Performing IT Asset Disposal Vendor Due Diligence

Part 1: Instituting a Master Service Agreement

IT Asset Management Group (ITAMG) will be publishing multiple blog posts to prepare organizations for audits around computer equipment disposal, environmental compliance, and data security for end of life media and storage assets.


On this first series of posts we will be focused on advising organizations on how to develop a packet of documents that will provide auditors a clear explanation of the asset disposal process, the roles of the key stakeholders involved, and the responsibilities of internal and third party providers.

Your organization likely has an asset management system, decommissioning process, disposal vendor, and record keeping mechanism in place. It is important that these processes and responsibilities are documented in writing, responsibilities are understood across the organization, key stakeholders sign off on the process, and the information is archived and available when needed.

Having a Master Service Agreement (MSA) with a third party disposal provider is a critical aspect of being able to display the due diligence performed when selecting the IT asset disposal vendor being utilized. A MSA is a contract between two parties that will govern the future transactions between the parties.

At minimum a MSA should cover in detail the following aspects of a disposal program:

  • Vendor Insurance Coverage
  • Environmental Practices- Standard / Certifications for eWaste Recycling
  • Data Security- Data Destruction Standards and Approved Methods
  • Data Privacy- Confidentiality Policy Including Commitment to Disclose Breach or Threat of Breach
  • Overview of Service, Processes, Financial Obligations, Asset Reporting, and Billing Standards

The MSA allows an organization and third party vendor to maintain a clear understanding of what is expected for all service delivery. The vendor can than provide statements of work or quotes in order to accomplish the goals of specific disposal and decommissioning projects.

If you have a MSA in place with a disposal vendor make sure to update the document as standards, policies, and industry regulations change. Having this agreement in place is an excellent beginning to documenting an organization’s disposal program. However, having a MSA is only one piece of the packet you need to build for a potential audit.

In the coming weeks we will be following this post with more on how to document your due diligence in sourcing downstream waste handlers, maintaining a secure data destruction program, and other important asset management, certification of destruction, and financial considerations to account for.