
By Apolone Gentles, JD, CPA, CGA, FCCA, BSc (Hons) | September 4, 2019

Ensure secure disposal of hardware


Organizations often make the mistake of considering the disposal of hardware only when they are ready to discard equipment, if at all. Instead, they should plan for hardware disposal throughout the entire systems development lifecycle, from acquisition and testing through to operations. At the acquisition phase, for example, consider the cost and ease of disposal when scoring hardware and media.

Additionally, the Internet of Things (IoT) creates an ever-increasing list of equipment which warrants consideration. The IoT gives conventional cameras, printers, and other equipment network connectivity, computing power and data storage, so they now hold data just as servers and laptops do. Disposal policies and practices cannot ignore these types of devices.

Failure to consider disposal early in the systems development lifecycle, or at all, increases the risk of improper hardware disposal, privacy breaches (and along with that, bad publicity and potentially hefty fines by privacy regulators), inadvertent disclosure of competitive information, and other risks.

Consequently, sanitization (rendering data inaccessible by ordinary and extraordinary means) is often a necessary precursor to hardware disposal. Sanitization may also be necessary even if the hardware is being cascaded to another user within the organization. Because IT should assign users only the access privileges which they need for their roles and no more, sanitization helps to prevent unnecessary data transfer or access internally.

Many other factors impact sanitization and disposal decisions, including environmental law, the reusability of the hardware and the hardware’s media or recordable surfaces. For example, if a device has reached the end of its useful life and cannot be reused, it is best to destroy it, possibly by degaussing or demagnetizing the hard drive (where appropriate) and perhaps incinerating it.

For improved internal controls, it is essential to view disposal as a series of steps or processes which may eventually culminate in the discarding or transferring of hardware outside of the organization. Many of these steps apply even when hardware is redeployed internally, and include the following:

  • Track assets and classify data by sensitivity – processes which track existing hardware, its useful life, location, user assignment and the classification of the data it contains will increase the likelihood of secure hardware disposal.
  • Back up information before sanitization or disposal – this ensures that the organization retains necessary and perhaps critical information which it may not be able to access elsewhere or recreate.
  • Verify that sanitization was effective – sanitization may have been unsuccessful because of user errors or equipment failures. Where possible, verify, on either a sample or a 100% basis, that sanitization did in fact occur.
  • Document and approve disposal decisions and methods – there needs to be an auditable trail to ensure that all steps were properly carried out, approved and recorded.
  • Share information between departments – while the IT department may destroy or otherwise dispose of an asset, or sanitize media so that hardware can be redeployed, it may need to share information with other teams, for example the accounting department. In the case of a disposal, this ensures that the fixed asset register (or IT asset log) is updated and reflects only those assets which the organization physically has. In the case of a redeployment, it ensures that the register reflects the correct user who was assigned control of the asset.
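The verification and documentation steps above can be automated. The following is an added example, not code from the article or from First Reference: it reads a drive image or block device after an overwrite, confirms every byte (or a random sample of chunks) holds the fill value, and builds the audit entry for the asset log. The function names, the record fields and the sample image are all constructed for this illustration.

```python
import os
import random
import tempfile
from datetime import datetime, timezone

def verify_overwrite(path, fill_byte=0x00, chunk_size=1 << 20, sample_fraction=1.0, seed=0):
    """Confirm that a sanitized image or block device contains only fill_byte.
    sample_fraction=1.0 is a 100% check; a smaller value checks a random subset
    of chunks and can therefore miss a region the overwrite skipped."""
    with open(path, "rb") as f:
        size = f.seek(0, os.SEEK_END)      # works for block devices, unlike os.path.getsize
        n_chunks = (size + chunk_size - 1) // chunk_size
        chunks = list(range(n_chunks))
        if sample_fraction < 1.0:
            k = min(n_chunks, max(1, int(n_chunks * sample_fraction)))
            chunks = sorted(random.Random(seed).sample(chunks, k))
        checked = 0
        for i in chunks:
            f.seek(i * chunk_size)
            data = f.read(chunk_size)
            expected = bytes([fill_byte]) * len(data)
            if data != expected:
                bad = next(j for j, (a, b) in enumerate(zip(data, expected)) if a != b)
                return {"passed": False, "size": size, "chunks_selected": len(chunks),
                        "bytes_checked": checked, "first_bad_offset": i * chunk_size + bad}
            checked += len(data)
    return {"passed": True, "size": size, "chunks_selected": len(chunks),
            "bytes_checked": checked, "first_bad_offset": None}

def disposal_record(asset_tag, path, method, operator, result):
    """Auditable entry for the asset log: what was sanitized, how, by whom, when,
    and whether verification passed. Approval is a separate step by a different person."""
    return {"asset_tag": asset_tag, "device": path, "method": method, "operator": operator,
            "verified_at": datetime.now(timezone.utc).isoformat(),
            "verification": result, "disposition_approved": False}

def make_test_image(size_bytes, bad_offset=None):
    """Constructed sample input: a zero-filled image, optionally with one residual byte
    standing in for a block the overwrite failed to reach."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.truncate(size_bytes)
        if bad_offset is not None:
            f.seek(bad_offset)
            f.write(b"\xA5")
    return path
```

A sampled check is only evidence that the sampled chunks were overwritten; for media holding high-sensitivity data, run the 100% check and keep the returned dictionary with the record.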

Improve the controls surrounding the secure disposal of hardware by selecting the appropriate sanitization methods based on the type and media composition of the hardware, and after assessing:

  1. Data classification and the impact of unauthorized loss, disclosure or alteration of data housed on the hardware;
  2. Whether the hardware can be reused; and
  3. Whether the hardware will remain in the organization’s control.

One alternative is to retain the services of an IT asset disposition (ITAD) service provider, particularly where the expertise or time required is unavailable internally. In that case, retain a reputable organization and develop internal controls over the activities of the ITAD service provider.

Implement policies that support secure disposal, including asset tracking and disposal procedures and forms.

To create your policies, utilize the checklists, forms and other tools in Information Technology PolicyPro, including SPP IT 2.07 – Disposal of Hardware (updated in the upcoming release), all based on best practices including guidance from COBIT 2019 and the National Institute of Standards and Technology (NIST) Special Publication 800-88 Revision 1.

Information Technology PolicyPro

Policies and procedures are essential to the secure and efficient disposal of hardware, as well as to other internal controls, but the work required to create and maintain them can seem daunting. Information Technology PolicyPro, co-marketed with First Reference and Chartered Professional Accountants Canada (CPA Canada), contains sample policies, procedures and other documents, plus authoritative commentary in the areas of information technology governance and management, to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request a free 30-day trial of Information Technology PolicyPro.

About the author: Apolone Gentles, JD, CPA, CGA, FCCA, BSc (Hons)
Apolone Gentles is a CPA, CGA and Ontario lawyer and editor with over 20 years of business experience. Apolone is leveraging 20 years of business and accounting experience to build a commercial litigation practice with an emphasis on construction law. She has held senior leadership roles in non-profit organizations, leading finance, human resources, information technology and facilities teams. She has also held senior roles in audit and assurance services at a “Big Four” audit firm. Apolone has also lectured in Auditing, Economics and Business at post-secondary schools.