Performing IT Asset Disposal Vendor Due Diligence (Part 2)

Posted by Frank Milia

Apr 1, 2015 8:38:00 AM

Part 2: Documenting a Site Visit to an IT Asset Disposal Service Provider

In this second installment of best practices for vetting a disposal vendor and documenting a process for electronic waste disposition, IT Asset Management Group (ITAMG) advises organizations to prepare for audits around eWaste recycling, environmental compliance, and data security for end of life media and IT assets by performing and documenting a site visit to the disposal vendor’s facility.

In the first post ITAMG described the importance of having a Master Service Agreement that covers the critical components of any IT asset disposal program.

It is important to note that the burden of performing due diligence when selecting a vendor and developing a compliant process extends further than signing an agreement with a third party vendor. It is in the stakeholders’ best interest to investigate and document firsthand the capabilities and infrastructure of any vendor handling electronic waste or data destruction projects regardless of the reputation, certifications, or track record the vendor may present.

Performing a site visit will help your organization vet a computer recycling firm by confirming and documenting several attributes and capabilities of the vendor. You may be looking to confirm something as basic as whether the recycling vendor operates inside a building with four walls and an enclosed roof (which, not surprisingly, is a requirement for many 3rd party certifications), all the way to the vendor’s more complex receiving, audit, and technology-driven capabilities, such as its inventory tracking system, data wiping, and refurbishing.

Key attributes of the recycling facility and process to document:

  • Access controls and security of building, technical areas and warehousing
  • How and where shipments are received
  • Tracking process for loads and assets from receiving to shipping (recycle or final sale)
  • Process, tools, and infrastructure used to wipe and physically shred or destroy hard drives and other electronic storage devices
  • Inventory management system capabilities and equipment audit process
  • Inspection for general health and human safety conditions
  • Dismantling, refurbishing, technical, and packaging capabilities of the site

During your visit to the electronics waste recycling or IT Asset Disposition vendor’s facility take careful notes on the vendor’s process, infrastructure, tools, software, and volume of equipment in processing and assets in warehousing.

Ask questions to determine if the amount of assets your firm will be generating for disposal is in the scope of what the operation can handle. Use your best judgment to determine the capability of the vendor to service your needs in a timely manner.

Some vendors may have issues with photos being taken in certain places, but where allowed take as many photos as you can and use these photos to document your visit, the process, and capabilities of your selected vendor.

A documented site visit is a powerful display of due diligence and helps mitigate liability for an unlikely breach or exposure that could occur from an improper computer disposal. Once you have performed and documented your disposal vendor site audit, consider setting a recurring meeting to go over any major process or facility changes that may occur over time.

In the coming weeks we will be following this post with more on how to document your due diligence in sourcing downstream waste handlers, maintaining a secure data destruction program, and other important asset management, certification of destruction, and financial considerations to account for. 

 


Topics: IT Asset Disposal, Electronic Waste Management, Risk Management

Calculate the Value of Used Computer Equipment

Posted by Frank Milia

Sep 16, 2014 2:27:53 PM

Perhaps the most common question people ask IT Asset Management Group is how do we figure out what surplus IT equipment is worth? In order for ITAMG to provide our clients with bids, proposals, and projections for surplus and end of life computer equipment, we research the most current sales pricing and values available on the secondary markets. We analyze the inventory of equipment our clients wish to dispose of and use recent sales and current offers on equipment in order to gauge what a fair market value is.

 


 

The value of used IT equipment is no different than any other product or commodity and is governed by the laws of supply and demand. New software platforms, product releases, regulations, canceling of product lines or support, and technology trends will change consumer demand for refurbished computer equipment and in turn affect the value of equipment on the secondary markets and what an IT asset disposal vendor will be able to pay out during a liquidation.

For instance, the value of useful equipment can be drastically reduced when a large organization disposes of a high volume of equipment in a small period of time. If a company decides they are no longer using a specific blade server, and disposes of thousands of a specific type of blade, the market will become flooded with this item.  In this situation, regardless of the equipment’s technological viability, the price will plummet on the secondary markets.

These factors are why ITAMG relies on the most current market information in order to develop our pricing and sales strategies. We work with enterprise clients to develop programs and processes to increase the returns during computer liquidation.

We understand our clients and community may benefit from a tool that would provide quick estimates on what surplus computer equipment may be worth. That is why we developed the ITAMG Depreciation Calculator that enables our clients to plug in the original purchase price of equipment and determine the depreciation cycle stage as well as an estimate on what the fair market value of the equipment might be.


ITAMG does not use this calculator to determine value propositions or bids for used computer equipment, but it is a handy tool to develop a refresh strategy and estimate how much returns a future disposal could generate.


Topics: IT Asset Disposal, computer hardware, Computer Liquidation

5 Attributes of a Successful IT Asset Disposition Program

Posted by Frank Milia

Aug 25, 2014 2:29:00 PM


Government agencies, corporations, and various institutions are taking measures to improve IT asset management and disposition practices in order to mitigate risk of a data breach, achieve environmental initiatives, and ensure optimal financial performance. The following are some key pieces to building a secure and efficient IT disposal program.  



 

1. Implement and utilize an asset management and inventory system

An asset management program’s success will be driven by the inventory tools and processes in place to track assets from cradle to grave, or in other words from the time of an asset’s implementation until the asset is recycled or liquidated. The inventory management system should be utilized to document when an asset is disposed of, its final destination (vendor and asset status), and what administrator or manager signed off on the disposition.

Having robust asset management data that includes model numbers, serial numbers, and other attributes and specifications of equipment also allows an organization to bid out an asset disposal contract more effectively and for more competitive returns.    

2. Track and maintain documentation of disposition and data destruction of assets

Asset management disposition data should be reconciled with the data provided by a firm’s disposal vendor. These inventory reports, settlements, and certifications of destruction and proper handling should be maintained in accessible formats.

The most sophisticated asset disposal programs utilize integration with a disposal vendor’s asset management software in order to confirm and document the disposition of an asset.  In the case of a full integration an asset management team can mark an item as shipped or disposed of and track the receiving, processing, sale, or recycling of the asset.

3. Sign a formal agreement with an IT asset disposition vendor or managed service provider

Take the steps to put an agreement in place with an IT asset disposal provider that documents your firm’s due diligence, understanding, and expectations of the vendor and performance milestones of the disposition program.

A standard Master Service Agreement (MSA) should include the following:

  • Data security and privacy policies (including process for disclosure of potential exposures)
  • Commitment to environmental recycling controls and compliant waste management
  • Insurance coverage
  • Overview of service levels, process, financial obligations, reporting and billing standards

4. Develop a data destruction process driven by NIST 800-88 Guidelines for Media Sanitization

If you’re unfamiliar with NIST 800-88 you can learn more from this introduction blog entry.

Developing a data destruction program to the best practices outlined by NIST 800-88 will ensure end of life data security as well as develop a process to maintain audit ready documents that are necessary to validate a firm’s data privacy compliance.

A program following the NIST 800-88 method will identify risk, categorize media, select effective eradication methods, set quality assurances, record and certify destruction of assets, and place responsibility of the program’s success on senior managers.    

Every organization should be considering the risk of a data breach caused by improper data sanitization and set eradication methods and disposal processes according to data privacy laws and industry specific regulations (e.g. HIPAA for health and human services).

5. Create an accounting mechanism to keep liquidation returns in the IT budget

IT asset managers and acting directors are tasked to quantify value to executive management and IT operations. Efficient liquidation of assets can yield significant returns, and these financial recoveries should not go unnoticed.

IT asset managers should develop accounting mechanisms to track returns from the disposal program as well as to keep the funds in the IT budget. This can be achieved by using a credit system for future product purchases or services instead of receiving direct payments from a disposal vendor. The disposal provider can provide goods and services directly or partner with an OEM or VAR to do so.  
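The reconciliation described under item 2 above, as an added example (not ITAMG's code and not any vendor's report format): it compares an internal disposition export with a vendor report and flags assets that lack a receipt, a certificate of destruction, or a sign-off. The CSV column names, serial numbers, and certificate IDs are constructed assumptions.

```python
import csv
import io

# Constructed sample data; column names are assumptions, not a real export format.
INTERNAL_CSV = """serial,model,data_bearing,status,signed_off_by
SN-1001,Latitude E6440,yes,shipped,j.doe
sn-1002 ,PowerEdge R620,yes,shipped,j.doe
SN-1003,U2412M Monitor,no,shipped,
SN-1004,ThinkPad T440,yes,shipped,a.lee
"""

VENDOR_CSV = """serial,received,disposition,certificate_id
SN-1001,2015-03-02,resold,COD-0001
SN-1002,2015-03-02,recycled,
SN-1003,2015-03-02,recycled,
SN-1999,2015-03-02,recycled,COD-0002
"""


def _load(text):
    """Parse CSV text into {normalized serial: row with stripped values}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        clean = {k: (v or "").strip() for k, v in row.items()}
        rows[clean["serial"].upper()] = clean
    return rows


def reconcile(internal_text, vendor_text):
    """Return serials grouped by the kind of documentation gap found."""
    internal, vendor = _load(internal_text), _load(vendor_text)
    shipped = {s for s, r in internal.items() if r["status"] == "shipped"}
    received = set(vendor)
    return {
        # Left our custody, but the vendor never reported receiving it.
        "missing_at_vendor": sorted(shipped - received),
        # Vendor reports a serial we have no record of shipping.
        "unknown_to_us": sorted(received - shipped),
        # Data-bearing asset received with no certificate of destruction.
        "no_certificate": sorted(
            s for s in shipped & received
            if internal[s]["data_bearing"] == "yes"
            and not vendor[s]["certificate_id"]),
        # Disposition recorded without an administrator or manager sign-off.
        "no_sign_off": sorted(
            s for s in shipped if not internal[s]["signed_off_by"]),
    }


if __name__ == "__main__":
    for issue, serials in reconcile(INTERNAL_CSV, VENDOR_CSV).items():
        print(f"{issue}: {', '.join(serials) or 'none'}")
```
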




Topics: IT Asset Disposal, IT Management, data sanitization, NIST 800-88

5 Lessons CIOs Can Learn from Star Trek: The Next Generation

Posted by Frank Milia

May 12, 2014 10:22:00 PM

Avid Star Trek fans and casual viewers alike probably agree that the show’s success is thanks to the moral and philosophical narratives that overshadow the fun science fiction, campy action, and special effects of the series.

The above image is from NASA.GOV. ITAMG is not affiliated with NASA and our use of this image does not imply NASA approves of this content or in any way endorses or utilizes our IT asset disposal services.

Recently I began to notice there were many managerial lessons to take away from the crew of the Starship Enterprise. In tough leadership dilemmas I even find myself asking the question: what would Captain Picard do? That is other than ordering up a tea, Earl Grey, hot. I’m more of a coffee drinker.

The following are 5 Tips from the TNG leadership that could improve any CIO or executive management team.  

1. Hire a “Chief of Security”, like Worf, and prioritize the security of your network, data, and fixed assets from attack by insiders, competitors, and criminals. In a recent PwC study “The Global State of Information Security Survey 2014” 18% of the companies surveyed felt their greatest obstacle to improving information security was due to a lack of experience and leadership from a CISO / CSO. Take a lesson from Picard and put an experienced security professional in charge of developing and implementing your security strategies. Worf always put security measures ahead of any other goal and you need a dedicated resource to do the same for your firm.

2. He may not be a beloved character but there is a lesson to be learned from the accelerated promotion of young Ensign Wesley Crusher. There is no place in or outside of the workplace for age, racial, gender, or any other type of discrimination. It is important to invest in all available talent through continuing education as well as to promote inside staff whenever possible. Furthermore, young energy and fresh perspective can create an exciting and creative approach to problem solving. There are also programs like All Star Code that can help your organization cultivate new technology candidates in communities that are currently underrepresented in the field. Well before attending the Academy Wesley Crusher proved himself as an unrivaled problem solver and a key member of the Enterprise’s success.

3. Follow the “Prime Directive” and do not abuse or overextend the power of your technological advancement. The culture of an information technology department should be one that champions service, availability, security, and innovation with the goal of supporting the key mission of the organization. Technology should provide for and enable users and never be utilized to inappropriately collect information, or interfere with the organization’s core operations. The best IT departments will provide service to users with a soft hand and a light presence. A CIO should disseminate a mission statement that matters: give your team a cultural identity and code of operation, and then make sure they live it.

4. During difficult times make sure as a leader you take a tour with the “away team”. An effective leader takes the time to report to the trenches in order to obtain a direct understanding of the challenges the team faces. In the most critical situations Captain Picard or First Officer William Riker would step into action to ensure success. Getting on the front line of issues now and then will command respect from your employees and make sure you are analyzing problems with a real world perspective.

5. Boldly go where no CIO has gone before. Technology is now the foundation for the success of almost every business or institution. In order for a CIO to be successful he or she needs to be a master of the mundane (think email and help desk) as well as the intellect behind innovation (think analysis of big data, transition to outsourcing and cloud services, and development of core business processes). More often than ever CIOs are being considered for CEO positions as organizations look to the CIO to lead the company's overall direction and drive profitability through efficiency and lean processes. In any leadership role it is important to be free to experiment, change the course, and head into the unknown.           

 


Topics: IT Asset Disposal, Management Tips, IT Management, Information Security

Intro to NIST 800-88: Data Destruction Best Practices

Posted by Frank Milia

Dec 5, 2013 8:24:00 PM

Attackers are targeting confidential information that is easier to access because it is housed on company hard drives that are improperly disposed of. One must have data destruction policies and procedures in place to ensure a data breach doesn’t occur. The Guidelines for Media Sanitization (NIST Special Publication 800-88 Rev 1) from the National Institute of Standards and Technology clearly lay out best practices.

In this document three forms of compliant sanitization are defined: clear, purge, and destroy.

 

  • Clear: Overwriting storage space with non-sensitive data is one way to sanitize media. This method is not effective for media that is damaged or not rewriteable. The media type and size may also influence whether overwriting is a suitable sanitization method [SP 800-36].
  • Purge: Acceptable forms of purging include degaussing and executing the firmware Secure Erase command (for ATA drives only).  In degaussing a magnetic field is used to sanitize media. Degaussing is effective when working with damaged media, purging media with exceptionally large storage capacities, or for purging diskettes [SP 800-36].
  • Destroy:  Sanitization methods used to completely destroy media include Disintegration, Pulverization, Melting, and Incineration.  Destruction methods are typically outsourced to an organization capable of performing these tasks safely and effectively.  Pulverization is commonly referred to as Hard Drive Shredding in the IT asset disposal industry.  

The NIST 800-88 document provides the below Media Sanitization Decision Matrix containing media-specific lists regarding the options of clear, purge, and destroy.

[Figure: Media Sanitization Decision Matrix from NIST 800-88]

 

Media that contains proprietary, confidential material, or is otherwise deemed to be a high risk must be given priority and the strictest controls and destruction methods should be employed.

 


ITAMG handles media sanitization in accordance with the National Institute of Standards & Technology (NIST) Special Publication Series 800-88. We can work with you to implement the most appropriate methods of disposal for your media and establish your secure and audit ready data destruction programs.


Topics: IT Asset Disposal, data security, data destruction, data sanitization, NIST 800-88

   
