Checklist: Protecting Data During IT Asset Disposition

By Sean Magann

While not every business is required to protect every speck of data stored on its IT equipment, most companies find it is in their best interest to do so anyway. However, without structure or guidance, and given the large variety of devices that store data (servers, hard drives, mobile devices, printers and more), some data can be overlooked by accident.

In an evolving environment, IT leaders will continuously need to recognize new methods for data protection not only on working devices but on retired IT assets as well.

According to a worldwide survey, nearly two-thirds (64 percent) of consumers say they are unlikely to do business again with a company that experienced a breach in which financial information was stolen [1]. In addition, almost half (49 percent) had the same opinion about data breaches in which personal information was stolen.

Currently most companies are focusing strongly on beefing up their digital security, so data thieves may search for the lesser-known gaps in security where there is less resistance. Security gaps that are often overlooked are those that exist during IT asset disposition. Thankfully, there are things you can do to ensure that, at least during the disposition of your IT equipment, those gaps are closed.

Make sure data is legitimately wiped

Various options for data wiping exist: there are programs you can purchase, and there are companies that can do this for you. If done correctly, data wiping procedures are generally 99.999 percent effective, a level acceptable even to the United States Department of Defense.

While performing this task internally can be a legitimate solution, we like to point out that the statistic holds true only “if done correctly”. It is therefore recommended to ensure accountable data destruction by outsourcing this service, especially for companies that need to wipe a large number of hard drives. Work with a vendor that continues to develop its wiping system, supporting ongoing updates as well as fail-safes for scenarios where a wipe is unsuccessful. This gives you confidence that your vendor is continuing to improve its systems, so the solution that works today will also be viable tomorrow. Your IT asset disposition vendor should have the operational excellence to ensure nothing slips through the process, and it should also be cognizant of continual technological development. Recently, for example, there have been issues with the wiping of solid state drives and some models of mobile devices.

Some vendors can also offer secondary verification of hard drives. This is a process in which the vendor takes a percentage of the wiped hard drives and verifies again that all data has been removed. This provides further reassurance that all data has been removed securely. This type of service is generally performed on a regular basis to maintain the quality of the service and ensure data wiping accuracy.
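The secondary verification described above boils down to two steps: pick a sample of drives that the wiping tool reported as successful, then read each one back independently and confirm nothing but the expected fill pattern remains. The following script is an added example written for this article; it is not code from the article's author or from any vendor's system. It assumes a drive is represented by any binary file-like object (here a constructed in-memory image, but a block device opened read-only in binary mode works the same way) and that a correct wipe leaves every byte equal to 0x00.

```python
"""Wipe verification with secondary-verification sampling (added example).

Assumptions: a drive is any binary file-like object; a wiped drive contains
only the fill byte (0x00). Sample images below are constructed, not real drives.
"""
import io
import math
import random
from typing import BinaryIO, Dict, List, Optional

CHUNK = 4096  # read size; fine for in-memory images and real block devices


def find_residual_data(dev: BinaryIO, fill: int = 0x00, chunk: int = CHUNK) -> Optional[int]:
    """Return the offset of the first byte that is not `fill`, or None if the
    whole device matches the fill pattern (i.e. the wipe held)."""
    expected = bytes([fill]) * chunk
    offset = 0
    dev.seek(0)
    while True:
        block = dev.read(chunk)
        if not block:
            return None
        if block != expected[: len(block)]:
            # Block comparison is fast; only on mismatch do we locate the exact byte.
            for i, b in enumerate(block):
                if b != fill:
                    return offset + i
        offset += len(block)


def is_wiped(dev: BinaryIO, fill: int = 0x00) -> bool:
    return find_residual_data(dev, fill) is None


def choose_sample(serials: List[str], percent: float, seed: Optional[int] = None) -> List[str]:
    """Pick which reportedly wiped drives get re-verified. The sample size is
    rounded up so even a small batch has at least one drive checked, and an
    optional seed makes the selection reproducible for the audit record."""
    if not 0 < percent <= 100:
        raise ValueError("percent must be in (0, 100]")
    k = max(1, math.ceil(len(serials) * percent / 100))
    rng = random.Random(seed)
    return sorted(rng.sample(serials, k))


def secondary_verification(drives: Dict[str, BinaryIO], percent: float,
                           seed: Optional[int] = None) -> Dict[str, Optional[int]]:
    """Re-verify a sampled percentage of drives. Returns {serial: offset of first
    residual byte, or None when the drive is clean}."""
    return {s: find_residual_data(drives[s]) for s in choose_sample(list(drives), percent, seed)}


# Constructed 1 MiB sample images (hypothetical serial numbers).
SIZE = 1 << 20


def _image(residual_at: Optional[int] = None, payload: bytes = b"CONFIDENTIAL") -> io.BytesIO:
    buf = bytearray(SIZE)
    if residual_at is not None:
        buf[residual_at:residual_at + len(payload)] = payload
    return io.BytesIO(bytes(buf))


SAMPLE_BATCH = {
    "SN-0001": _image(),
    "SN-0002": _image(residual_at=700_000),  # tool reported success but data remains
    "SN-0003": _image(),
    "SN-0004": _image(),
}

if __name__ == "__main__":
    for serial, off in secondary_verification(SAMPLE_BATCH, percent=100).items():
        print(serial, "OK" if off is None else f"FAIL: residual data at offset {off}")
```

Running the block re-checks every constructed drive and flags SN-0002, whose wipe "succeeded" according to the tool but left a payload behind. In a real programme the percentage, seed and per-serial result would all be kept with the batch record so the check itself is auditable.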

Either way, whether data wiping is completed internally or through a vendor that offers only this service, what happens to the physical hard drive? Some companies offer holistic solutions that also provide the opportunity to reuse or resell your equipment, giving you a higher value recovery and a better environmental outcome. It is advised to be very selective if you choose this route, starting with the development of a comprehensive RFP to assist you in your vendor selection.

Review the security of equipment during transit

Electronics tend to be among the most sought-after products when it comes to cargo theft. In 2012, Freight Watch International reported a global average value per theft incident of $382,732 for electronics [2], and this does not take into consideration the value of the data stored.

With a variety of solutions for data wiping, one of the first steps is getting the equipment to the facility where these services are conducted. Internationally, there is an association that sets standards for secure transportation, the Transported Asset Protection Association (TAPA). Its certification is one to note, but otherwise physical auditing of the transportation process is the best approach to ensuring your equipment arrives safely.

It is important to point out that when a vendor drives away with your retired IT equipment, the risk does not leave with it. If a company’s laptop were stolen from a truck and data were exposed, the company would still be liable. Therefore it is always recommended to have a dedicated truck that holds only your material, and to ensure there is a seal on the back of the truck whose number is recorded prior to departure and again upon arrival at the processing facility.

Alternatively, over the past five years more options have arisen for data destruction to occur at your location. Sims Recycling Solutions in particular has mobile shredding vehicles with shredding technology that can physically destroy thousands of hard drives per day. This service can begin with wiping and/or degaussing of hard drives right at your office’s location. Hard drives can then be loaded onto the truck and fed through the physical shredding system on the spot. The costs for a service such as this are minimal compared to the costs that could accumulate from legal liability and fees, and from loss of future business.

Determine if the destination has proper tracking and facility surveillance

While it’s important to ensure secure transportation of IT assets, it doesn’t end there. The next step is making sure all items remain secure once they arrive. Security and tracking of IT assets while they are processed at the disposal facility is important for a few different reasons. The security features of the building (which should typically include restricted access, 24/7 surveillance, on-site guards, metal detectors, and more) protect any confidential or proprietary equipment that may be present. In addition, thorough tracking of assets through serial number capture, scanned barcodes and sophisticated internal reporting systems gives you the ability to know where your assets are and to report on these items for internal records.
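The seal recorded at departure and arrival (transit section above) and the serial-number capture at the facility (this section) are two halves of one chain-of-custody check: the arrival record must show the same seal and the same set of serials as the pickup manifest, and any difference is a discrepancy to be investigated before processing continues. The script below is an added example illustrating that reconciliation; it is not the article author's code nor any vendor's tracking system. It assumes a simple constructed scan-log format of `<timestamp> SEAL <number>` and `<timestamp> ASSET <serial>` lines, and the serials, seal numbers and timestamps in it are invented sample values.

```python
"""Chain-of-custody reconciliation between pickup and arrival (added example).

Assumed log format (constructed for this example, one event per line):
    <ISO timestamp> SEAL <seal number>
    <ISO timestamp> ASSET <serial number>
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set


@dataclass(frozen=True)
class CustodyRecord:
    location: str
    first_timestamp: Optional[str]
    seal: str
    serials: FrozenSet[str]


@dataclass
class Discrepancy:
    seal_mismatch: bool
    missing: Set[str]      # on the pickup manifest but never scanned on arrival
    unexpected: Set[str]   # scanned on arrival but absent from the manifest

    def ok(self) -> bool:
        return not (self.seal_mismatch or self.missing or self.unexpected)


def parse_log(text: str, location: str) -> CustodyRecord:
    """Build a custody record from a scan log. Duplicate ASSET scans are harmless;
    zero or conflicting SEAL lines are an error because the seal is the evidence
    the load was not opened in transit."""
    seals: Set[str] = set()
    serials: Set[str] = set()
    first_ts: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts, event, value = line.split()
        first_ts = first_ts or ts
        if event == "SEAL":
            seals.add(value)
        elif event == "ASSET":
            serials.add(value)
        else:
            raise ValueError(f"{location}: unknown event {event!r}")
    if len(seals) != 1:
        raise ValueError(f"{location}: expected exactly one seal number, got {sorted(seals)}")
    return CustodyRecord(location, first_ts, seals.pop(), frozenset(serials))


def reconcile(departure: CustodyRecord, arrival: CustodyRecord) -> Discrepancy:
    """Compare the sealed pickup manifest against what was scanned in at the facility."""
    return Discrepancy(
        seal_mismatch=departure.seal != arrival.seal,
        missing=set(departure.serials - arrival.serials),
        unexpected=set(arrival.serials - departure.serials),
    )


def report(d: Discrepancy) -> str:
    lines = ["seal: " + ("MISMATCH" if d.seal_mismatch else "intact")]
    lines += [f"missing on arrival: {s}" for s in sorted(d.missing)]
    lines += [f"not on manifest: {s}" for s in sorted(d.unexpected)]
    lines.append("result: " + ("CLEAR" if d.ok() else "HOLD FOR INVESTIGATION"))
    return "\n".join(lines)


# Constructed sample logs (hypothetical serials and seal numbers).
PICKUP_LOG = """
2024-05-02T08:05 SEAL 7731042
2024-05-02T08:07 ASSET SN-1001
2024-05-02T08:07 ASSET SN-1002
2024-05-02T08:08 ASSET SN-1003
2024-05-02T08:08 ASSET SN-1003
"""
ARRIVAL_LOG = """
2024-05-02T13:40 SEAL 7731042
2024-05-02T13:52 ASSET SN-1001
2024-05-02T13:52 ASSET SN-1003
2024-05-02T13:53 ASSET SN-1009
"""
TAMPERED_ARRIVAL_LOG = ARRIVAL_LOG.replace("7731042", "7731043")

if __name__ == "__main__":
    print(report(reconcile(parse_log(PICKUP_LOG, "pickup"), parse_log(ARRIVAL_LOG, "facility"))))
```

With the constructed logs, the seal matches but SN-1002 never arrived and SN-1009 was scanned in without being on the manifest, so the load is held rather than cleared; swapping in the tampered arrival log additionally flags the seal. Both conditions are what the seal-and-serial procedure in the text exists to catch, and keeping the parsed records gives you the internal reporting trail the section mentions.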

There are two certifications valued in the industry that are aimed at helping businesses identify and understand the security measures in place. By understanding security measures more efficiently, IT executives can quickly and easily narrow down their vendor selection. ISO/IEC 27001 is a standard that introduces best practices for organizations to manage the security of assets such as financial information, intellectual property, employee details or client data. This global certification is valued among the other ISO standards and is becoming more common in the IT asset disposal industry.

The Asset Disposal and Information Security Alliance (ADISA) is another standard, launched in 2010, which is specific to the IT asset disposition industry. Assessments for this certification involve unannounced operational and forensic audits by United Kingdom Accreditation Service (UKAS) certified auditors. This provides global businesses with reassurance that certified vendors operate to the highest industry standards and reflect best practices for the handling and carrying of IT assets at their facilities.

Vendors without these security certifications could very well offer a suitable high-security service; you just won’t know for sure until you do further due diligence.

Understand resale channels and confirm ethical methods for reuse

While data security is the priority, some vendors offer solutions for the hardware disposition as well. If any equipment still holds resale value, refurbishing and remarketing services can be a great way to maximize your return on investment. This is an area, however, where you must proceed with caution.

It is usually ideal to work with one vendor. However, even if you’re comfortable with one service your vendor provides, it is smart to do your due diligence and understand all services offered, as if you were using separate companies for each service. In the long run it will prove worth your time.

Risks that could be posed include the following:

  • Selling equipment with data that remains or is recoverable,
  • Poor tracking of assets, leaving questions about the inventory of remaining assets, and/or
  • Pricing items inaccurately, robbing you of your potential return.

There are a few things you can do to add some credibility to a vendor’s reuse processes.

1. Determine how items are resold
If items are sold through a platform such as eBay, look up and review the vendor’s profile to understand its user ratings and become familiar with the inventory and buyers.

2. See the process firsthand
If it’s possible, go to the site and witness the operation in action. Do the employees appear to have strict standards and protocol? Are the services being conducted in a secure environment? Are items being handled carefully and cleaned prior to being packaged and resold?

Often knowing and understanding the operations a little more intimately can provide a better eye for illegitimate processes.

Confirm end-of-life assets are shredded and recycled

If an IT asset has undergone data destruction and no longer holds any resale value, asset disposal is the next step. It is important to ask questions about the final disposition of your end-of-life IT assets, because if it is done irresponsibly your company would suffer the repercussions. There are parts of the developing world that illegitimate recyclers have used to dump old e-waste. If your equipment ended up in a third-world country, someone could potentially pull the asset tags and determine that you were a company contributing to the toxic environment and wrongful disposition of e-waste.

Whether you or your vendor is handling the data wiping, the process should include removal of hazardous components, shredding of equipment and then separation of the shredded commodities. Those commodities of value are then sent to downstream recyclers for reuse, and the refined commodities are sold to manufacturers to be made into new products. Recycling vendors usually provide certificates of destruction and recycling, and in some cases allow you to witness the destruction, providing you with a certificate of witnessed destruction as well. These documents can be helpful for compliance or security documentation as well as for any reporting or recognition of environmental efforts. This service also leaves you with the peace of mind of knowing your old equipment has been shredded into pieces, leaving minimal risk of data retrieval.

As data breaches become more sophisticated there will only be an increasing number of security protocols to watch for. As a recipient of the 2015 Computer Security Magazine’s “Secure Data Erasure Company of the Year” award, Sims Recycling Solutions recommends ensuring data destruction prior to the equipment leaving your facility. The on-site services provided by Sims make this option possible in a high-security setting. Otherwise, these five steps should help validate your vendor selection and avoid any risks tied to data exposure as a result of IT asset disposition.

For more information on IT asset disposition please visit the Sims Recycling Solutions website.

Sources:

1. http://www.darkreading.com/attacks-breaches/global-survey-by-gemalto-reveals-impact-of-data-breaches-on-customer-loyalty/d/d-id/1323525
2. https://www.naed.org/NAEDDocs/Research/Legal%20Issues/FreightWatch%202013%20Global%20Cargo%20Theft%20Threat%20Assesment%20Full_0.pdf

About the Author

Sean Magann is the Global Vice President of Sales & Marketing at Sims Recycling Solutions.