When your company leases equipment, “disposing” of it is simple because you just return it. But the IT equipment your company owns is eventually going to break, wear out, or be replaced, and you need a plan in place to dispose of it legally, securely, and in a way that causes the least harm to the environment.
Disposing of old equipment must be done legally and effectively.
Some manufacturers have recycling programs that are part of the purchase process, and this helps with the “legal” and “environmentally responsible” parts of the process. But you still have to ensure that equipment is wiped of data before it goes out the door. There are also companies that specialize in sanitizing IT equipment and refurbishing it or reclaiming metals and other valuable products that can be reused. If you contract with one of these companies, make absolutely sure that the company offers secure data elimination services compliant with standards for data remanence developed by the National Institute of Standards and Technology (NIST) and with other applicable laws like HIPAA (healthcare) or Sarbanes-Oxley (accounting).
Companies in the US are liable for compliance with recycling regulations under the Resource Conservation and Recovery Act even if they outsource the process. Before outsourcing, protect your legal standing by requiring:
• Audit trails
• Liability waivers
• Data destruction certificates
• Signed confidentiality agreements
Keep in mind that copiers, printers, all-in-ones, and fax machines may include hard drives that store recent documents. They can be just as susceptible to data theft as computers. Here are the steps you should take before retired IT equipment goes out the door.
1. Eliminate accounts and other access control associated with a piece of retired equipment. Failing to do this leaves more access opportunity for hackers.
2. If you’re not contracting with a company that meets NIST standards for destroying data, you have to destroy the data yourself. Encrypt the data on the drives and then use secure erasure software to securely delete everything. And don’t think that smashing hard drives rids them of data. This mistake caused big trouble with personal health data in the UK last summer.
Even hating a piece of equipment with the intensity of 10,000 suns won’t wipe the data from the hard drive.
3. Use IT asset management software to keep track of every single piece of equipment, even after it leaves the premises. Keep records of who decommissioned the equipment, and who was responsible for sanitizing the hard drives, whether it was done by your organization or outsourced. Don’t delete the records just because the equipment is gone. Audit trails can protect you should equipment turn up under unusual circumstances, like if recycled equipment ends up being sold to someone who uses it for criminal purposes.
4. Use checks and balances to make it obvious which systems have been fully decommissioned. For example, you should have separate physical locations for equipment that’s slated for decommissioning or is only partially decommissioned, and for equipment that has been fully sanitized and decommissioned. This ensures that nothing goes out the door without having been fully decommissioned and retired, with IT asset management records reflecting this.
5. Keep names associated with your IT asset management records. Records should show that a particular laptop, for instance, was used by Karen in accounting from when it was purchased until mid-2012, when Karen upgraded and the laptop went to Matt the intern, who used it until it was decommissioned. Documenting the chain of custody until the equipment is picked up helps ensure security is not breached at any point along the line.
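One way to enforce steps 1 through 5 as a release gate on an asset record, shown as an added example and not code from the original article or from any asset management product. The record fields, the "pending"/"sanitized" location labels, and the sample tag and dates are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Custody:
    holder: str
    start: date
    end: Optional[date]  # None means the holder still has the device

@dataclass
class Asset:  # hypothetical record layout, not any product's schema
    tag: str
    accounts_removed: bool = False               # step 1
    sanitized_by: Optional[str] = None           # steps 2 and 3
    outsourced: bool = False
    destruction_certificate: Optional[str] = None
    location: str = "pending"                    # step 4: "pending" or "sanitized"
    custody: list = field(default_factory=list)  # step 5

def release_blockers(asset, pickup):
    """Return every reason the asset must not leave the building on `pickup`."""
    problems = []
    if not asset.accounts_removed:
        problems.append("accounts or access still active")
    if not asset.sanitized_by:
        problems.append("no record of who sanitized the drives")
    if asset.outsourced and not asset.destruction_certificate:
        problems.append("outsourced without a data destruction certificate")
    if asset.location != "sanitized":
        problems.append("not in the sanitized holding area")
    chain = sorted(asset.custody, key=lambda c: c.start)
    if not chain:
        problems.append("no chain of custody recorded")
    for prev, nxt in zip(chain, chain[1:]):
        # A gap exists when one record ends before the next starts, or never ends.
        if prev.end is None or prev.end < nxt.start:
            problems.append(f"custody gap between {prev.holder} and {nxt.holder}")
    if chain and chain[-1].end is not None and chain[-1].end < pickup:
        problems.append(f"custody gap between {chain[-1].holder} and pickup")
    return problems

def sample_laptop():
    """Constructed record: a laptop used by Karen, then Matt, then held by IT."""
    return Asset(
        tag="LT-0001", accounts_removed=True, sanitized_by="IT technician",
        location="sanitized",
        custody=[Custody("Karen", date(2009, 3, 2), date(2012, 6, 15)),
                 Custody("Matt", date(2012, 6, 15), date(2014, 1, 10)),
                 Custody("IT storage", date(2014, 1, 10), None)])

if __name__ == "__main__":
    print(release_blockers(sample_laptop(), date(2014, 2, 1)))
```

An empty list means the record supports release; anything else names the step that is still incomplete.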
About BYOD Equipment
Include BYOD equipment in your IT asset management system. Any device that connects to your network or is used with company data needs to be part of your IT asset management system. BYOD can be great for employees, but they need to clearly understand rules about network use, which apps they can use at work, and what to do if their device is lost or stolen. Even if your IT service desk isn’t required to support devices, your IT asset management system should keep track of them to prevent security breaches.
You wouldn’t think it would be so complicated to essentially throw something away, but security and environmental concerns require responsible retirement of IT equipment. Samanage makes IT asset management software that’s cloud hosted and quick to deploy, with a range of features that let you track every single hardware and software asset from the time it’s ordered until it leaves your facility at the end of its lifecycle. With great IT asset management software like Samanage, you won’t be tempted to cut corners and risk a data breach or environmentally irresponsible disposal of IT assets.