During the last CITAD class we were discussing the topic of Due Diligence and different things we can do to validate our vendor, their qualifications & capabilities, and more importantly define the process for how the disposition services will be performed and associated expectations. One of the concepts that runs central through all ITAM best practices is to have a defined process and your ITAD services are no exception.

When we think of KPA’s we can break them into categories like Core, Operating and Controlling. What I want to talk about is what type of documents should we have in place before we start working with a vendor, Controlling Documents, to ensure we will be getting the service and support that you need to support your ITAM Goals and ensure we minimize the risks associated with security, compliance, and sustainability, relating to end-of-use IT Assets.

1. Master Services Agreement or MSA.

This agreement establishes the foundational terms & conditions governing the relationship between your organization and the vendor. Some of the key facets are Liability, Insurance, Indemnification, Confidentiality, Compliance and Financial Requirements. This is kind of like the legal playbook and defines the terms for like, “What Happens When”.

2. Statement of Work – SOW.

This defines the services, the process and creates Service Level Agreements (SLAs) with details like timelines, scope of services, credentials, points of contact, reporting/documentation and pricing. This SOW must align with the MSA and help to govern the overall relationship.

3. Quote for Services

This would be a specific quote for a project that is covered by the terms and conditions of the MSA and SOW but would give some guidance relating to price, timelines, and services. It could be used for budgeting guidance or even be tied to a PO for a disposition service or special project like a refresh or acquisitions.

4. Security and Environmental Documentation

This would consist of insurance reviews, certifications like e-Stewards and NAID, R2 RIOS and others and their respective independent audit results. It should also document the recycling process and how the downstream vendors are managed as well as the operating history of the vendor. There should also be some oversight for logistics and general management for the transfer of ownership.

This is not an exhaustive list of everything you may want to have defined, but a good starting point to help protect your interests as well as those of your vendor. Think about what you have in place and what you may need to define and document!