Protect Your Business From Data Breaches
In the past few years, we have seen major companies losing control of their data, often by hackers getting into their computer networks, but businesses are also vulnerable when disposing of their old or obsolete IT assets.
The process of retiring and disposing of corporate technology is called IT Asset Disposition, or IT Asset Disposal—ITAD for short.
Most companies hold large quantities of data relating to employees, suppliers, and customers, including highly sensitive health and financial records. For employees, the information will often include medical history, social security numbers, and bank details as well as email and home addresses.
To prevent the loss or misuse of this confidential information, there are a few steps that can be taken when equipment reaches the end of its useful life. Here are five of the most important actions you can take:
1. Create an Audit Trail for IT Asset Disposal
From the moment that an electronic device is declared redundant, you must record each step taken and move made so that you have a detailed chain of custody to prove that all appropriate actions were taken and that at no time was the information stored on the equipment in jeopardy.
Whether the record is manual or achieved using barcodes and tracking labels is less important than actually making the effort to document everything.
2. Secure the Asset
Old equipment should not be left in situ or put into a general storage room. It should be consigned to a secure location and tagged with all the relevant information concerning its provenance. In most cases, the device will already be recorded in the company’s asset register and will have a barcode containing the make, model and serial number; date of purchase; tracking number; IP address, and other vital information.
The custodian responsible for removing the asset to a secure location must also be recorded, and the task should only be entrusted to someone who is eminently trustworthy.
3. Arrange Secure Disposal
In a corporate environment, IT equipment disposal will not be handled in a piecemeal manner. Very often a decision will have been taken to change out a whole generation of equipment, updating it to more modern versions. In other cases, it could be the upgrading of a computer center or data storage system that creates the need to dispose of old equipment. However it comes about, the need generated is the same: to find a reliable recycling company to handle the disposal. If the devices are not too old, they may also have a resale value that can be realized in the asset disposition process.
It is important to make sure that any company offering IT asset disposal services is certified to an industry standard and that they can destroy data stored on the devices and provide a Certificate of Data Destruction.
4. Destroy All Stored Data
Before the physical disposition or destruction of the equipment, it must be thoroughly cleaned of all sensitive and confidential information. It is not sufficient to delete the data, or to reformat the disk—even if the data are overwritten with random information they can still be recovered with advanced forensic techniques.
There are a number of ways of destroying data beyond recovery, the most secure being the shredding of the disk or the physical destruction of other storage media. Alternatively, if the device is to be repurposed or resold, degaussing is the preferred method. This works by subjecting the recording media to a strong magnetic field, thus disrupting the digital patterns that were created to store binary information on the surface of the disk or tape.
Once the process of destroying the data is complete, recycling companies offering secure IT asset disposition services should provide a Certificate of Data Destruction, guaranteeing that none of the previously recorded information is recoverable.
5. Reconcile Records and Accounting Information
The final step in the IT asset disposal process is updating the IT equipment inventory with details of the disposition and reconciling the accounting records. The inventory should show the end-of-life details for the device, including the date and manner of disposal and any value realized.
The accounting records will need to adjust depreciation and the fixed assets register and record any financial transaction made as part of the disposal process.
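The reconciliation in step 5 can be automated against the audit trail from step 1. The following is an added example, not part of the original article: it flags every asset the inventory marks as disposed whose chain of custody has gaps, whose custodian was not recorded, or whose record lacks the disposal details or a Certificate of Data Destruction reference. The event names, field names and sample records are assumptions constructed for illustration.

```python
from datetime import date

# Assumed event names for steps 1-4; the article defines no schema.
REQUIRED_STEPS = ["declared_redundant", "secured", "handed_to_vendor", "data_destroyed"]

def audit_disposals(register, custody_log):
    """Return {serial: [findings]} for each asset the register marks as disposed."""
    findings = {}
    for serial, rec in register.items():
        if rec.get("status") != "disposed":
            continue
        problems = []
        events = sorted((e for e in custody_log if e["serial"] == serial),
                        key=lambda e: e["when"])
        steps = [e["step"] for e in events]
        missing = [s for s in REQUIRED_STEPS if s not in steps]
        if missing:
            problems.append("missing steps: " + ", ".join(missing))
        else:
            first_seen = [steps.index(s) for s in REQUIRED_STEPS]
            if first_seen != sorted(first_seen):
                problems.append("steps recorded out of order")
        if any(not e.get("custodian") for e in events):
            problems.append("event without a named custodian")
        for name in ("disposal_date", "disposal_method", "certificate_id"):
            if not rec.get(name):
                problems.append("register lacks " + name)
        findings[serial] = problems
    return findings

def ev(serial, day, step, custodian):
    return {"serial": serial, "when": date(2024, 3, day), "step": step, "custodian": custodian}

# Constructed sample data, not taken from any real asset register.
REGISTER = {
    "SN-1001": {"status": "disposed", "disposal_date": date(2024, 3, 8),
                "disposal_method": "shredded", "certificate_id": "CERT-EXAMPLE-1"},
    "SN-1002": {"status": "disposed", "disposal_date": date(2024, 3, 8),
                "disposal_method": "degaussed", "certificate_id": None},
    "SN-1003": {"status": "in_use"},
}
LOG = [
    ev("SN-1001", 1, "declared_redundant", "a.lee"), ev("SN-1001", 2, "secured", "a.lee"),
    ev("SN-1001", 5, "handed_to_vendor", "a.lee"), ev("SN-1001", 8, "data_destroyed", "vendor"),
    ev("SN-1002", 1, "declared_redundant", "a.lee"), ev("SN-1002", 5, "handed_to_vendor", ""),
    ev("SN-1002", 8, "data_destroyed", "vendor"),
]

if __name__ == "__main__":
    for serial, problems in audit_disposals(REGISTER, LOG).items():
        print(serial, "OK" if not problems else "; ".join(problems))
```

An asset with an empty findings list has a complete trail; anything else should be resolved before the inventory entry is closed.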
The steps outlined here are not a comprehensive review of the complete IT asset disposal process but are intended as a reminder of the importance of securing obsolete assets and ensuring that there are no unintended consequences or data breaches as a result of their disposition.