Frank Milia

Recent Posts

Performing IT Asset Disposal Vendor Due Diligence (Part 2)

Posted by Frank Milia

Apr 1, 2015 8:38:00 AM

Part 2: Documenting a Site Visit to an IT Asset Disposal Service Provider

In this second installment of best practices for vetting a disposal vendor and documenting a process for electronic waste disposition IT Asset Management Group (ITAMG) is advising organizations to prepare for audits around eWaste recycling, environmental compliance, and data security for end of life media and IT assets by performing and documenting a site visit to the disposal vendor’s facility.

ElectronicsRecyclingFacilityIn the first post ITAMG described the importance of having a Master Service Agreement that covers the critical components of any IT asset disposal program.

It is important to note that the burden of performing due diligence when selecting a vendor and developing a compliant process extends further than signing an agreement with a third party vendor. It is in the stakeholders’ best interest to investigate and document firsthand the capabilities and infrastructure of any vendor handling electronic waste or data destruction projects regardless of the reputation, certifications, or track record the vendor may present.

Performing a site visit will help your organization vet a computer recycling firm by confirming and documenting several attributes and capabilities of the vendor. Consider you may be looking to confirm something as basic as the recycling vendor is operating inside a building with four walls and an enclosed roof (which is not surprisingly a requirement for many 3rd party certifications) all the way to more complex receiving, audit, and technology driven capabilities of the vendor such as the inventory tracking system, data wiping, and refurbishing capabilities of the firm.

Key attributes of the recycling facility and process to document:

  • Access controls and security of building, technical areas and warehousing
  • How and where shipments are received
  • Tracking process for loads and assets from receiving to shipping (recycle or final sale)
  • Process, tools, and infrastructure used to wipe and physically shred or destroy hard drives and other electronic storage devices
  • Inventory management system capabilities and equipment audit process
  • Inspection for general health and human safety conditions
  • Dismantling, refurbishing, technical, and packaging capabilities of the site

During your visit to the electronics waste recycling or IT Asset Disposition vendor’s facility take careful notes on the vendor’s process, infrastructure, tools, software, and volume of equipment in processing and assets in warehousing.

Ask questions to determine if the amount of assets your firm will be generating for disposal is in the scope of what the operation can handle. Use your best judgment to determine the capability of the vendor to service your needs in a timely manner.

Some vendors may have issues with photos being taken in certain places, but where allowed take as many photos as you can and use these photos to document your visit, the process, and capabilities of your selected vendor.

A documented site visit is a powerful display of performing due diligence and to mitigate liability of an unlikely breach or exposure that could occur from an improper computer disposal.Once you have performed and documented your disposal vendor site audit, consider setting a reoccurring meeting to go over any major process or facility changes that may occur over time.

In the coming weeks we will be following this post with more on how to document your due diligence in sourcing downstream waste handlers, maintaining a secure data destruction program, and other important asset management, certification of destruction, and financial considerations to account for. 

 

Download the ITAMG Inventory Template Today to Get The Best Value For Your Company's Responsible Recycling:

Tips & Inventory Template  

more

Topics: IT Asset Disposal, Electronic Waste Management, Risk Management

Performing IT Asset Disposal Vendor Due Diligence

Posted by Frank Milia

Mar 10, 2015 12:58:00 PM

Part 1: Instituting a Master Service Agreement

IT Asset Management Group (ITAMG) will be publishing multiple blog posts to prepare organizations for audits around computer equipment disposal, environmental compliance, and data security for end of life media and storage assets.

AUDITSmaller

On this first series of posts we will be focused on advising organizations on how to develop a packet of documents that will provide auditors a clear explanation of the asset disposal process, the roles of the key stakeholders involved, and the responsibilities of internal and third party providers.

Your organization likely has an asset management system, decommissioning process, disposal vendor, and record keeping mechanism in place. It is important that these processes and responsibilities are documented in writing, responsibilities are understood across the organization, key stakeholders sign off on the process, and the information is archived and available when needed.

Having a Master Service Agreement (MSA) with a third party disposal provider is a critical aspect of being able to display the due diligence performed when selecting the IT asset disposal vendor being utilized. A MSA is a contract between two parties that will govern the future transactions between the parties.  

 

At minimum a MSA should cover in detail the following aspects of a disposal program:

  • Vendor Insurance Coverage
  • Environmental Practices- Standard / Certifications for eWaste Recycling
  • Data Security- Data Destruction Standards and Approved Methods
  • Data Privacy- Confidentiality Policy Including Commitment to Disclose Breach or Threat of Breach
  • Overview of Service, Processes, Financial Obligations, Asset Reporting, and Billing Standards

 

The MSA allows an organization and third party vendor to maintain a clear understanding of what is expected for all service delivery. The vendor can than provide statements of work or quotes in order to accomplish the goals of specific disposal and decommissioning projects.

If you have a MSA in place with a disposal vendor make sure to update the document as standards, policies, and industry regulations change. Having this agreement in place is an excellent beginning to documenting an organization’s disposal program. However, having a MSA is only one piece of the packet you need to build for a potential audit.

In the coming weeks we will be following this post with more on how to document your due diligence in sourcing downstream waste handlers, maintaining a secure data destruction program, and other important asset management, certification of destruction, and financial considerations to account for.

 

Request a MSA Consultation

more

Hard Drive Shredding New York Style

Posted by Frank Milia

Jan 13, 2015 8:55:00 AM

ITAMG regularly provides IT disposal and data destruction services to our clients with offices and data centers in New York City. Recently we have had a lot of new clients ask us how it’s even possible for us to provide onsite hard drive shredding services in the chaotic New York environment. This post provides a quick explanation of how we manage obstacles and securely destroy electronic media in one of America’s most bustling cities.

Hard Drive Shredding NY

Parking in New York City can be a nightmare. The industrial shredding equipment used to shred hard drives weighs thousands of pounds and is mounted on a large box truck (similar to paper shredding trucks you may be more familiar with). Most loading docks in New York City are extremely busy and located indoors, so idling and shredding drives at a dock is not an option due to congestion as well as health and safety concerns.

In order to get the work done curbside our crew will first scan and capture the serial numbers of the drives and then place the media into a locked container while still inside the client’s space. They then transport the locked containers, which are on wheels, down to the mobile shredding truck.

When there are no available parking spaces in the area we may be required to park several blocks from the client’s location. Although the client may be forced to get some unexpected exercise by taking a walk to the truck, he or she is able to follow the media at all times, and no media is left unattended.

To combat parking restrictions we always staff at least three crew members in New York City. All hard drive shredding projects in New York are staffed with a driver and a minimum of two technicians. With this strategy the truck can remain in a standing zone nearby while the other two crew members audit and prepare the drives for destruction.

When the technicians are done processing and auditing the drives the truck is called in to collect the container and the drives are destroyed at the nearest possible location. This staffing practice accounts for a potential emergency or required break and allows for a crew member to always remain available to guard the media prior to its destruction.   

Everything, especially time, in New York is expensive. In order to reduce service costs our shredding trucks are also equipped to collect electronic waste and surplus computer equipment that is being liquidated.  In addition to the shredded media remains there is space to remove upwards of three hundred desktops at a single service.

We are able to reduce shipping and logistics costs for projects that require both on-site media destruction and IT asset disposal services by performing both services at the same time.      

ITAMG has been working in New York City with our own crews since 1999. If you are already a New York hard drive shredding client please reach out to your account manager and let us know how we are doing.      

 

Interested in Data Destruction Best Practices?  Download our quick guide to NIST 800-88 Guidelines for Media Sanitzation below.

5 Data Destruction Tips

more

Topics: data security, data destruction, hard drive shredding, data sanitization, Hard Drive Shredding NY

IT Asset Disposal and Data Destruction Program Management

Posted by Frank Milia

Dec 10, 2014 9:50:00 AM

Since 1999 our primary business at IT Asset Management Group has been focused on developing and implementing the process, controls, and oversights necessary to run a compliant, secure, and economically viable IT asset disposition program.  We are now drawing upon our unique experience and capabilities to provide consulting, program management, and project management services for data destruction, environmental, asset management, and return management initiatives. 

Laptop Liquidation Program

ITAMG’s disposition programs are designed to bridge the gap and achieve the goals of various stakeholders including Finance, IT, Facilities, and Procurement departments.   

A broad approach to an asset disposal program is as follows:

  • Develop and furnish the initial operational, financial and technical assessments relating to an asset disposition program.
  • Recommend alternative operational processes and organizational solutions.
  • Provide budgetary cost and income estimates for the alternative approaches
  • Develop a Statement of Work for the program or project.
  • Assist with evaluation, selection and contracting, including the execution of Service Level Agreements.
  • Provide implementation and acceptance testing project management.
  • Include on-going program support as defined by client. Including delivery management, SLA monitoring and documentation of the financial returns.
  • Ensure Quality Control and Risk Management.

 

ITAMG’s asset disposal program management services are best suited for the Fortune 500, large government agencies, IT value added resellers, and other institutions with a significant IT hardware portfolio that requires the liquidation of at least one million dollars of surplus IT equipment in a single fiscal year. 

However, we do engage smaller mid-market clients to consult on and improve IT asset disposal and data destruction practices as well as to provide our direct IT asset recovery and hard drive shredding services.    

 

Request a Program Management Consultation

more

Topics: IT End of Life Strategy, data destruction, Computer Liquidation, NIST 800-88, IT Asset Disposal NY

Networking Device Erasure and Data Destruction

Posted by Frank Milia

Sep 26, 2014 8:30:00 AM

Storage devices and electronic media are not the only devices that require erasure and data destruction service levels in order to eliminate risks of causing a breach from an equipment disposition. Networking devices, routers, and switches hold sensitive information that in the wrong hands can be used to find entry to or otherwise compromise a network’s security.

The good news is that the major manufacturers have built in acceptable erasure methods into various networking devices and the process is easy to navigate.

At IT Asset Management Group we utilize the best methods of clearing a device depending on the manufacturer’s instructions and tools available. If a device cannot be reset to factory default, configuration cleared, NVRAM erased, VLAN cleared or any other information fails to erase with 100% certainty the device is quarantined and then physically destroyed.

The exact method of erasing networking devices will be specific to the manufacturer and model of the hardware but the following is broad overview of the process.Networking_DevicesMethods for Networking Device Erasure 

  1. Switches - Clear all configuration files including startup and running configuration files. Erase the NVRAM file system and removal of all files. Reload the switch to factory default. Clear all VLAN information created on switch. Confirm device has been cleared.
  2. Routers - Reset password and device to factory default.   Using Register Configuration write erase and set device back to factory default. Confirm device has been cleared.  

A sample of the type of manufacturer provided instructions used by ITAMG can be found below.

Common Switch: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2900-xl-series-switches/24328-156.html

Common Router: http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-123-mainline/46509-factory-default.html

Networking Device Destruction

Any device that cannot be reset and confirmed to no longer contain any user created configurations or data should be physically dismantled, shredded, and recycled for commodity material in accordance with all local, state, and federal laws. ITAMG’s data destruction services are developed in accordance with the DoD 5220.22-M standards and NIST 800-88 Guidelines for Media Sanitization.

Looking for more information on running a secure data destruction program? 

Download 5 Data Destruction Tips

more

Topics: data security, data destruction, data breach, education & tips, data sanitization

   

ITAD Guidance

Stay informed on important IT asset management topics.

Our posts focus on IT management, data security, and computer hardware from the unique perspective of IT asset disposal experts.

Subscribe and you will stay on top of:

  • IT procurement trends and analysis
  • Data security methods and best practices
  • Compliance tools and updates

Subscribe to Email Updates

R2-2013_Logo.png

Recent Posts

Visit our Main Site at: www.itamg.com