Government agencies, corporations, and other institutions are taking measures to improve IT asset management and disposition practices in order to mitigate the risk of a data breach, meet environmental initiatives, and ensure optimal financial performance. The following are key pieces of building a secure and efficient IT disposal program.
1. Implement and utilize an asset management and inventory system
An asset management program’s success is driven by the inventory tools and processes in place to track assets from cradle to grave, in other words from the time an asset is deployed until it is recycled or liquidated. The inventory management system should be used to document when an asset is disposed of, its final destination (vendor and asset status), and which administrator or manager signed off on the disposition.
Having robust asset management data that includes model numbers, serial numbers, and other attributes and specifications of equipment also allows an organization to bid out an asset disposal contract more effectively and for more competitive returns.
2. Track and maintain documentation of disposition and data destruction of assets
Asset management disposition data should be reconciled with the data provided by a firm’s disposal vendor. These inventory reports, settlements, and certifications of destruction and proper handling should be maintained in accessible formats.
The most sophisticated asset disposal programs utilize integration with a disposal vendor’s asset management software in order to confirm and document the disposition of an asset. In the case of a full integration an asset management team can mark an item as shipped or disposed of and track the receiving, processing, sale, or recycling of the asset.
3. Sign a formal agreement with an IT asset disposition vendor or managed service provider
Take the steps to put an agreement in place with an IT asset disposal provider that documents your firm’s due diligence, understanding, and expectations of the vendor and performance milestones of the disposition program.
A standard Master Service Agreement (MSA) should include the following:
- Data security and privacy policies (including process for disclosure of potential exposures)
- Commitment to environmental recycling controls and compliant waste management
- Insurance coverage
- Overview of service levels, process, financial obligations, reporting and billing standards
4. Develop a data destruction process driven by NIST 800-88 Guidelines for Media Sanitization
If you’re unfamiliar with NIST 800-88 you can learn more from this introduction blog entry.
Developing a data destruction program around the best practices outlined in NIST 800-88 helps ensure end-of-life data security and establishes a process for maintaining the audit-ready documents needed to demonstrate a firm’s data privacy compliance.
A program following the NIST 800-88 method will identify risk, categorize media, select effective sanitization methods (Clear, Purge, or Destroy), set quality assurance checks, record and certify the destruction of assets, and place responsibility for the program’s success on senior managers.
Every organization should consider the risk of a data breach caused by improper data sanitization and set sanitization methods and disposal processes according to data privacy laws and industry-specific regulations (e.g. HIPAA in healthcare).
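The reconciliation described in section 2 and the method selection described in section 4 can be automated once the asset management export and the vendor's certificate-of-destruction report share a serial number. The script below is an added example written for this page, not code from the original post or from any disposal vendor. It assumes two constructed CSV exports (column names are the editor's own), and its `required_method` function is a simplified reading of the sanitization and disposition decision flow in NIST SP 800-88 Rev. 1 (Figure 4-1): media not being reused is destroyed, high-confidentiality media leaving the organization's control is destroyed, otherwise media leaving the organization is purged and media reused internally is cleared. Confirm that mapping against the current revision and your own data classification policy before relying on it. The script flags shipped assets with no certificate, certificates whose method is weaker than the asset requires, and vendor serials the firm never shipped.

```python
import csv
import io
from typing import Dict, List

# Sanitization levels from NIST SP 800-88 Rev. 1, ordered by strength.
LEVEL = {"clear": 1, "purge": 2, "destroy": 3}

# Constructed sample data (not from the original post): an export from the
# firm's asset management system, one row per asset. Column names are assumed.
INVENTORY_CSV = """\
asset_tag,serial,media_type,classification,reuse,leaving_org,status
A-1001,SN-AAA111,hdd,moderate,yes,yes,shipped
A-1002,SN-BBB222,ssd,high,yes,yes,shipped
A-1003,SN-CCC333,hdd,low,yes,no,shipped
A-1004,SN-DDD444,ssd,moderate,no,yes,shipped
A-1005,SN-EEE555,hdd,high,yes,yes,retained
"""

# Constructed sample data: the disposal vendor's settlement / certificate of
# destruction report, keyed by drive serial. Column names are assumed.
VENDOR_CSV = """\
serial,method,certificate_id
SN-AAA111,purge,CERT-0001
SN-BBB222,clear,CERT-0002
SN-CCC333,clear,CERT-0003
SN-ZZZ999,destroy,CERT-0004
"""


def parse_csv(text: str) -> List[Dict[str, str]]:
    """Parse a CSV export into a list of row dicts, trimming whitespace."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k.strip(): v.strip() for k, v in row.items()} for row in reader]


def required_method(classification: str, reuse: bool, leaving_org: bool) -> str:
    """Minimum sanitization level for an asset.

    Assumption: simplified from the NIST SP 800-88 Rev. 1 sanitization and
    disposition decision flow (Figure 4-1); this is the editor's reading of
    that flow, not text from the post."""
    if not reuse:
        return "destroy"          # media that will not be reused is destroyed
    if classification == "high":
        return "destroy" if leaving_org else "purge"
    # low / moderate confidentiality
    return "purge" if leaving_org else "clear"


def method_satisfies(actual: str, required: str) -> bool:
    """True if the vendor's certified method is at least as strong as required."""
    return LEVEL.get(actual.lower(), 0) >= LEVEL[required]


def reconcile(inventory: List[Dict[str, str]],
              vendor: List[Dict[str, str]]) -> Dict[str, list]:
    """Reconcile shipped assets against the vendor's certificates.

    Returns asset tags that are fully certified ("ok"), shipped assets with
    no certificate ("missing_certificate"), certified assets whose method is
    weaker than the required level ("insufficient_method"), and vendor
    serials the firm never shipped ("unknown_serial")."""
    certs = {row["serial"].upper(): row for row in vendor}
    shipped = {row["serial"].upper(): row for row in inventory
               if row["status"].lower() == "shipped"}
    result: Dict[str, list] = {"ok": [], "missing_certificate": [],
                               "insufficient_method": [], "unknown_serial": []}
    for serial, asset in shipped.items():
        tag = asset["asset_tag"]
        cert = certs.get(serial)
        if cert is None:
            result["missing_certificate"].append(tag)
            continue
        need = required_method(asset["classification"].lower(),
                               asset["reuse"].lower() == "yes",
                               asset["leaving_org"].lower() == "yes")
        if method_satisfies(cert["method"], need):
            result["ok"].append(tag)
        else:
            result["insufficient_method"].append((tag, cert["method"], need))
    result["unknown_serial"] = sorted(set(certs) - set(shipped))
    return result


if __name__ == "__main__":
    report = reconcile(parse_csv(INVENTORY_CSV), parse_csv(VENDOR_CSV))
    for finding, items in report.items():
        print(f"{finding}: {items}")
```

Run against the sample data, the high-confidentiality SSD A-1002 is flagged because the vendor certified only a Clear, the non-reused drive A-1004 has no certificate at all, and serial SN-ZZZ999 appears on the vendor report without ever having been shipped; each of those is a finding to raise with the vendor under the disclosure terms of the MSA before the settlement is accepted.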
5. Create an accounting mechanism to keep liquidation returns in the IT budget
IT asset managers and acting directors are tasked with quantifying value to executive management and IT operations. Efficient liquidation of assets can yield significant returns, and these financial recoveries should not go unnoticed.
IT asset managers should develop accounting mechanisms to track returns from the disposal program as well as to keep the funds in the IT budget. This can be achieved by using a credit system for future product purchases or services instead of receiving direct payments from a disposal vendor. The disposal provider can provide goods and services directly or partner with an OEM or VAR to do so.