Summary: Technological evolution is pushing the boundaries of IT assets and making them obsolete. To keep up with these advancements, organizations are disposing of IT devices at a rapid pace. However, the secure disposal of these assets remains a point of concern, as many organizations don’t have an IT destruction policy for implementing this disposal. In addition, the environmental concerns arising from e-waste are severe. This article provides key points that organizations must consider before disposing of IT assets, the importance of secure disposal, and how to achieve secure IT asset disposal.
Organizations store lots of critical and sensitive information on their IT assets, and they have dedicated resources and policies for protecting that information. However, most organizations lack an end-of-life destruction plan for securely disposing of IT assets, which is a worrisome trend. Securely disposing of IT assets is necessary not only for protecting the data but also for environmental sustainability. As the data storage realm expands to include more devices like mobiles, notepads, tablets, etc., so does the scope of secure disposal. Understanding the risks of improper disposal and the benefits of secure disposal can be the stepping stone for an organization looking to formulate its IT asset disposal policies.
What To Consider When Retiring IT Assets?
Several factors must be considered before beginning secure IT asset disposal, and understanding them will help organizations formulate their disposal policies:
Data Security: Protecting sensitive and confidential information is vital for businesses. Securing the data on IT assets before disposal is the first step that organizations must consider.
Asset Value: Cost analysis of IT assets is significant, and retiring the assets when they have maximum residual value should be considered when devising disposal policies.
Implementation: IT Asset Disposition (ITAD) is the safe and secure way to dispose of used IT assets. Organizations must decide whether to implement it in-house (onsite data destruction) or through a managed service provider or ITAD vendor (offsite data destruction).
Chain of Custody: The IT assets marked for disposal must have a secure chain of custody from when the asset is identified to its actual disposal, documenting each stage and person involved.
Environmental: Before disposing of IT assets, the organization must consider the international e-recycling standards (viz. NAID AAA, e-Stewards, Basel Convention, SERI’s R2v3, etc.) that must be adhered to, and choose methods that both align with the concept of a circular economy and monetize the residual value of used IT assets.
Why Do IT Assets Need to Be Securely Disposed Of?
Given the information stored on IT assets and the importance of data security and confidentiality, secure disposal of IT assets has become a necessity for organizations. Let’s look at the factors that mandate secure disposal:
Compliance: Data protection and privacy laws mandate the protection of sensitive and personal information. All data must be destroyed before the assets leave the organization or change hands to safeguard against threats that may arise from unsafe storage, dumpster diving, and unintentional data leakage.
Prevent Data Leakage & Breaches: Secure data destruction on PCs, laptops, Macs, and other storage devices ensures that no data is retrievable, even through forensic methods, and prevents confidential data from leaking. Organizations can prevent data breaches and the penalties imposed for leakage of information from their own facility or from a third party / ITAD facility. You may like to read our earlier published blog citing the Morgan Stanley data breach episode.
Sustainability: E-waste is a major environmental concern due to improper disposal in landfills, where harmful chemicals from these assets seep into and pollute the environment. The elements used in these IT devices can be recycled and reused, which lessens the strain that mining puts on the environment. E-waste reduction and recycling will promote sustainability and responsible reuse. Organizations must strive toward achieving sustainability and address environmental concerns.
Monetizing Residual Value: Reusing, reselling, or donating used IT assets can also help businesses monetize their residual value. Storage devices that the organization feels are outdated can be valuable for schools, smaller organizations with limited budgets, NGOs, or countries with limited IT resources. In addition, it can act as a great CSR initiative toward society.
Protects Brand Value: Data leakage can be detrimental to an organization’s brand value. Customers tend to place less trust in a brand that has had data breaches, and investors lose confidence as well. On the other hand, organizations that implement go-green initiatives and help protect the environment are viewed positively, boosting customer trust.
How To Perform Secure IT Asset Disposal?
Several ways can ensure that IT assets are securely disposed of, and implementing them in the IT asset disposal policy can be beneficial:
Data Sanitization: It is the process of completely wiping data from storage devices, rendering them reusable and making data recovery impossible. We have already discussed this process in our article on Data Sanitization, citing its importance and the recommended methods described in NIST SP 800-88 r1 (NIST Clear, Purge, and Destroy). Destroying and shredding storage devices should be a last resort, considering the environmental implications. Organizations today prefer software-based sanitization with data wiping tools like BitRaser, Certus Software, YouWipe, etc. Being NIST approved and tested, professional data sanitization software like BitRaser is an ideal solution for ITADs and refurbishers looking to perform bulk erasure on multiple storage and mobile devices.
Documented Sanitization Policy: Organizations must have a documented data sanitization policy that outlines each step undertaken during the data sanitization process. This policy provides well-defined standard operating procedures for disposing of IT assets. A well-documented data sanitization policy outlines the method used to sanitize media devices, the personnel responsible, the device type, and the secure data erasure standards that ensure permanent and fail-safe erasure. The data wiping standard must be chosen based on prevailing federal laws. The policy also ensures proper asset tagging of devices that have been wiped, so that no device leaves the organization with residual data on it.
Onsite Destruction or Third Party Services: Organizations, depending on their size and IT inventory, should choose whether to do the IT disposal in-house or to outsource it. Smaller organizations can choose to sanitize the media devices within the company and then sell or donate them, but for larger organizations outsourcing to a certified ITAD or refurbisher is a better choice. ITAD companies have the expertise and resources needed for bulk disposals. These ITADs can devise strategies to gauge the health of the IT assets and recommend further steps to maximize asset value. Organizations must consider a few crucial aspects before settling on an ITAD, such as the certifications it possesses (e-Stewards, WEEE, R2v3, etc.) and whether it employs environmentally sustainable methods. In addition, the cost analysis of in-house versus outsourced data sanitization must be justified.
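The documented sanitization record and chain of custody described above can be enforced as a release gate that blocks any device lacking a complete record or custody trail. The following is an added example, not code from this article or from any of the tools it names; the field names, custody stages and sample data are assumptions.

```python
# Added example: field names, custody stages and sample data are assumptions.
METHODS = {"clear", "purge", "destroy"}            # NIST SP 800-88 categories
REQUIRED = ("device_type", "method", "standard", "operator", "verified")
STAGES = ["identified", "collected", "sanitized"]  # hypothetical custody stages

def release_blockers(tag, record, chain):
    """Return reasons an asset may not leave; an empty list allows release."""
    if record is None:
        return [f"{tag}: no sanitization record"]
    problems = [f"{tag}: record missing '{k}'" for k in REQUIRED
                if record.get(k) in (None, "")]
    method = record.get("method")
    if method and method.lower() not in METHODS:
        problems.append(f"{tag}: unknown method '{method}'")
    if record.get("verified") is False:
        problems.append(f"{tag}: erasure verification failed")
    # Chain of custody: every stage present, in order, each with a named person.
    if [e["stage"] for e in chain] != STAGES:
        problems.append(f"{tag}: custody chain incomplete or out of order")
    if any(not e.get("person") for e in chain):
        problems.append(f"{tag}: custody entry without a responsible person")
    return problems

def audit_manifest(manifest, records, custody_log):
    """Map each blocked asset tag to its blockers; releasable assets are omitted."""
    report = {}
    for tag in manifest:
        chain = [e for e in custody_log if e["asset"] == tag]
        report[tag] = release_blockers(tag, records.get(tag), chain)
    return {tag: issues for tag, issues in report.items() if issues}

def chain_for(tag, *steps):
    return [{"asset": tag, "stage": s, "person": p} for s, p in steps]

# Constructed sample data (not from the article).
MANIFEST = ["LT-0001", "LT-0002", "HD-0003", "PH-0004"]
BASE = {"device_type": "laptop", "method": "purge",
        "standard": "NIST SP 800-88 r1", "operator": "a.ng", "verified": True}
RECORDS = {
    "LT-0001": dict(BASE),
    "LT-0002": dict(BASE, verified=False),                     # failed verification
    "PH-0004": dict(BASE, device_type="phone", operator=""),   # no operator recorded
}
FULL = (("identified", "j.doe"), ("collected", "j.doe"), ("sanitized", "a.ng"))
CUSTODY = [e for t in MANIFEST[:3] for e in chain_for(t, *FULL)] + chain_for(
    "PH-0004", ("identified", "j.doe"), ("sanitized", "a.ng"))  # skipped "collected"

if __name__ == "__main__":
    print(audit_manifest(MANIFEST, RECORDS, CUSTODY))
```

Only LT-0001 passes the gate; HD-0003 is blocked even though its custody trail is complete, because a device with no sanitization record cannot be shown to be free of residual data.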
Conclusion:
The importance of securely disposing of IT assets cannot be denied, and organizations must prepare for it in advance, ideally when deploying new hardware. Rising environmental concerns from improper disposal are a sore point; with only 17% of IT assets being recycled, improper disposal poses a severe threat. In addition, evolving data storage mediums, concepts like BYOD (Bring Your Own Device), and increased use of mobiles and other devices in organizations will require stringent policies for securely disposing of IT assets. Finally, cases like the class action suit against Morgan Stanley for data disclosure due to faulty IT asset disposal highlight the need for organizations to formulate, adopt and exercise robust IT asset disposal policies.