David Spark (@dspark), producer of CISO Series, guest co-host Shawn Bowen, CISO, Restaurant Brands International (RBI), and sponsored guest, Frank Milia, partner, IT Asset Management Group recently did a deep dive into data destruction on the Defense in Depth podcast: Data Destruction.   

The conversation was thought provoking, but we really just scratched the surface over a twenty five minute discussion.  Check it out below and feel free to connect with us to further the conversation.  

You can listen to the podcast here:https://cisoseries.com/defense-in-depth-data-destruction/

-or-

on your favorite app like Spotify or Apple Podcasts  

Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties has now resulted in millions of dollars in regulatory penalties.  Is it clear who is responsible for the performance of your data disposition practice?   IT Asset Management Group’s free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners.      

Download the program guide today at itamg.com/CISO

We here at IT Asset Management Group (ITAMG) regularly come across regional organizations such as universities, hospitals, media companies and local banks that are engaged with disposal providers that ship their retired IT equipment several hundred or even a thousand miles away to be processed.

Regional businesses and generators can drastically lower their costs and carbon footprint by switching to local, certified, and qualified IT asset disposal providers. National and global enterprises have a more complicated challenge to reducing ITAD related emissions than their regional counterparts (a longer post for another day).

Due to this, I would argue regional organizations have an even higher environmental and social obligation to source local vendors and significantly outperform the environmental impact of their peers that have global footprints.

Local providers will also likely manage and operate in-house trucking, technicians and moving teams that will be typically perform better and be held more accountable for performance at the client site than providers that exclusively rely on third party transportation resources.

By using local trucking companies you also reduce the risk of a breech event or exposure related to third party transport of the material.     

Simply put, choosing local is good for our environment, improved performance of the disposal program, and is better for your bottom line.

If your firm is a regional organization (or otherwise) please consider reviewing your program to see if lowering carbon footprint through sourcing local vendors is an option available to you.  

Are you evaluating IT asset disposition providers?  Please use the following link to let us know how we can specifically help you: 

As a NAID Certified Secure Destruction Specialist my goal is to offer information security and compliance professionals objective advice backed by experience, industry best practices and a keen knowledge of the applicable regulatory requirements. 

When working with organizations of all sizes one of my consistent challenges is getting various stakeholders to openly and honestly evaluate their data destruction and disposition program to identify blind spots and allow me the opportunity to identify areas for improvement and risk mitigation. 

Below are some of my questions to open up a conversation with folks who are willing to perform a self-evaluation and begin the process of assessing their data disposition practice.

1. Do we have a contract in place with our current downstream data disposition providers?
   a. Does this contract include breach notification requirements?
   b. Does this contract include definitions of data protection service levels and data destruction deliverables?
2. Do we use multiple downstream data disposition providers (example: e-Waste goes to a recycler but media goes to a document destruction company)?
   a. If so, how do we control what vendor is liable if a breach occurs? 
3. Have we formally vetted our downstream data disposition providers?
   a. Have we evaluated and vetted third party certification(s) that our provider holds?
   b. Have we documented our vendor’s policies, procedures, downstream charts, and third party certificates?
   c. Are we annually checking in on updates from vendor for policies, procedures, downstream charts and third party certificates?
4. Do we have written policies and procedures for our data protection program?

a. If we perform data destruction internally are the processes formally documented including confirmation of results?
b. Do we have an assigned person in charge of compliance?
c. Do we have formal training for employees and documentation of such training?
d. Do we have employee acknowledgement in writing for acceptance of data security responsibilities?

I urge everyone to ask these questions and evaluate the answers that come back.  

Once these answers are provided, we can provide suggestions to ensure better security or regulatory compliance.  If the answers all seem satisfactory, there is always an opportunity to dig deeper to find where other improvements can be made and to make sure the organization is documenting the program's success effectively.

Data security and data protection compliance is a moving target.  Evaluation and audit of your data disposition program should be on a regular schedule, including at minimum an annual review of any of your contractors or internal operators.

Last week Arrow Electronics Inc. announced that it would be shutting the doors on its IT asset disposition service business leaving the industry dumbfounded and thousands of customers concerned with how to proceed with their day to day disposal requirements.   

Although Arrow has claimed the USA operations will remain active until end of the year, we have received several reports from Arrow’s customers that they will no longer receive disposed of assets shortly after this month. 

If you are a current customer of Arrow or otherwise depend on a single service provider for your global asset disposition services there are some lessons to take away from this as you look to source your next provider. 

The Largest vendors don’t necessarily offer more stability or security. 

Many businesses signed on with Arrow because they liked the security of working with a fellow Fortune 500 company.  Arrow actively sold these businesses a narrative that they were a more stable option than the smaller boutique providers since they had the capital and infrastructure necessary of supporting the largest customers.  Ironically in the end Arrow’s decision to end the ITAD service line is at least partly because they are such a large public company and had the need to cut out expenses from a small business unit to avoid having to repeatedly publish poor earnings reports. 

I do not agree with Arrow’s claim that they are leaving the ITAD space because it is not a sustainable business model.  There are plenty of healthy and capable ITAD providers that offer this service has their exclusive business model.  For instance, my firm IT Asset Management Group has been operating in the space for almost 20 years and we forecast continued year over year growth. 

It is important to at least consider setting up a multi-vendor option for disposition and data destruction services.

As an IT asset disposition provider I’m happy to hear our customers want us as a single provider for their disposal and data destruction needs.  However, I suggest to all of the largest customers, especially those with a significant global foot print, to consider having multiple vendors to properly cover their needs. 

Arrow is dropping out with very little notice and many customers are concerned about establishing new vendors under deadlines that large organizations worry they will struggle to meet.  By vetting and properly contracting multiple vendors to cover your disposition and disposal needs you will protect your company from your vendor leaving the market or otherwise under performing to a degree that would require a switch in providers. 

Over the years we have worked with many customers that have a huge footprint in the USA and want us to cover their much smaller footprint globally.  The most successful of these customers have leveraged our company to receive lower cost services and more competitive asset recovery value returns on their larger sites in the USA and relied on a network of regional partners to cover their smaller global offices.  For many of our clients we do also manage the international disposal network via our own substantial team of capable partners.   

The customers that have been able to remain more flexible with their approach, not only financially perform better, but are also better setup with redundancies and have avoided the stress that so many others are feeling from Arrow’s sudden announcement to quit ITAD. 

Has Arrow's closure of their IT disposal services business left you concerned with how to manage secure disposition of retired assets and media?

Our senior leadership team is offering free consultations and review of your disposition programs.

Let's have a discussion and put your mind at ease: