Summary: IT Asset Management professionals (ITAM) play a key role in managing and safeguarding an organization’s IT assets. ITAMs are responsible for overseeing the IT Asset Disposition (ITAD) process in an organization. This blog will explore some of the best practices that ITAMs can follow, implement and adopt for secure IT asset disposal and the benefits associated with them.
The IT Asset Disposition (ITAD) process ensures that old, obsolete, and end-of-life devices are securely erased before being disposed of, repurposed, or sold. The importance of ITAD has grown significantly as data protection laws have been enforced globally, and it is set to grow further with the enactment of data privacy regulations such as GDPR, CCPA, VCDPA, and CPA. Therefore, a company’s IT Asset Manager must ensure that the organization follows best practices while disposing of IT assets and complies with applicable local, state, and federal rules and regulations.
Best Practices that ITAMs should Follow for IT Asset Disposal:
Here are the best practices for IT asset disposition that ITAMs can follow to mitigate threats of data leakage and breaches:
- Develop a Clear Data Destruction Policy: ITAMs should create a clear and detailed ITAD policy that outlines the procedures and guidelines for disposing of IT assets responsibly and securely. The policy should cover areas such as data security, environmental considerations, and legal requirements.
- Maintain an Inventory of IT Assets: Before disposing of IT assets, ITAMs should perform a thorough inventory of all IT assets to ensure that they are accounted for and that no sensitive data is left on the devices.
- Device Audit to Identify Storage Type: IT Asset Managers (ITAMs) should know the various media types that make up a device before selecting the proper data destruction procedure. For example, a PC may contain both an SSD and an HDD; while an HDD can be degaussed, degaussing is unsuitable for SSDs, so the ITAM may need to erase the SSD using a suitable data erasure tool like BitRaser.
- Perform Secure Erasure & Do Not Rely on the Native Read/Write Interface: Read and write commands issued through the device interface may not overwrite all areas of the storage media. For example, remapped sectors and Host Protected Areas are memory locations that a native overwrite may never reach. ITAMs should therefore ensure that all data is securely erased from IT assets using data erasure software, or by physically destroying the storage media when the device is inaccessible.
- Sanitization According to Media Type: ITAMs must ensure that their data destruction policy provides precise guidance on destroying data based on the media type. Further, it can define specific protocols for destroying different data types based on their sensitivity level and security categorization.
- Avoid Degaussing on Modern Magnetic Media: Degaussing may have been an effective technique for older hard drives, but it faces inherent challenges in sanitizing newer magnetic storage media. For starters, newer magnetic storage media have higher coercivity, so conventional degaussers may be unable to demagnetize them strongly enough to destroy the data.
- Use Cryptographic Erase (CE) with Discretion: Cryptographic erase is a powerful way of sanitizing self-encrypting drives by erasing the media encryption key (MEK). However, it is important to note that cryptographic erase is not foolproof and may not be completely effective in all cases. Also, CE should not be used if encryption was enabled after data was stored on the device, or if you suspect that copies of the encryption key exist elsewhere.
- Perform Full Media Sanitization: Partial media sanitization is typically used when it is not necessary or desirable to erase all data on a storage device. For example, an ITAM may want to erase only the user’s files from a laptop while leaving the operating system and other system files intact. However, in partial media sanitization scenarios there is no definite way to ensure that all the sensitive target data has been destroyed; hence it is recommended to perform full media sanitization.
- Erase All Drives: It is best practice to erase all drives before handing them over to any third party, such as resellers, IT asset destruction vendors, e-recyclers, charities, etc. Erasing all your drives eliminates chain-of-custody risks. Furthermore, erasure protects warehoused IT assets from the potential danger of hardware theft and data leakage.
- Verify Erasure Results, Equipment & Personnel: Verification is what confirms the efficacy of every data destruction process. It is done by reading all accessible memory locations, or by performing representative sampling of pseudorandom locations on the media, and checking the results. NIST SP 800-88 recommends in section 4.7.3 that a full verification should be performed if time and external factors permit.
- Data Destruction Proofs: You must obtain and keep a verified certificate and record for each data destruction conducted. These documents act as audit trails and assist you in complying with data protection requirements. Maintain these documents in an easily accessible and shareable format so they may be reproduced as proof in an emergency.
- Choose a Reputable ITAD vendor: ITAMs should choose a reputable and reliable ITAD vendor to handle the disposal of IT assets. In addition, the vendor should comply with relevant laws and regulations and have a proven track record of handling IT assets responsibly.
- Due Diligence While Hiring Third Parties: Lapses on the data destruction vendor’s side can lead to massive data breach episodes that may result in huge penalties and non-compliance with laws and regulations. You must gather evidence such as certifications for the vendor performing data destruction and check their historical record before onboarding a vendor.
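The verification step described above (full read-back of every location, or representative sampling of pseudorandom locations, as NIST SP 800-88 section 4.7.3 discusses) as an added Python example; this is not code from the original post or from any vendor tool. The 4 KiB block size, the zero-fill pattern, and the constructed disk image with one leftover block are assumptions made for the demonstration.

```python
import os
import random
import tempfile

BLOCK = 4096  # verification granularity (assumed); a real tool would use the media's block size

def verify_sanitized(path, pattern=b"\x00", sample_blocks=None, seed=None):
    """Confirm the image at `path` holds only `pattern`. sample_blocks=None reads
    every block (full verification); otherwise that many pseudorandom blocks are
    read (representative sampling). Returns (ok, blocks_checked, first_bad_offset)."""
    size = os.path.getsize(path)
    nblocks = (size + BLOCK - 1) // BLOCK
    expected = (pattern * (BLOCK // len(pattern) + 1))[:BLOCK]
    if sample_blocks is None or sample_blocks >= nblocks:
        indices = range(nblocks)
    else:
        rng = random.Random(seed)  # a recorded seed makes the sample reproducible for the audit trail
        indices = sorted(rng.sample(range(nblocks), sample_blocks))
    checked = 0
    with open(path, "rb") as f:
        for i in indices:
            f.seek(i * BLOCK)
            data = f.read(BLOCK)
            checked += 1
            if data != expected[:len(data)]:
                return False, checked, i * BLOCK
    return True, checked, None

def make_constructed_image(nblocks, remnant_block=None):
    """Constructed zero-filled image; optionally one block of old data is left behind."""
    fd, path = tempfile.mkstemp(suffix=".img")
    remnant = (b"CONSTRUCTED-PAYROLL-RECORD " * BLOCK)[:BLOCK]
    with os.fdopen(fd, "wb") as f:
        for i in range(nblocks):
            f.write(remnant if i == remnant_block else b"\x00" * BLOCK)
    return path

def demo():
    """Full verification always finds a single leftover block; an 8-block sample may not."""
    clean = make_constructed_image(256)
    dirty = make_constructed_image(256, remnant_block=200)
    try:
        return {"full_clean": verify_sanitized(clean),
                "full_dirty": verify_sanitized(dirty),
                "sampled_dirty": verify_sanitized(dirty, sample_blocks=8, seed=1)}
    finally:
        os.remove(clean)
        os.remove(dirty)
```

Running `demo()` shows why full verification is preferred when time permits: the full pass reports the exact offset of the leftover block, while an 8-of-256 sample only catches it if the sample happens to land on it.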
What Are The Benefits of ITAD Best Practices?
ITAMs can derive several inherent benefits from implementing ITAD best practices, such as:
- Data Security & Brand Protection: By following ITAD best practices, ITAMs can ensure that sensitive data is securely erased from IT assets before disposing of them, thereby protecting the organization’s data from unauthorized access or misuse. A single data breach episode can have catastrophic financial and legal ramifications with a loss of trust and confidence in the brand value.
- Maintain Compliance: ITAD best practices help ITAMs ensure that the organization complies with relevant laws and regulations related to IT asset disposals, such as data protection and environmental laws.
- Protect the Environment & Achieve Sustainability: Reuse, Repair, Reutilize, and Recycle are vital cogs of a sustainable economy, and data destruction on data-bearing electronic devices ensures that they can be repurposed, resold, and safely disposed of, thereby reducing the environmental impact of e-waste and protecting the environment.
- Ensures Permanent Destruction: ITAMs can rest assured that their devices are securely wiped and that the data cannot be recovered even in laboratory settings.
- Reduce Data Breach Risks: Erasing ROT (Redundant, Obsolete, or Trivial), dark, and unstructured data from devices reduces the attack vectors that hackers use to gain access to a device. It also reduces the impact of a data breach, as the data has been erased permanently.
- Prevent Hefty Fines and Penalties: Regulations like GDPR, California’s CCPA, South Africa’s POPIA, or Canada’s privacy law all mandate implementing safeguards for data security and have provisions for hefty fines and penalties for episodes of data breaches or not honoring customer’s data removal requests. Furthermore, federal bodies like SEC (Securities & Exchange Commission) and federal laws like FACTA (Fair and Accurate Credit Transactions Act) and SOX (Sarbanes-Oxley Act) also have provisions for huge fines for erring companies.
- Peace of Mind: Permanent data destruction means that you no longer have to worry about threats of data leakage and breaches.
Learning Curve For ITAMs
IT asset managers are essential in preventing data breaches and can assist their firms in preventing costly and devastating data breaches by following the best practices mentioned in this blog. IT asset managers can keep their businesses secure by keeping track of all assets, ensuring that only authorized individuals have access to critical data, and routinely assessing system security.
What does an IT Asset Manager do?
An IT asset manager is responsible for handling the life cycle of an organization's IT assets, including hardware, software, and licenses. In addition, they are responsible for ensuring that the organization is using its IT assets efficiently and ensuring that the assets are properly maintained and obsolete ones are disposed of securely.
Why is it necessary to dispose of the assets?
IT assets must be disposed of to safeguard data privacy, prevent any data leakage and ensure compliance with various local, federal, and international data privacy and protection laws.
What is Full Media Sanitization?
Full media sanitization is securely wiping all data from a storage device so that no data is recoverable with reasonable effort. In addition, full media sanitization wipes both the data and the operating system from the device.