March 2013

Enterprise ITAD Planning

How Enterprises can Create an IT Asset Disposition Plan that Manages Risk and Cost

By: James Griffin, LifeSpan

When you consider the overall costs and risks associated with IT asset disposition, the value an organization can get for its retired IT assets on the resale market is only the tip of the iceberg. The entire disposition process leading up to that sale is full of opportunities to waste money, time, and resources and to expose your organization to unnecessary risk: the risk of non-compliance with industry regulations, the risk of a data breach, the risk of an environmental violation. All of these carry the danger of added cost. The cost of a single data breach, once notification, remediation and legal exposure are counted, is routinely measured in hundreds of thousands or even millions of dollars. Add the cost of bad publicity for your organization and it’s clear: the risks are high.

Remarketing your IT assets will have less value if it’s not backed up by an actively managed and well thought-out IT asset disposition (ITAD) program.

Depending on its industry, an organization has to comply with any number from an alphabet soup of regulatory standards for data security: HIPAA/HITECH, PCI DSS, SOX, FACTA, GLBA. Generally, these regulations place a high value on data security and come down hard on organizations that let sensitive data leak, and a retired drive is still sensitive data until it has been verifiably sanitized. A good ITAD program ensures that compliance, corporate security, and risk management policies and procedures are actually followed at the point of disposal. It minimizes the risk of a data breach and creates auditable records (chain of custody, serial-level sanitization results, certificates of destruction) for compliance and peace of mind.

How can you accomplish all those things?

Choose certified ITAD vendors

It takes only one drive leaving the disposition process with recoverable data on it to cost your company a significant amount of money in fines and bad publicity, and possibly in stock price. If your company trusts a vendor for ITAD and data erasure, make sure that trust is backed by knowledge of the vendor’s process and by auditable records.

How much do you know about your vendor? Have you observed its data erasure process? Have you visited its facilities? Do you know which data erasure tools it uses, and to which standard it erases? Do you get reports that list every drive by serial number and state whether the erasure succeeded, failed, or could not be verified? Have its employees received proper training and background checks?

That’s a lot to look into, and doing it yourself can consume a significant amount of time and effort. Partnering with a vendor that has been certified by a third-party industry organization means much of that verification work has already been done for you, although certification does not replace the serial-level records for your own assets. In the realm of data destruction, one of the most reliable certifications to look for is from the National Association for Information Destruction (NAID). NAID’s program is a third-party certification focused exclusively on information destruction, and it subjects each certified organization to both a scheduled and an unannounced audit every year.

NAID AAA certification is viewed as an industry-leading certification for data sanitization. If you use a NAID-certified IT asset disposition vendor, you have independent assurance that its erasure process meets the certification’s requirements and that its disposition process is documented and audited.

NAID certifies its members for plant-based (offsite) data sanitization, onsite data sanitization, or both. For many organizations, onsite data sanitization is the preferred option, partly because of the peace of mind that comes from knowing the data never left your facility. Some ITAD providers can accommodate that need with a mobile wiping system. A vendor certified by NAID for onsite data sanitization can bring trained staff to your facility and perform data sanitization to the same standard as it would offsite.

Physical destruction and environmental compliance

When is sanitization not enough for data security? Less often than many assume, but not never. Drives that have failed, that the erasure tool cannot fully address (locked, remapped or unreadable sectors), or whose erasure cannot be verified should be physically destroyed, and flash media such as SSDs generally needs a firmware-level secure erase or cryptographic erase rather than a simple overwrite pass. Physical destruction of data-bearing hard drives can be satisfying because it alters the drives beyond recovery in an immediately apparent way. However, for working magnetic drives the major standards bodies in the U.S. and Europe (NIST SP 800-88 among them) accept a properly performed and verified erasure as equivalent to physical destruction. This matters for optimizing the cost of IT asset disposition and maximizing return on the resale market, because IT assets without hard drives can lose up to 30 percent of their remarket value.

On the other hand, erasure does cost money, so erasing data from equipment that has no resale value can be a waste. One method, erasure or destruction, does not fit all the possible disposition scenarios, even within the same organization. A data center decommission, a laptop refresh, or the shutdown of an office full of old equipment can each have a different risk/cost ratio, and the media type (magnetic versus flash) changes which methods are acceptable in the first place.
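The two checks described above, reconciling the vendor’s serial-level erasure report against your own asset register, and confirming that the method used was acceptable for the media type, can be scripted. The following is an added example, not code from LifeSpan or from any vendor. Both CSV inputs are constructed for illustration in a hypothetical column layout (real vendor reports use their own column names), and the table of acceptable methods per media type is an assumed policy, written to follow the common guidance that an overwrite pass is not a reliable purge for flash media.

```python
"""Reconcile a vendor's data-erasure report against the internal asset register.

Added example (not LifeSpan's code). The CSV layouts and the per-media-type
policy below are assumptions made for this illustration.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample: what the asset register says left the building.
ASSET_REGISTER_CSV = """asset_tag,serial,type,location
A-1001,WD-ZZ001,hdd,HQ-DC
A-1002,WD-ZZ002,hdd,HQ-DC
A-1003,SSD-AA003,ssd,Branch-7
A-1004,WD-ZZ004,hdd,Branch-7
A-1005,WD-ZZ005,hdd,HQ-DC
"""

# Constructed sample: the vendor's certificate-of-sanitization detail lines.
VENDOR_REPORT_CSV = """serial,method,result,verified
WD-ZZ001,overwrite,pass,yes
WD-ZZ002,overwrite,FAIL,no
SSD-AA003,overwrite,pass,yes
WD-ZZ005,destroy,pass,yes
WD-XX999,overwrite,pass,yes
"""

# Assumed organizational policy: which sanitization methods are acceptable
# for which media type. Overwrite is deliberately NOT accepted for SSDs.
ACCEPTABLE_METHODS = {
    "hdd": {"overwrite", "purge", "destroy"},
    "ssd": {"crypto_erase", "purge", "destroy"},
}


@dataclass
class Reconciliation:
    erased_ok: list = field(default_factory=list)        # verified pass, acceptable method
    failed: list = field(default_factory=list)           # vendor reported failure or no verification
    method_mismatch: list = field(default_factory=list)  # passed, but method not allowed for that media
    missing: list = field(default_factory=list)          # in register, absent from vendor report
    unexpected: list = field(default_factory=list)       # in vendor report, not in register

    def is_clean(self) -> bool:
        """True only if every asset is accounted for and verifiably sanitized."""
        return not (self.failed or self.method_mismatch or self.missing or self.unexpected)


def _norm(value: str) -> str:
    return value.strip().lower()


def reconcile(register_csv: str, report_csv: str) -> Reconciliation:
    """Classify every serial in the register against the vendor report."""
    register = {r["serial"].strip().upper(): r
                for r in csv.DictReader(io.StringIO(register_csv))}
    report = {r["serial"].strip().upper(): r
              for r in csv.DictReader(io.StringIO(report_csv))}
    rec = Reconciliation()
    for serial, asset in register.items():
        entry = report.get(serial)
        if entry is None:
            rec.missing.append(serial)          # drive never reached (or never left) the vendor
            continue
        if _norm(entry["result"]) != "pass" or _norm(entry["verified"]) != "yes":
            rec.failed.append(serial)           # unverified erasure is treated as a failure
            continue
        allowed = ACCEPTABLE_METHODS.get(_norm(asset["type"]), set())
        if _norm(entry["method"]) not in allowed:
            rec.method_mismatch.append(serial)  # e.g. an SSD that was only overwritten
            continue
        rec.erased_ok.append(serial)
    # Serials the vendor reports that you never shipped point to a chain-of-custody problem.
    rec.unexpected = sorted(set(report) - set(register))
    return rec


if __name__ == "__main__":
    result = reconcile(ASSET_REGISTER_CSV, VENDOR_REPORT_CSV)
    for bucket in ("erased_ok", "failed", "method_mismatch", "missing", "unexpected"):
        print(f"{bucket:16s} {getattr(result, bucket)}")
    print("clean:", result.is_clean())
```

Every bucket other than erased_ok is an exception to chase with the vendor before the disposition is closed: a failed or unverified drive should be destroyed, a missing serial is a potential breach until it is located, and an unexpected serial means the vendor’s report or your register is wrong.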

When drives are destroyed, the resulting material needs to be disposed of in full compliance with all state and federal environmental regulations. Even if you have handed equipment over to a vendor to be recycled, if that equipment is disposed of improperly and can be traced back to your organization, your organization can still be held liable.

A certified vendor is the answer here, too. Look for e-Stewards or R2/RIOS certified vendors; a few hold both. These rigorous, third-party audited certifications cover environmental, health and safety compliance and industry best practices, including downstream tracking of where the material ends up.

Make a plan

There are numerous factors to consider when you’re looking to minimize the risk and cost of IT asset disposition, protect against data breach, and ensure your organization’s process is fully compliant with all regulatory standards.

The challenge of IT asset disposition is ensuring that every disposition, at every location, is done according to your corporate standards, and that the needs of every department with a stake in IT asset disposition are being met while minimizing the resources and hassle required to get it done. That challenge increases with the size of your enterprise.

A holistic approach to ITAD responds to that challenge by implementing an enterprise-wide program with specific roles and procedures for every link in the chain, recognizing the differences among the various departments and locations within an organization and tailoring the process to fit their needs and capabilities. This approach makes it as easy as possible for team members to do ITAD right, every time, for every location, reducing the risk factor significantly.

Whether your organization already has an ITAD plan in place or you are developing a brand new one, the first step toward an enterprise-wide holistic ITAD program is to assess your needs, priorities, and the current state of your ITAD program. Then you can analyze the gaps between your priorities and the actual process and its results. This will enable you to develop a plan of action and an improved process for the future.

Briefly, the steps in this self-assessment procedure are:

  1. Identify and interview all stakeholders. Who are the ITAD stakeholders in your organization (IT, security, compliance, finance, facilities, legal) and what are their priorities and concerns?
  2. Document the current state of the ITAD program. Before you can develop a new IT asset disposition program, it’s necessary to develop a complete understanding of what your current processes really are, and who is doing what.
  3. Document current vendors and contracts. If your company partners with vendors for data destruction, remarketing, or recycling, the success of your program depends on the ability and reliability of those vendors.
  4. Define goals for the ITAD program. These should be based on the interviews with stakeholders and should include a discussion of the trade-offs that have to be made based on overall priorities.

LifeSpan provides a guide to performing an IT asset disposition plan self-assessment, available for free on its website. The guide expands on the steps above with tips on the right questions to ask to get started planning for a low-risk enterprise-wide ITAD procedure.