – and avoid the time and resources needed to conduct data destruction on multiple devices.
In addition, an organisation fully accredited with the requisite systems in place will be able to sanitise all types of data-bearing media, from spinning disks to solid-state drives.
2. Review your asset security during transit
The theft of electronics in transit is a major crime factor in 2023. Since 2012, the theft of electronic goods in cargo has risen by 22%, with an estimated per-theft value of over $400,000 (excluding the value of data held on the stolen devices). The key steps below are crucial when reviewing business assets during transit:
- Secure collection
- Secure customer delivery
- Transfer of Custody
- Record Keeping
- Processing Time
3. Verify asset tracking and facility surveillance
While it’s essential to ensure the secure transportation of IT assets, the obligation to secure all IT assets continues within the ITAD facility. This should include the secure tracking of IT assets while they are processed. Additionally, selecting a third-party company that applies thorough asset tracking through serial number capture, scanned barcodes and sophisticated internal reporting systems will allow a business to understand where its assets are in the process and track them for internal audit.
4. Applying appropriate standards to your IT asset disposition
Companies that operate within ISO/IEC 27001 are both proven and required to apply best practices for managing the security of data assets such as financial information, intellectual property, employee details, clinical and research data and more, which is vital for ITAD.
5. Understanding the reuse and resale of IT assets
This is where asset ‘disposition’ takes priority over ‘disposal’. In many cases, a customer’s assets may have a resale value. As such, the company’s third-party supplier can offer a fair market price to buy these assets after their data has been completely sanitised within ADISA and ISO 27001 standards.
6. Destruction and recycling of end-of-life assets
If all data has been destroyed and an IT asset no longer holds resale value, end-of-life disposition would be the next step. Understanding the final processing of end-of-life IT assets is essential because if done irresponsibly, a business and company directors could be liable for the repercussions.
Some parts of the developing world have used illegitimate recyclers to dump old e-waste. If the equipment ended up in a third-world country, someone could pull the asset tags and determine that the business was a company contributing to the toxic environment and wrongful disposition of e-waste.
So, when an asset reaches the end of its useful life, it is vital that the business’s partner follows a process that securely destroys it beyond recovery and can provide certificates of destruction and recycling, which can be helpful for compliance or security documentation and for any reporting or recognition of the business’s environmental efforts.
Conclusion
Choosing an ITAD partner requires careful research and due diligence. The company’s data security is at risk, as is the reputation of the business.
Using a reliable third party that provides the necessary chain-of-custody control, data destruction options, compliant recycling, detailed reporting, downstream audit control, and solid remarketing returns demanded by diligent customers is vital for both company and customer satisfaction.
Additionally, partnering with a company that is qualified in ADISA and ISO 27001 accreditations provides customers with complete peace of mind by delivering comprehensive audit-ready compliance and reporting at a forensic level.
By selecting an honest and dependable third party as a chosen ITAD partner, companies can rapidly improve the security and control of the data they manage while generating an additional revenue stream for their IT departments.