Eventually, the lifecycle of all of your IT hardware assets will run its course. Before the era of data theft, intellectual property rights, and data storage compliance regulations, IT departments regularly just tossed hardware into the trash or dumped it into the nearest landfill. That’s no longer acceptable. At a minimum, dumping equipment intact invites theft of your sensitive corporate data, and at worst it puts you at odds with laws that protect the rights of customers whose data is stored on the machines. Here are some helpful tips for retiring hardware legally and safely for all involved.
1. Create a Log or Checklist to Document the Entire Decommissioning Process
The IT service desk needs to establish a log book that centralizes all of the information on decommissioned IT assets. The log should include the identification of all destroyed equipment, the date it was decommissioned, and the exact steps taken during the process. Also, provide a checklist of what needs to be done according to company policy and compliance regulations. This ensures that the workers charged with the process don’t forget anything. Those oversights can come back to haunt you later.
2. Make Sure of the Identity of the Asset
Before doing anything, double-check the identity of the hardware to be destroyed. If you have an IT asset management system in place, this should be easy. Make sure it is the right piece of equipment and record who the user(s) were in your log book. This ensures that you know exactly what types of data were stored on the machine, since you know the user’s access level and job title. This is your proof later that the equipment was indeed disposed of according to company policy and the law.
3. Make Sure Critical Backups are Done
Before you virtually or physically destroy the machine, make sure the data is backed up and stored properly. This ensures that you don’t lose any critical or proprietary information, such as employee records or documentation needed to file the company’s taxes. A backup also serves as proof of exactly what data was on the machine that was destroyed.
4. Disable Network and User Access
Old user IDs are a threat to the organization, both because former employees could get back into your systems and because hackers could get hold of an old ID and begin to launch an internal attack. Disable the user’s access and remove the IT asset from the internal network.
5. Run Sanitization Software
Sanitization, or data scrubbing, software is available. It is important to invest in enterprise-grade software and not the commercial stuff available to consumers. This process needs to be done by someone who knows what they are doing, because it might require multiple scrubbings, and it is important to audit the equipment between scrubbings to ensure all the data is gone.
6. Consider Physical Destruction of the Asset
Of course, the best way to ensure no one can ever access that data again is to demolish the hardware asset. Some companies specialize in this and operate destruction facilities that are equipped with industrial shredders and other crunching, smashing, and demolition machinery. The advantage of using such a service is that these professionals usually make detailed logs of their decommissioning processes. The downside, of course, is that it is usually more expensive than having one of your own workers do it on site.
So long as you have properly logged, backed up, scrubbed, and destroyed the hardware asset, there should be nothing left to haunt you later on.