How to Choose an ITAD Provider? Not an Easy Task

By Jeffrey Dean

Introduction

Since the introduction and acceptance of the computer as a necessary and standard business tool, the advancement in technology can only be described as staggering. While advancements in IT provide efficiencies and added productivity for individuals and businesses, they have also created ongoing challenges for security professionals tasked with designing countermeasures to mitigate vulnerabilities associated with the use of IT assets. While there are many issues which must be addressed, the most important are those associated with the protection of the data used by and stored within IT assets. These challenges extend to the companies that provide disposition services for IT assets that the owner has designated as no longer useful.

The disposition of unwanted IT assets is increasingly handled by an emerging industry, Information Technology Asset Disposition, or ITAD. While the ITAD industry continues to evolve and vendors continue to increase their capabilities to support clients and the industry as needed, the majority of the IT disposal market remains with small, local vendors, many of which are in the business to ship the assets to third world countries or simply remove the components they want from the asset and dispose of the rest in a landfill.

Responsibilities

Do companies take the proper precautions to safeguard their brand name by not only ensuring appropriate disposal of retired (end-of-life) IT devices per environmental regulations, but also ensuring these devices have been properly sanitized and all sensitive data destroyed?

Significant research has been completed which has identified specific reasons why companies should have a robust IT lifecycle management system in place that includes how they intend to disposition assets deemed no longer useful. Proper management of end-of-life assets can not only reduce ongoing costs by ensuring the cancellation of software licenses and using funds obtained through the remarketing of assets to offset some of the costs of new assets but, most importantly, protect the company’s reputation by ensuring effective data sanitization and environmentally safe disposal. Even with several federal and state regulatory requirements in place that specifically address information security and electronic waste disposal, many companies elect to use unreliable disposal vendors and/or simply avoid the issue by storing unused assets locally. Many of the companies that have a robust management system in place have elected to do so only after they have been subject to scrutiny for data loss or for not embracing “green” practices.

Selecting an ITAD Partner

Since the ITAD industry appeared with the emergence of the electronics industry, it has been dominated by a plethora of small companies, many of which treat ITAD as general waste. As technology advanced and the projected monetary worth of the global ITAD market significantly increased, the industry matured, with companies forming that specialize not only in providing disposition services but also in having the capabilities and national / international footprint needed to support large customers. As the ITAD industry matured, it was quickly realized that the procedures used to address the two primary risks associated with ITAD, data security and the disposition of e-waste, had to mature as well in order to keep pace with new technology and ever-changing regulatory requirements. So, with the many companies claiming to be the best, how do you select the one company best suited to provide the services needed to support your program?

While reputable ITAD providers embrace the concept of ITAD, their processes differ. Vetting these providers can be difficult unless your request for information is specific to this industry. Initially, you need to reduce the potential providers to a manageable number. This can be accomplished with some general guidelines or requirements you desire, such as:

  • Is the provider a well-established company?
  • Is ITAD all they do?
  • Has their data-wiping software been validated?
  • Do they have an online portal for serialized asset tracking?
  • Do they provide a serialized data destruction report?
  • Are all operations clearly documented?
  • Do they follow data sanitization guidelines using NIST 800-88 Rev. 1?
  • Do they understand laws and regulatory requirements concerning data protection, data loss reporting and disposal of e-waste?
  • What industry-related certifications are in place at all of their operating facilities?

In addition to having robust processes for proper disposition, ITAD companies must also ensure the physical security of assets and the data they contain. Comprehensive and overlapping security processes, procedures and systems are essential to protecting data-bearing assets throughout the disposition process. Clients trust their reputation and brand name, as well as the information stored within IT assets, to the company performing ITAD services. While many ITAD companies provide a level of indemnification to their clients for the loss of data, any loss would damage the client’s reputation and brand name, a loss that no level of indemnification can compensate for.

Once you have narrowed your selection to a reasonable number of companies, you can begin to ask specific questions designed for this industry. I recommend using the ITAD company certification requirements outlined in the Asset Disposal and Information Security Alliance (ADISA) Standard. ADISA is an industry accreditation scheme for companies that provide IT Asset Disposal services. This certification standard outlines the criteria a user of these services should review before selecting an ITAD partner. The standard measures 200 separate criteria in the following areas:

Module 1: Business Credentials: When choosing a supplier for these critical IT Security Services, the best place to begin is with an assessment of the status of their business. This includes basic financial checks, verification of claims for certifications, levels of insurance and investigation and verification of permits held.

Module 2: Logistics: Module 2 focuses on the logistics activity associated with the transportation of assets from the client’s site to processing facilities. Risk of loss of assets during this process is assessed both in terms of the probability of physical loss or theft and in terms of control and management of the chain of custody. It is imperative that equipment is controlled at the point of collection, such that verification on receipt is confirmed and the risk of potential losses during logistical transfer is minimized.

Module 3: Processing Facility: Companies that offer IT Asset Disposal services come from many different backgrounds and the way in which equivalent services are delivered can vary dramatically, not only company to company but also site to site. For this reason, the assessment of each individual processing facility is essential to deliver an independent verdict on the capability of an ITAD to meet all required elements. This module assesses all aspects of the ITAD processing facility.

Module 4: Waste Management: This module seeks to offer a basic assessment of a certified company’s capability for handling WEEE and/or e-waste.

Module 5: Re-Use: This module looks at how each ITAD can make products ready for re-use, so that the second (or third) life of the asset offers the user confidence that it has been processed for re-use in the best possible way.

Module 6: On-Site Services: For many end-users the risk of releasing assets outside of their own control is too great and as such they often wish to conduct data sanitization services on their own premises.

Summary

Do companies take the proper precautions to safeguard their brand name by not only ensuring appropriate disposal of retired (end-of-life) IT devices per environmental regulations, but also ensuring these devices have been properly sanitized and all sensitive data destroyed?

Significant research has been completed which has identified specific reasons why companies should have a robust IT lifecycle management system in place that includes how they intend to disposition assets deemed no longer useful. Proper management of end-of-life assets can not only reduce ongoing costs by ensuring the cancellation of software licenses and using funds obtained through the remarketing of assets to offset some of the costs of new assets but, most importantly, protect the company’s reputation by ensuring effective data sanitization and environmentally safe disposal. In order to achieve this objective, companies must have a detailed disposition plan in place that includes an ITAD partner who has been thoroughly vetted and can be trusted to protect and sanitize data and dispose of e-waste in an environmentally safe manner.

About the Author

Jeffrey Dean is the Vice President – The Americas of Adisa.