Five Steps to Building an ITAD Program

By Brooks Hoffman

For most businesses, there’s a growing recognition that IT Asset Disposition (ITAD) isn’t just about managing e-waste. Organizations know that limiting data privacy risk, lowering Total Cost of Ownership (TCO), and ensuring sustainable business operations require a complete lifecycle approach to managing hardware assets – including a set of well-documented and implemented policies and procedures.

The fact is that record growth in PC and device demand, coupled with an increasingly distributed workforce, has raised the level of risk significantly. Businesses are dealing with increasing and rapidly changing government regulations and industry standards aimed at ensuring data privacy and/or sustainability that have far-reaching implications for the management of end-of-life IT assets. Organizations are well aware of fines, lawsuits, reputation risk, and other ramifications from their failure to comply. It’s no surprise that a recent survey by IDG and Iron Mountain showed that data security tops the list of concerns of IT leaders in managing retired hardware, followed by the ability to meet local, state, federal and industry regulations.

You know the consequences and the stakes, but perhaps don’t know where to start building a formal ITAD program. You’re not alone. Some 60% of medium-to-enterprise size organizations have no ITAD program in place. Half of businesses hold on to end-of-life IT assets, and worse, nearly one quarter don’t wipe data from those assets, according to IDG.

Where do I start?

The most important part of building an ITAD program is to develop a framework and a process for managing retired assets that ensures a secure chain of custody – an auditable paper trail that establishes a record of the control, transfer, and final disposition of all hardware and magnetic media. Secure chain of custody is a critical ITAD success factor because it ensures compliance, reduces risk, and facilitates better cost management.

Starting from this point will ensure that the ITAD program ties together all of your organization’s goals for sustainability and environmental responsibility, data privacy, and compliance with industry and government regulations.

What steps do I take to implement an ITAD program?

With the overriding objective of establishing a secure chain of custody, you can now begin to take steps to implement a successful ITAD program. These include:

  1. Assemble a multi-stakeholder team to develop and enforce the policy. If you don’t have someone currently handling your ITAD program, you’re not alone. It’s one of the most common issues we see.  Start formalizing ITAD by bringing together members of IT, Procurement, Security (both digital and physical), Legal, Sustainability, Finance and Facilities Management (those old laptops and phones are being stored somewhere). This team should develop a policy that defines the asset types, which ones should be tracked, requirements for tracking them, how they should be sanitized, and appropriate methods of disposal.
    Once the policy is created, appoint champions to communicate it and implement a formal training regimen to ensure that employees understand and follow it. Most importantly, make clear the consequences for not following the policy.
  2. Institute strong internal controls. One of the biggest problems we run into is a lack of knowledge of where all of the IT assets and media are, especially those that are no longer in service. The policy should define the procedures for tracking assets, including assigning ID numbers. This information should be accessible in a centralized system that enables users to determine the location and status of the assets – from initial procurement, during their entire service lives, through final disposition. Internal controls should also include measures to prevent access to devices once they are taken out of service, but be mindful that encrypting data is not the same as data sanitization. Wiping or physically destroying the data-bearing media will still be required for full lifecycle management.
  3. Decide what you need to destroy on-site. The increase in data breaches, coupled with greater regulatory compliance concerns, has led more organizations to require that all data-bearing media be destroyed or sanitized before it ever leaves their premises. Regardless of whether the data destruction occurs onsite or offsite, you should utilize intent lists and reconciliation to the vendor’s final audit report in order to confirm that nothing was missed or overlooked in the process.
  4. Consider what happens when items need to be trucked off site. Transportation is a critical link in the secure chain of custody. If your ITAD vendor is using third-party carriers (3PLs) to transport retired assets, problems can occur. All vehicles should be locked, alarmed, and GPS monitored. Drivers should be subjected to criminal background checks. Secure transportation plays a huge part in ensuring that all assets arrive at their intended destination so that they can be properly remarketed/resold, recycled, or destroyed.
  5. Be mindful of certifications vs. certificates of recycling. A certificate of recycling is just a document. Certifications by reputable third parties such as e-Stewards and R2 demonstrate that all retired equipment will be processed in accordance with environmental standards, employee health and safety regulations, and data security laws.

While third-party certifications can provide additional assurance of an ITAD provider’s compliance with applicable regulations and industry best practices, you should also undertake your own independent due diligence. Understand how the provider ensures secure chain-of-custody of the assets. Investigate your ITAD partner’s ability to provide detailed and automated reporting. You should be able to receive audit reports that list the individual weights, makes, models, and serial numbers of each asset processed. Visit the company’s facility and interview their existing clients.
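The reconciliation described in step 3, run against the kind of serial-level audit report described above, can be automated. The following is an added example, not code from the author or Iron Mountain; the CSV column names and all sample records are constructed assumptions.

```python
import csv
import io

# Constructed sample data; column names are assumptions for this example.
INTENT_CSV = """asset_id,serial,make,model
A-1001,SN-AAA111,Dell,Latitude 7400
A-1002,sn-bbb222 ,Lenovo,ThinkPad T480
A-1003,SN-CCC333,HP,EliteBook 840
A-1004,SN-DDD444,Apple,iPhone 8
"""

AUDIT_CSV = """serial,make,model,weight_kg,disposition
SN-AAA111,Dell,Latitude 7400,1.4,wiped-resold
SN-BBB222,Lenovo,ThinkPad T490,1.6,wiped-resold
SN-DDD444,Apple,iPhone 8,0.15,shredded
SN-DDD444,Apple,iPhone 8,0.15,shredded
SN-EEE555,Dell,OptiPlex 3060,5.2,recycled
"""

def norm(serial):
    # Hand-keyed serials often differ only in case or stray whitespace.
    return serial.strip().upper()

def load(text):
    # Index rows by normalized serial; record serials that appear twice.
    rows, dupes = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        key = norm(row["serial"])
        if key in rows:
            dupes.append(key)
        else:
            rows[key] = row
    return rows, dupes

def reconcile(intent_text, audit_text):
    intent, intent_dupes = load(intent_text)
    audit, audit_dupes = load(audit_text)
    mismatched = sorted(
        s for s in intent.keys() & audit.keys()
        if any(intent[s][f].strip().lower() != audit[s][f].strip().lower()
               for f in ("make", "model"))
    )
    return {
        "missing_from_audit": sorted(intent.keys() - audit.keys()),   # custody gap
        "not_on_intent_list": sorted(audit.keys() - intent.keys()),   # untracked asset
        "attribute_mismatch": mismatched,                             # possible swap or typo
        "duplicate_serials": sorted(set(intent_dupes + audit_dupes)),
    }

if __name__ == "__main__":
    for finding, serials in reconcile(INTENT_CSV, AUDIT_CSV).items():
        print(f"{finding}: {serials or 'none'}")
```

Any serial under missing_from_audit is an asset that left your control without a recorded disposition and should be escalated to the vendor before the job is closed.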

The PC market had its fastest growth in 20 years during the first quarter of this year. Smartphone sales are forecasted to rise by 11% in 2021. Global e-waste is projected by the U.N. to reach 74 million tons by 2030, almost double the amount that was produced in 2014.

It all means that ITAD will increasingly become a crucial part of IT asset management, data security, and Environmental, Social, and Governance (ESG) strategy.  Be an ITAD leader and begin formalizing your program today.

About the Author

Brooks Hoffman serves as Principal on the Product Management team for Iron Mountain’s Secure IT Asset Disposition (SITAD) service. He is responsible for coordinating the global delivery of SITAD across Iron Mountain’s current network of 27 countries. Brooks possesses over 17 years of experience in the ITAD industry, having formerly co-founded and served as CFO for LifeSpan, a national ITAD firm based in Denver, Colorado. He is a member of the e-Stewards Leadership Council and is a frequent speaker and author on the subjects of Data Destruction, Third-Party Certification, and ITAD Best Practices.