The Wide Spectrum of IT Asset Disposal Practices

In Featured Articles by IAITAM

It wasn’t too long ago that business planners gave little or no consideration to things like LAN connections, Wi-Fi, internet speed, computers, printers, smartphones and all of the other Information Technology equipment that we have come to accept as mandatory for normal daily business operations.

As each year passed, the collective pool of business assets grew exponentially and with it grew the importance of IT asset management principles and practices used in businesses throughout the world. For decades, businesses of every imaginable purpose have embraced the use of IT assets to surge forward at the speed of technology. I also believe that business as we know it would not survive without the IT assets we have become so dependent upon.

It is widely accepted that IT assets add value to business on many levels; they have intrinsic value if owned, but more importantly they increase organizational value by helping to generate revenue, which increases the overall worth of the business. Using the “right tools” for the job is imperative to how an effective IT asset management program is run, and within that toolkit is the knowledge that every asset has a general life or usage expectancy. In essence, if you buy it, you will eventually need to dispose of it; thus we must recognize the need for and value of an IT Asset Disposal (ITAD) program.

Best Practices in IT Asset Disposal

According to WhatIs.com, “IT asset disposition (ITAD) is the business built around disposing of obsolete or unwanted equipment in a safe and ecologically-responsible manner”. Not only is ITAD an industry, it is also a mandatory action necessary for a healthy asset management program. The need (and the plan) to dispose of every IT asset should be considered during the acquisition phase. Whatever the planned disposition cycle is, whether owned or leased, specific disposal actions must be planned for a specified date, cycle or event. Best practices will vary depending upon organizational size, type of business, whether the assets are leased or owned, etc. If the assets are leased, then much of the responsibility falls on the shoulders of the lessor. If the assets are purchased and owned by the organization, then ITAD responsibility falls directly on the organization. The people charged with responsibility in this area must plan for the disposal of assets using practices that are legal, ethical and secure. Recommended actions include:

Choosing the correct disposal vendor to meet organizational needs

  • Proper disposal does not happen if the equipment is simply thrown into a dumpster. When electronics are treated as garbage, they wind up as whole devices in a landfill. The organization possessing the equipment is responsible for its own and its vendors’ actions. Due diligence is required to ensure that the devices are being disposed of correctly. The vetting process when choosing an ITAD organization is paramount in maintaining data security and avoiding data breaches, bad press and enormous financial losses, including fines.

Services should include: secure pick up, delivery and disposition documentation for all specified equipment

  • Ample security must be maintained at the end of life of each asset during physical transport. Disposal security involves insulating the organization from theft by using the best and most sensible methods available. The physical movement of the assets should be completed by the chosen disposal vendor (who often has its own personnel and trucks for pick-up of disposed goods) or by an approved shipping vendor that provides tracking services and insurance. The best way to properly mitigate the liability of disposal is to understand and follow all current regulations and laws and to conduct fundamental practices such as researching and using the services of a reputable disposal vendor. Due diligence must be conducted in every phase of the process. A good practice to follow is to wipe each drive at the organization before shipping to an outside facility.

Certified data drive sanitization or destruction

  • The data drives should arrive already wiped by the organization. The drives will then be wiped again by the chosen disposal agent and certified as being cleaned and/or destroyed in accordance with specified regulations. Ensure data drives are sanitized using top-rated methods meeting the DOD-approved NIST standard. Always remember that if sensitive data is leaked, you’ll have to answer to the law and to your customers. Certification should show chain of custody, sanitization date and method, and, if the drive was physically destroyed, data destruction by serial number of the host machine and drive.

Remarketing all equipment that is still viable

  • Technology assets (such as PCs, laptops, and servers) that are less than three to four years old usually have resale value. There are many reputable disposal companies that are certified in asset disposal and proficient in the asset valuation process. Each piece of equipment needs to be audited to determine its value for resale on the secondary market or, if it cannot be resold, whether it should go to disposal or recycling. All of this is part of a healthy plan of action to recoup value on your behalf through a variety of remarketing channels. Selling to employees or donating to schools or foundations are other avenues of turning your old technology into a source of revenue.

More about equipment recycling

  • A Certificate of Electronic Equipment Destruction (CEED) should be provided for all recycled IT assets. Possessing documentation that demonstrates or certifies that your organization took the proper steps in the disposal process is proof of due diligence and will help to safeguard your organization from fines and penalties due to improper disposal practices.

Compliance Reporting

  • Compliance reporting is a complicated, time-consuming necessity, especially if done manually. Many resources are devoted to being able to demonstrate compliance and provide evidence to auditors (or other reviewing entities) that security policy requirements are being met. Automating compliance reporting by implementing the proper account management tools will allow for the easy and accurate generation of the cumulative reports needed to determine a real-time compliance status. An automated process allows exact compliance information to be generated in a very timely manner. These reports provide instant status checks for IT Operations or Security team members, freeing up valuable time to focus on other tasks at hand.

Program and Policy Development For Asset Disposal

  • Proper disposal of IT assets requires the cooperation of everyone within the organization. Unifying the support of all personnel towards a common goal is effective only if everyone understands the mission at hand. A program that envelops all criteria pertaining to IT Asset Disposition must be disseminated on a regular basis to all personnel; policies are that delivery mechanism. To maintain a solid asset disposal program each functional group within the organization must be made aware of all disposal policies including the purpose, the benefits and risks and how each policy directly affects their functional area. For example, the finance group needs to know when an asset is disposed of for the purpose of accurately reflecting the organization’s asset sheet, and for tax reporting purposes. The IT Asset Management team should make no assumptions of how the disposal of an asset impacts another group within the organization, only that it does affect other business groups. There is no one best method; each organization needs to determine if program and policy development is best accomplished from within, or if contracting an outside vendor is the best method to achieve their asset disposition goals.

 

Worst Practices in IT Asset Disposal

Worst practices in IT asset disposal are all too common, and very easy to achieve; just do what is NOT considered best practices. Sadly, there are many organizations of all sizes that are ineffective in their disposal practices either by ignorance or by flagrant disrespect for rules, regulations, laws, and ethics. How many times have we heard about the illegal dumping of countless tons of CRTs in landfills and other disposal storage facilities?

The television program “60 Minutes” periodically exposes some of the worst offenders. In one case, two unscrupulous men were convicted in December 2012 of multiple counts of mail and wire fraud and environmental crimes related to the illegal disposal of electronic scrap, smuggling and obstruction of justice. The DOJ said the defendants knowingly devised and intended to devise a scheme to defraud various business and government entities who wanted to dispose of their electronic scrap responsibly. The defendants represented themselves on a website to have “extensive knowledge of current EPA requirements,” the DOJ says, adding that the defendants falsely advertised to customers that they would dispose of electronic scrap in compliance with all local, state and federal laws and regulations. The fines, monetary restitution and prison terms were minimal in relation to the damages caused, both then and for many years to follow.

ITAD Horror Stories by ITliquidators.com gives several accounts of improper ITAD practices.

Some of the stories include the City of Columbus, OH, where improper disposal practices put the city at high risk of data theft. The city was not practicing due diligence in keeping close track of all disposal records, which left it wide open to theft of this equipment, since no one would know for sure whether or not the equipment was there to begin with. This was not an isolated case, as the City of Columbus has a history of data breaches, with one occurring in 2007 when 1.3 million citizens had personal information put at risk when a data tape was stolen from an intern’s car.

There is the case of BlueCross BlueShield of Chattanooga, where 57 hard drives were stolen from a storage closet within the company. These hard drives contained audio and video of customer service phone calls in which personal information from 1 million customers was divulged. The obvious issue here is that rather than implementing a proper ITAD solution for their retired assets, the company carelessly stuffed them in an unsecured closet where they were easily stolen. In the end, BlueCross BlueShield shelled out $1.5 million in penalty fees to the U.S. government and was forced to enact a 450-day corrective action plan for violating stringent HIPAA laws.

There are countless stories of ITAD mismanagement at every level of business; all of which can be traced back to individuals and organizations not following ITAD best practices. IAITAM’s industry publication ITAK has an article submitted by Arman Sadeghi of All Green IT Asset Disposition that makes clear the seven biggest disposal mistakes any organization can make in their ITAD process.

Mistake 1:  Provide Disposal Vendors with a Detailed Asset List

Mistake 2:  Perform Unnecessary Due Diligence

Mistake 3:  Assume All Certifications and Licenses Are Equal

Mistake 4:  Let Sensitive Data Leave the Site

Mistake 5:  Pay for Services that Should Be Offset

Mistake 6:  Allow ITAD Vendors to Pick and Choose

Mistake 7:  Not Enough Details in an RFP

The intention of this article is to make clear the importance and necessity of Best Practices in IT Asset Disposition processes. There is a lot of effort and labor involved in the planning, execution, and maintenance of an effective ITAD program, but the rewards are far-reaching and will benefit the organization with a better IT asset ROI and the benefit of not being exposed to the public for improper asset disposal practices.