Those who are aligning their company’s IT policies with its overall risk management strategy can’t overlook its IT asset disposition (ITAD) program – how IT equipment is handled at the end of its life cycle. Lurking within a company’s ITAD program are risks of data breach, non-compliance with industry regulations, and environmental violations. All of these must be accounted for in a sound risk management strategy. How can your company avoid the risk inherent in the IT asset disposition process?
Risk Management Strategy 1: Choose a certified vendor for data destruction
Because a single data breach can cost a company thousands or millions of dollars from fines, legal fees, and bad publicity, data security policy is one area that risk management teams are looking at closely. For your ITAD program, minimizing the risk of a data breach means ensuring all sensitive data has been fully removed from your company’s IT assets before they leave your control. If your company partners with a vendor for data destruction, make sure that vendor is certified for data sanitization by a leading third-party organization. The National Association for Information Destruction (NAID) provides the only third-party certification that focuses exclusively on information security. Choose an NAID-certified IT asset disposition vendor to be sure it meets the highest standards for data security and the entire disposition process has been documented.
Risk Management Strategy 2: Choose a certified electronics recycler
Just because you have handed over retired IT equipment to a vendor to be recycled, it doesn’t mean your company’s responsibility ends there. If the equipment has been disposed of improperly and it can be traced back to your organization, your organization could be liable. Ensure low-risk IT recycling by choosing a partner certified for electronics recycling by R2/RIOS, e-Stewards, or both. There are just a few companies that have both certifications. These rigorous third-party audited certifications ensure environmental and health and safety compliance and industry best practices.
Risk Management Strategy 3: Get detailed reports for every disposition
Documentation is a necessary step to full compliance with your industry’s regulatory standards. For IT asset disposition, that means being able to document the disposition and data erasure/destruction status of each piece of equipment, generally by serial number, with all details the regulations require. Your ITAD vendor should be able to work with you to ensure your entire disposition process meets industry best practices and regulatory standards.
Risk Management Strategy 4: Make sure your ITAD vendor is covered
If something goes wrong in the ITAD process, you need to be sure your company is covered financially. The types of insurance your vendor should have include errors and omissions (E&O), environmental, and, especially, data breach. Don’t just take your ITAD vendor’s word for it that they’re covered by data breach and other important insurance policies; ask to see their certificates of insurance. This not only covers your organization financially, but it also proves your vendor is committed to doing ITAD right and is willing to stand by its processes and organization.
Your ITAD program and your risk management strategy
If you’re planning risk management policy or data security policy at your organization, our “Guide to Minimizing the Risk of IT Asset Disposition” is an in-depth look at IT asset disposition as a hidden source of risk. It expands on the four strategies above for managing ITAD risk and discusses the benefits of integrating those best practices into an enterprise-wide IT asset disposition program.