Frank Milia


Hard Drive Disposal Options

Posted by Frank Milia

Jun 2, 2017 12:38:46 PM

Proper handling of end of life computer equipment and electronic media is critical to avoiding costly data breaches and debilitating exposures to your business and client data.  Your options for hard drive disposal should not be limited by archaic security policies, vendor capabilities, or lack of in-house expertise or access to industry leading tools.    

The below is a quick guide to the common tools and methods utilized by sophisticated IT asset disposal providers and IT departments alike. 


Binary wiping and secure erasure:

Often referred to as Department of Defense (DoD) three pass erasure, secure erasure writes multiple passes of binary code over a drive’s data to eliminate the path to the data.  The term DoD erasure is asset disposal industry and IT shorthand; no software or erasure method is specifically endorsed by the DoD.  The method is a commonly accepted software tool for destroying data on magnetic and solid state media.

Having a contracted erasure service or in-house capability to securely erase machines is ideal to reuse machines in your environment, sell machines to a computer liquidator at optimum value, and ship or relocate machines that are not encrypted. 

Enterprise erasure tools should include reporting and verification utilities that allow organizations to save detailed certificates of destruction to the NIST 800-88 standards as well as identify drives that do not wipe to one hundred percent satisfaction.  When drives fail to wipe securely the user can quarantine and use another physical destruction method. 
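An added illustration (not from the original post or any vendor's tool) of the overwrite, verify and quarantine flow described above, run against a constructed in-memory drive image. The pass patterns (0x00, 0xFF, random), block size, report fields and the `StuckRegionDevice` failure simulation are assumptions.

```python
import hashlib
import io
import os

BLOCK = 4096  # assumed I/O unit for writing and read-back verification


class StuckRegionDevice(io.BytesIO):
    """Constructed failing drive: writes to one block are silently dropped."""

    def __init__(self, data, stuck_offset):
        super().__init__(data)
        self.stuck_offset = stuck_offset

    def write(self, b):
        if self.tell() == self.stuck_offset:
            self.seek(len(b), io.SEEK_CUR)  # report success, store nothing
            return len(b)
        return super().write(b)


def pattern_block(spec, index, length):
    """Fixed-byte pass if spec is an int; otherwise a seeded pseudorandom
    stream that can be regenerated at verification time."""
    if isinstance(spec, int):
        return bytes([spec]) * length
    return hashlib.shake_256(spec + index.to_bytes(8, "big")).digest(length)


def run_pass(dev, size, spec):
    dev.seek(0)
    for i, off in enumerate(range(0, size, BLOCK)):
        dev.write(pattern_block(spec, i, min(BLOCK, size - off)))
    dev.flush()  # on real media the write cache must also be synced


def verify_pass(dev, size, spec):
    """Read every block back; return offsets that do not hold the pattern."""
    bad = []
    dev.seek(0)
    for i, off in enumerate(range(0, size, BLOCK)):
        n = min(BLOCK, size - off)
        if dev.read(n) != pattern_block(spec, i, n):
            bad.append(off)
    return bad


def erase_and_report(dev, size, serial):
    passes = [0x00, 0xFF, os.urandom(32)]  # assumed three-pass scheme
    failed = set()
    for spec in passes:
        run_pass(dev, size, spec)
        failed.update(verify_pass(dev, size, spec))
    return {
        "serial": serial,
        "passes": len(passes),
        "blocks_total": -(-size // BLOCK),
        "failed_offsets": sorted(failed),
        # Any block that fails read-back sends the drive to physical destruction.
        "disposition": "quarantine" if failed else "verified",
    }


if __name__ == "__main__":
    size = 8 * BLOCK
    image = b"CUSTOMER-RECORD " * (size // 16)  # constructed sample data
    print(erase_and_report(io.BytesIO(image), size, "SN-EXAMPLE-1"))
    print(erase_and_report(StuckRegionDevice(image, 3 * BLOCK), size, "SN-EXAMPLE-2"))
```

The second drive reports one failed offset and a `quarantine` disposition, which is the record that routes it to a physical destruction method.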

DoD erasure is a method approved in the NIST 800-88 Guidelines for Media Sanitization in certain situations, but is not recommended for media that carries higher risks associated with an exposure or contains top secret data. 

Hard Drive Shredding and Media Pulverization

Hard drive pulverizing and media shredding are terms commonly used for the industrial shredding of electronic media.  Although the equipment can be expensive for many businesses to own and maintain, many organizations utilize the method with the help of various asset disposal or document shredding service providers.  This method is ideal for quickly and cost effectively destroying large quantities of hard drives, optical media, flash drives, and other electronic storage. 

Hard drive shredding can be performed off-site at a vendor’s facility or on-site utilizing specialty shredding equipment typically deployed by the tier one IT asset disposal providers like IT Asset Management Group. 

Hard Drive Punching

Smaller machinery like hard drive punchers are ideal for eliminating the risk of shipping live and accessible data by first punching the drives before shipping or relocating the drives for the final shredding and recycling process.  Punchers are utilized where the large footprint of a shredder would not be possible or cost effective.  This method is ideal for small quantities of drives and is typically not cost or time effective for the destruction of large quantities of media.

Much like hard drive shredders there are hundreds of different kinds of hard drive punchers and some are not as effective for solid state drives or other types of media.  It is important to research and understand what a specific machine or service provider is able to do on a case by case basis. 

Degaussing Hard Drives

Degaussing hard drives is another solution ideal for smaller projects where an industrial hard drive shredder may not be available in the geographical area or economically appropriate for the project.  Degaussers use powerful magnets to destroy data on hard drives and other media but do not work for solid state hard drives or flash media.

Degausser machines are no longer the prevalent tool that they once were due to the superior output of shredders and more effective verification methods of enterprise erasure software utilities.  Nonetheless, the tool remains active due to security policies that have been written and not updated or where other tools prove to be near impossible to deploy.

For more information on appropriate methods and documentation of data destruction practices please review our short guide to NIST 800-88.


Topics: IT Asset Disposal, data destruction, eWaste Disposal, Risk Management, hard drive disposal

3 Myths About IT Asset Disposal and Electronics Recycling

Posted by Frank Milia

Sep 18, 2015 3:37:56 PM

Many companies in the electronics recycling and IT asset disposal industry utilize scare tactics and try to focus a buyer’s attention on false narratives to win new clients and increase profitability of contracts.  We believe in transparency and educating our clients.  Here are some facts in response to three common myths being disseminated by disposal service providers. 


The Myth: Allowing a disposal vendor to reuse or sell your equipment creates additional liability for your organization.  Allowing the third party vendor to sell the equipment will be a problem for your organization since the item can be found in a landfill in the future or can otherwise be utilized inappropriately. 

Some of our competitors use this inaccurate storyline to convince organizations to dispose of valuable equipment at an inflated cost under the premise that the vendor will be destroying the equipment and no asset will be sold as a functioning unit that can be traced back to the original owner.  Whatever the IT asset disposal vendor’s motive is, the idea that all surplus computer and IT equipment must be dismantled and destroyed to remove downstream liability is flawed and environmentally irresponsible. 

The Fact:  With best practice data destruction and chain of custody processes in place, selling surplus assets is a secure, environmentally responsible, and economically practical solution for retired computer equipment.  All organizations should document IT asset disposal work with serialized inventory reports, transfer of ownership statements, and bills of sale, and link transactions to a formal master service agreement.

The IT asset disposal vendor should be utilizing an inventory management system that can track the asset from receipt from client to the sale to end user or downstream partner in order to address any unlikely disputes or exposures that could be inappropriately traced back to the disposing entity.  

Consider other common situations of transferring assets such as selling a car.  Would one expect to be liable after legally selling a car with appropriate documentation to a buyer who then goes on to cause an accident? 

Call Them Out:

If a vendor has made this claim ask him/her to provide proof of a real world example where an organization has faced a fine, legal trouble, bad publicity or any other liability related to the sale of company IT assets.  Ask the vendor to provide any legal documents to support this claim.   

The Myth: Only vendors with this (insert any third party certification here) are doing things right and any other provider will be breaking environmental regulations and putting your organization at risk. 

When a competing vendor has very little to display that will separate their firm from the pack they might inflate the importance of the specific third party certifications they hold and make false claims that these certifications are the end all to your organization’s liability concerns.

The Fact:  There are two prominent certifications (R2, e-Stewards) commonly obtained by ITAD providers and these certifications include requirements to hold ISO 14001 as well as OHSAS health and safety management systems.  Both certifications are very similar, but neither guarantees a vendor will be compliant with your company’s environmental policy or legal regulations.

Doing your own vetting, documenting due diligence, and implementing a formal agreement is as important as your vendor maintaining a third party certification. 

Call Them Out:

If a vendor has made the claim that the certification they hold is superior or a must have certification ask them to prove this with metrics and supporting facts.  We also urge you to do your own research and see that the EPA and the Federal Government's policy, driven by an executive order from the President of the United States of America, values these certifications but does not favor one over the other.    

Myth: If your current provider is paying you for equipment or providing a no cost solution they are breaking environmental regulations and must be dumping the waste illegally either domestically or internationally. 

Many competitors utilize this scare tactic to get valuable equipment from companies and collect inappropriate fees. 

The Fact:

If an IT asset disposal vendor is buying your surplus equipment at a reasonable value it would make no business sense for that vendor to then throw away the stock or illegally export it as waste.  When a vendor pays for equipment your organization is at less of a risk.  In order to sell the surplus equipment the ITAD vendor will have to wipe data, clear networking equipment, re-image, and warranty the equipment as a functioning system to another buyer.

All ITAD providers should be able to provide a pricing model that accounts for the market value of a client’s disposable equipment.  If the equipment does not have value the client should incur a fee for destruction and management services.  If the equipment has some value but only covers the operating costs of the vendor a no cost solution can be appropriate and fair for both parties.  If the equipment’s value significantly exceeds the logistics and operating costs of the disposal vendor a credit or cash back for the equipment is due to the client. 

Call Them Out:

If a vendor makes this claim again ask them to provide a real world example where assets sold to a computer disposal provider at reuse value created a liability, fine, or negative publicity for the organization disposing of the assets.  Ask the vendor why would a company pay for a company’s disposable assets, or even take on the logistics costs of removing the equipment if they could not turn the product back into a profitable sale on the secondary markets. 


Topics: IT Asset Disposal, eWaste Disposal, Risk Management

5 Tips for Computer Disposal and Data Destruction

Posted by Frank Milia

Aug 17, 2015 10:42:00 AM

At ITAMG we have been advising our clients on the big picture best practices for IT asset management, computer recycling, and secure data erasure. The following are five specific tips to help you make the most of your IT asset disposal program.


1)     Communicate your needs.  We can help with refresh strategy, relocations, and more. As an IT asset management and disposal vendor we bring a unique perspective and skill set to advising on refresh projects, office and data center moves, and general procurement strategies.

 

Do:

Keep your asset disposal vendor in the loop on any major projects that affect your business operations and IT planning. We are familiar with a wide array of challenges that large organizations face during various projects and are happy to help your firm conquer them all.

Don’t:

Don’t wait until the final hour of a large project to enlist the help of your disposal vendor. The more lead time given to prepare statements of work, an action plan, quote costs and returns, and plan logistics the more likely a project will conclude successfully and within budget.

 

2)     Reset or clear any BIOS and Admin Passwords from laptops in order to assist with data erasure and re-imaging of machines for refurbishment and sale.

 

Do:

Create a repository of admin passwords by model or other machine attributes to share with your computer recycling vendor. At minimum keep a master list of all Admin Passwords. If your firm can’t share Admin Passwords make sure to set each machine to a default password before disposing of it.

Don’t:

Do not allow IT or other employees to create and use admin passwords that are not standardized or otherwise recorded for future reference. Don't expect full value for Apple equipment, laptops, or similar devices if admin passwords are not available or cannot be reset prior to disposal. 

 

3)     Instruct users to remove returned Apple devices from their iCloud accounts. iCloud is used to track lost or stolen assets and unless a device is removed from a registered account your company or disposal vendor may not be able to legally reuse valuable and desirable assets.

 

Do:

Notify users across your organization who are using personal iCloud accounts on company assets to remove their devices from the account when turning the asset back in. Create a repository for tracking iCloud user names and passwords for company generated iCloud accounts so devices can be removed from users' profiles and sold or otherwise reused.

Don’t:

Don’t allow users to use personal iCloud accounts on company owned assets. Put a policy and process in place for users to use company provided iCloud profiles for company owned Apple devices. Managing the devices this way will allow your firm to control the devices on the user’s account and ensure the assets are reusable or eligible for liquidation returns at retirement.

 

4)     Manage end of life data security appropriately.  Lock up unencrypted media that are threats of exposure until data destruction is performed.

 

Do:

When pulling machines out of the working environment make sure all data containing devices are locked in rooms, cages, or containers that are accessible only to employees with appropriate security clearance. Label and utilize locked containers to store any loose end of life media.

Don’t:

Don’t store assets or media in conference rooms, hallways, or open office spaces where the general public, building employees, or any other employees or visitors may be able to access them. Do not leave loose media or hard drives sitting in data centers, storage closets, or any other office space.

 

5)     Handle equipment with care during physical consolidation and internal relocation. Liquidation returns on equipment are contingent on the working and cosmetic conditions of surplus computer equipment.

 

Do:

Ask us about the safest way to move all different types of equipment. Moving equipment throughout an office using carts or commercial moving bins is probably your best option. Treat the equipment with the same level of care used during implementation when removing the equipment from the environment.  We are happy to provide tips on how to pack and move equipment efficiently and safely.  

Don’t:

Don’t grab or apply pressure to LCD screens, scratch screens by letting equipment rub together, excessively stack laptops, damage rail kits or face plates on servers, or cut power cords from UPS, power, or any other equipment.   Avoid packaging or dismantling equipment without clear direction from an ITAMG professional. Do not allow a commercial moving vendor to abuse retired equipment simply because it is categorized as excess, waste, retired, salvage or other.

 


Topics: IT Asset Disposal, Computer Liquidation, IT Management, Electronic Waste Management

Performing IT Asset Disposal Vendor Due Diligence (Part 2)

Posted by Frank Milia

Apr 1, 2015 8:38:00 AM

Part 2: Documenting a Site Visit to an IT Asset Disposal Service Provider

In this second installment of best practices for vetting a disposal vendor and documenting a process for electronic waste disposition IT Asset Management Group (ITAMG) is advising organizations to prepare for audits around eWaste recycling, environmental compliance, and data security for end of life media and IT assets by performing and documenting a site visit to the disposal vendor’s facility.

In the first post ITAMG described the importance of having a Master Service Agreement that covers the critical components of any IT asset disposal program.

It is important to note that the burden of performing due diligence when selecting a vendor and developing a compliant process extends further than signing an agreement with a third party vendor. It is in the stakeholders’ best interest to investigate and document firsthand the capabilities and infrastructure of any vendor handling electronic waste or data destruction projects regardless of the reputation, certifications, or track record the vendor may present.

Performing a site visit will help your organization vet a computer recycling firm by confirming and documenting several attributes and capabilities of the vendor. Consider you may be looking to confirm something as basic as the recycling vendor is operating inside a building with four walls and an enclosed roof (which is not surprisingly a requirement for many 3rd party certifications) all the way to more complex receiving, audit, and technology driven capabilities of the vendor such as the inventory tracking system, data wiping, and refurbishing capabilities of the firm.

Key attributes of the recycling facility and process to document:

  • Access controls and security of building, technical areas and warehousing
  • How and where shipments are received
  • Tracking process for loads and assets from receiving to shipping (recycle or final sale)
  • Process, tools, and infrastructure used to wipe and physically shred or destroy hard drives and other electronic storage devices
  • Inventory management system capabilities and equipment audit process
  • Inspection for general health and human safety conditions
  • Dismantling, refurbishing, technical, and packaging capabilities of the site

During your visit to the electronics waste recycling or IT Asset Disposition vendor’s facility take careful notes on the vendor’s process, infrastructure, tools, software, and volume of equipment in processing and assets in warehousing.

Ask questions to determine if the amount of assets your firm will be generating for disposal is in the scope of what the operation can handle. Use your best judgment to determine the capability of the vendor to service your needs in a timely manner.

Some vendors may have issues with photos being taken in certain places, but where allowed take as many photos as you can and use these photos to document your visit, the process, and capabilities of your selected vendor.

A documented site visit is a powerful display of due diligence and helps mitigate liability from an unlikely breach or exposure that could occur from an improper computer disposal. Once you have performed and documented your disposal vendor site audit, consider setting a recurring meeting to go over any major process or facility changes that may occur over time.

In the coming weeks we will be following this post with more on how to document your due diligence in sourcing downstream waste handlers, maintaining a secure data destruction program, and other important asset management, certification of destruction, and financial considerations to account for. 

 


Topics: IT Asset Disposal, Electronic Waste Management, Risk Management

Performing IT Asset Disposal Vendor Due Diligence

Posted by Frank Milia

Mar 10, 2015 12:58:00 PM

Part 1: Instituting a Master Service Agreement

IT Asset Management Group (ITAMG) will be publishing multiple blog posts to prepare organizations for audits around computer equipment disposal, environmental compliance, and data security for end of life media and storage assets.


In this first series of posts we will focus on advising organizations on how to develop a packet of documents that will provide auditors a clear explanation of the asset disposal process, the roles of the key stakeholders involved, and the responsibilities of internal and third party providers.

Your organization likely has an asset management system, decommissioning process, disposal vendor, and record keeping mechanism in place. It is important that these processes and responsibilities are documented in writing, responsibilities are understood across the organization, key stakeholders sign off on the process, and the information is archived and available when needed.

Having a Master Service Agreement (MSA) with a third party disposal provider is a critical aspect of being able to display the due diligence performed when selecting the IT asset disposal vendor being utilized. A MSA is a contract between two parties that will govern the future transactions between the parties.  

 

At minimum a MSA should cover in detail the following aspects of a disposal program:

  • Vendor Insurance Coverage
  • Environmental Practices- Standard / Certifications for eWaste Recycling
  • Data Security- Data Destruction Standards and Approved Methods
  • Data Privacy- Confidentiality Policy Including Commitment to Disclose Breach or Threat of Breach
  • Overview of Service, Processes, Financial Obligations, Asset Reporting, and Billing Standards

 

The MSA allows an organization and third party vendor to maintain a clear understanding of what is expected for all service delivery. The vendor can then provide statements of work or quotes in order to accomplish the goals of specific disposal and decommissioning projects.

If you have a MSA in place with a disposal vendor make sure to update the document as standards, policies, and industry regulations change. Having this agreement in place is an excellent beginning to documenting an organization’s disposal program. However, having a MSA is only one piece of the packet you need to build for a potential audit.

In the coming weeks we will be following this post with more on how to document your due diligence in sourcing downstream waste handlers, maintaining a secure data destruction program, and other important asset management, certification of destruction, and financial considerations to account for.

 
