Tracking IT assets begins when an order is placed and doesn’t end until the asset has been destroyed, recycled, or otherwise removed from your organization.
But disposing of IT assets isn’t as simple as taking your old Compaq from 1996 to Goodwill.
A recent SearchDataCenter.com survey found that while most survey participants’ organizations had formal policies for secure IT asset disposition, 46% said their organizations experienced significant compliance gaps. Here are some considerations for closing compliance gaps, and for protecting your organization, your data, and the environment.
Most organizations outsource incineration, for obvious reasons.
Know Applicable Privacy Laws
If your business is bound by regulations like HIPAA, HITECH, or Gramm-Leach-Bliley, you must ensure all IT asset disposal procedures are compliant. National Institute of Standards and Technology (NIST) Special Publication 800-88 spells out best practices for preparing IT storage media for disposal. The three main types of processes are clearing, purging, and destroying.
• Clearing requires overwriting storage space with non-sensitive data, but this is not sufficient for damaged media or that which cannot be overwritten.
• Purging includes processes like degaussing and using the firmware Secure Erase command for ATA drives. Degaussing is acceptable for damaged media.
• Destroying processes include disintegration, pulverization, melting, or incineration. Obviously, these processes are outsourced to organizations with the proper equipment and safety procedures.
Be certain to check privacy laws in your state as well. For example, California companies are legally prohibited from sending electronic equipment to domestic or foreign landfills.
Be Kind to the Environment
IT assets typically contain environmentally hazardous materials. Federal laws, and laws in most states require businesses to dispose of electronics using specific methods. Violations of disposal laws can not only result in hefty fines (and reputational damage should the press find out), but cause lasting environmental damage.
Protecting organizational data is a chief concern during disposal of IT assets. Should someone find discarded IT equipment, he or she could mine it for financial or personal information, or for valuable intellectual property. In 2013, the National Health Service in the UK neglected to follow through with a company contracted to dispose of IT equipment, and an ordinary consumer was able to purchase a machine that contained over 3,000 patient records.
Data breaches can be devastating, resulting in reputational damage, fines, criminal charges, and loss of revenue. Your IT asset disposal procedure must include provisions for securely erasing data before an asset leaves the premises.
Don’t Forget About License Restrictions
Is there any worse way to spend a workday than making an auditor happy?
Lax hardware disposal methods violate software licenses, and financial penalties can result. Software companiesgenerally don’t let you transfer licenses when the computer the software is transferred (or disposed of). When your IT asset management software tracks software licenses, you’ll have an easier time ensuring you don’t inadvertently violate licenses.
Mechanical, Solid State, and External Drives
For equipment that still functions, you need accredited erasure software that meets the government’s data erasure standards. It should not only wipe data, but provide an audit trail and verify that the data is irrecoverable. For nonfunctioning equipment, degaussing can be used to erase any data remaining on the equipment.
Mechanical hard drives have to be overwritten to make data irrecoverable. Simply deleting the data isn’t enough. Internal solid state drives use a feature known as TRIM that not only deletes files, but also erases the file’s data from memory cells. TRIM ensures that files you delete from internal solid state drives cannot be recovered. External solid state drives, however, are a different story. These have to be overwritten, as do SD cards, USB thumb drives, and other removable media.
Check Your Work
You need to make sure data is removed from any IT asset you’re retiring (including fax machines, copiers, printers, and other devices that hold data in memory). Once you’ve wiped and overwritten a machine’s drives, try to recover the deleted files. You can buy software made to recover mistakenly deleted files. Typically, the software will offer a “deep scan” function, which you should use. Deep scanning is slower, but it’s more likely to find pieces of deleted files. If a drive has been wiped properly, the software should not be able to find recoverable files.