For some reason, IT asset disposition is not spoken of in the same breath as other elements of IT asset management. Yet it is an indispensable part of the cycle, because assets still contain data even when they are retired.
Why, then, do many companies never make it a priority to enforce procedures that safeguard offline IT equipment?
The thing is, there seems to be a general perception that the process is not the hardest thing in the world: choosing a destruction vendor, tracking offline IT equipment, abiding by laws and regulations, and all that other stuff. After all, aren't disposal guys experts when it comes to chores like these?
Choosing a Destruction Vendor is 'Easy'
These days, businesses are spoilt for choice when it comes to choosing a destruction vendor. Thus, there is the perception that the service of IT asset destruction is one many vendors can pull off while looking at their smartphone and playing checkers at the same time. The vendor sends a team over, they destroy drives, and hand you a certificate before going on their way.
And choosing who to do business with doesn't seem a hard ask for many, given that IT asset recovery firms offer 'similar' services. Thus, issues like who is compliant or who has secure policies are never given any thought. With some businesses even of the view that the industry is unregulated, and others simply looking for the best deal, it is easy to see why there could be misconceptions.
See, for some, it matters not how their drives are destroyed or what standards the recovery solutions firm doing it has. For them, the destruction was done, and at a cheaper price at that. As long as the pressures of a secure decommissioning process are not getting through to the managers, it's a job well done.
Managing Offline IT Equipment is 'Easy'
You would be surprised at the number of companies that never place enough emphasis on tracking offline IT assets, thinking it's an easy process.
However, this is a very important process that organizations should not take for granted. Managing offline IT equipment securely and efficiently before it gets to the destruction vendor is important because a lot of assets do get misplaced or lost along the way.
And even after the excess inventory is received and destroyed by the vendor, a certificate of destruction alone should not be misconstrued to mean that every single asset that was meant to be destroyed was indeed destroyed. Actually, a good portion of data breaches trace back to retired assets. It's thus advisable to choose a vendor whose processes are above board.
Regulation Compliance is 'Easy'
Surprisingly, data disposal has a lot of inconsistent practices despite the ample data security regulations already in place. It is argued that federal guidance tends towards 'examples' rather than actual 'requirements'. This has led to the perception that satisfying audit and compliance is like taking candy from a baby because regulations can be bent. Easily.
The truth, though, is that keeping sensitive data away from unwanted eyes calls for a process guided by strict policies and procedures. You should ask yourself why more and more companies are experiencing data breaches after assets have gone offline. An asset disposition vendor who does not take security seriously is bound to get you into trouble.
It never is that easy (from choosing a responsible vendor to managing assets to vendor compliance), otherwise it wouldn't be an issue. Never forget that.