IT Asset Disposition is Easy… Right?

June 12, 2014

I have been scratching my head trying to figure out why IT Asset Disposition isn’t spoken of to the same degree of importance as other elements of IT Asset Management. It’s part of the asset lifecycle. Assets still have data on them when they are offline. Why isn’t it a top priority to implement procedures to safeguard offline IT assets? From my experience, it’s because the perception is that it is easy, from choosing a destruction vendor to tracking offline IT assets to complying with regulations. Just like the cartoon lifting a heavy bar with one hand, IT professionals make it seem like they can handle these processes with ease.

Choosing a Destruction Vendor is “Easy”!

With the plethora of destruction vendors and IT disposal companies available, the perception is that the service of destroying IT assets is one a lot of companies can accomplish successfully, and that the process is easy. Somebody comes, destroys your drives, hands you a certificate of what they destroyed and everyone goes on their way. With IT disposal companies offering ‘similar’ services, the choice of a partner isn’t based on who has secure policies or is compliant (some even say the industry is unregulated), but rather on who offers the cheapest prices.

And how easy is it to choose the cheaper option? Oh look, a car wash for $15 and a car wash for $10.  I am going to get the $10 one since they both clean my car!  People aren’t focused on how their drives get destroyed or what standards the company has, because in the end, the drives were destroyed and at a lower price than the other option. The companies that do focus on strict data security policies are getting pushed to the side by those that offer free recycling or more money back from scrap IT; and the stress of a secure decommissioning process is not getting through to the Directors or Managers.

Managing Offline IT Assets is “Easy”!

I have also found that companies consider tracking offline IT assets an “easy” process. Most companies rely on their ITAM vendor, by simply marking an asset as “Retired” for example, and their destruction vendor, by holding onto a Certificate of Destruction. Managing offline IT assets efficiently and securely prior to getting to the destruction vendor is necessary to ensure that all assets arrive safely at the vendor. However, companies receive a certificate of destruction from the vendor and trust that everything that was meant to be destroyed was destroyed. Even though a good percentage of data breaches are associated with retired assets, companies still are not implementing procedures to gain visibility into the process – from the time assets go offline to the point of destruction – because they believe an ITAM solution and the vendor’s COD can accomplish secure management. I refer to relying on these two tools as the ITAD gap, and companies who perceive offline IT asset management as easy typically fall into this gap. You can read more about the risks associated with the ITAD gap by referring to the “Mind the Gap” blog article.

Complying with Regulations is “Easy”!

DestructData came out with a whitepaper recently, Simplifying Privacy Law and Data Sanitization Compliance, which goes into detail about the Federal Regulations applying to data sanitization and disposal of assets. The theme of the whitepaper is that specific details about data erasure and destruction are not referenced in actual legislation. Therefore, in order to comply with regulations, companies are following general guidelines. “Most federal guidance is notably non-specific, tending towards ‘examples’ than requirements”. Even with an abundance of data security regulations, data disposal holds a lot of inconsistent practices. As a result, the perception is that it is ‘easy’ to satisfy audit and compliance because regulations are flexible. You can read the full whitepaper here.

In reality, managing assets through their disposition process requires policies and procedures to ensure sensitive data does not get into the wrong hands. Companies continue to experience data breaches after assets have come offline, supporting the need to safeguard offline IT assets and choose a destruction vendor that focuses on security. If you don’t believe me, you can refer to my last blog article recapping the data breaches in 2013 and thus far in 2014, Data Breach Round Up, or you can visit the Department of Health and Human Services and sort by “Improper Disposal”. If you are looking to automate your offline IT asset workflow so that your IT Asset Disposition process is efficient and secure, truly “easy”, visit www.bandl.com.
