Secure IT Asset Disposal and the Shortcomings of Compliance


IT asset tracking is a continuous process: it begins when an order is placed and doesn’t stop until the equipment has been removed from the organization, destroyed, or recycled.

However, disposing of electronics is not as simple as it may sound. Most organizations do have formal policies for secure disposition in place, but many still experience significant compliance gaps.

That said, the following are some considerations for closing these compliance gaps, along with others for protecting your data, your organization, and the environment.

Familiarize yourself with Applicable Privacy Laws

If your company is subject to regulations such as HIPAA, HITECH, or GLBA, make a point of ensuring that all computer disposal procedures are compliant.

The best practices for prepping IT storage media for disposal can be found in the NIST (National Institute of Standards and Technology) Special Publication 800-88. It lists the three major types of data disposal processes as clearing, purging, and destroying.

Clearing entails overwriting storage space with non-sensitive data, but it is not an option for damaged media or media that cannot be overwritten.

Purging, on the other hand, includes processes such as degaussing (acceptable for damaged media) and the use of the firmware Secure Erase command (in the case of ATA drives).

And then there is destruction. It includes processes such as pulverization, disintegration, incineration, or melting. Of course, these are not done in-house most of the time. Rather, they are outsourced to recycling companies with the right equipment, capability and safety procedures.

Don’t forget to check privacy laws applicable in your state too. California, for example, is against sending electronic assets to domestic or foreign landfills.

Protect Data

Data protection is one of the key concerns during IT asset disposal. If discarded equipment happens to fall into the wrong hands, it could be mined for personal or financial information – not to mention valuable intellectual property.

And finding a trusted company that can do it for you is of critical importance. Remember the 2013 incident in the UK when the National Health Service (yes – national) neglected to keep track of the company contracted to dispose of IT equipment? The outcome was pretty embarrassing after an ordinary Joe happened to purchase a machine that contained more than three thousand patient records.

Data breaches can be disastrous, resulting in fines, criminal charges, reputational damage, and loss of revenue. Make sure your equipment disposal procedure provides for secure data erasure before an asset leaves the premises.

Mind the Environment

IT equipment contains material that is environmentally hazardous.


Federal – and most state – laws require businesses to go about disposal of computers and other electronics using particular methods. Violating disposal laws can lead to hefty fines, negative PR in the event it becomes public knowledge, as well as lasting environmental damage.

Lest You Forget about License Restrictions

Sloppy equipment disposal methods violate software licenses, and part of the aftermath is financial penalties.

As you are probably aware, software firms don’t allow for transfer of licenses when the machine the software is on changes hands or is disposed of. It’s easier to ensure you don’t inadvertently violate your license when your ITAM software keeps track of software licenses.

Check your Work

Make a point of ensuring data is removed from any IT asset you may be retiring. This goes for printers, copiers, fax machines, and any other equipment that holds data in memory.

After wiping and overwriting a machine’s drives, go ahead and try to recover the deleted files. There are various solutions on the market you can use to achieve this, and these tend to do a deep scan of the media device.

If the data has been wiped properly, the software should not be able to recover anything.
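A scripted first pass can precede the recovery-tool test described above. The following is an added example, not part of the original article: it assumes the clearing pass overwrote the media with a single fill byte (zeros here) and that you are scanning a raw image or device opened read-only. The function names, block size, and sample image are constructed for illustration.

```python
import os
import tempfile

BLOCK = 4096  # scan granularity (assumption for this example)
# Well-known file headers that a recovery tool would carve for.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\xff\xd8\xff": "jpeg",
    b"SQLite format 3\x00": "sqlite",
}


def verify_wipe(path, fill=0x00):
    """Read an image or device read-only and report blocks that differ from `fill`."""
    expected = bytes([fill]) * BLOCK
    dirty, hits, offset = 0, [], 0
    with open(path, "rb") as fh:
        while block := fh.read(BLOCK):
            if block != expected[:len(block)]:
                dirty += 1
                # Signature hits are hints for triage; the dirty-block count
                # is the pass/fail criterion.
                for magic, kind in SIGNATURES.items():
                    pos = block.find(magic)
                    if pos != -1:
                        hits.append((offset + pos, kind))
            offset += len(block)
    return {"bytes": offset, "dirty_blocks": dirty,
            "signatures": hits, "clean": dirty == 0}


def make_sample_image(leftover=None, blocks=64):
    """Constructed sample: zero-filled image, optionally with leftover data in block 10."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\x00" * BLOCK * blocks)
        if leftover:
            fh.seek(10 * BLOCK)
            fh.write(leftover)
    return path


if __name__ == "__main__":
    for sample in (None, b"%PDF-1.7 constructed patient record"):
        img = make_sample_image(sample)
        print(verify_wipe(img))
        os.remove(img)
```

A drive purged with a firmware erase command may not read back as a single fill byte, so a non-clean result there calls for the recovery-tool check rather than an automatic fail.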

Alternatively, you can always outsource disposal services to a reputable company.
