Organizations often make the mistake of considering the disposal of hardware only when they are ready to discard equipment, if at all. Instead, they should plan for hardware disposal throughout the entire systems development lifecycle, from acquisition and testing through to operations. At the acquisition phase, for example, consider the cost and ease of disposal when scoring hardware and media.
Additionally, the Internet of Things (IoT) creates an ever-increasing list of equipment which warrants consideration. The IoT gives conventional cameras, printers, and other equipment network connectivity together with computing and data storage capabilities, so they now hold data that must be sanitized. Disposal policies and practices cannot ignore these types of devices.
Failure to consider disposal early in the systems development lifecycle, or at all, increases the risk of improper hardware disposal, privacy breaches (and, along with that, bad publicity and potentially hefty fines from privacy regulators), inadvertent disclosure of competitive information, and other harms.
Consequently, sanitization (rendering data inaccessible by ordinary and extraordinary means) is often a necessary precursor to hardware disposal. Sanitization may also be necessary even if the hardware is being cascaded to another user within the organization. Because IT should assign users only the access privileges which they need for their roles and no more, sanitization helps to prevent unnecessary data transfer or access internally.
Many other factors impact sanitization and disposal decisions, including environmental law, the reusability of the hardware and the hardware’s media or recordable surfaces. For example, if a device has reached the end of its useful life and cannot be reused, it is best to destroy it, possibly by degaussing or demagnetizing the hard drive (where appropriate) and perhaps incinerating it.
For improved internal controls, it is essential to view disposal as a series of steps or processes which may eventually culminate in the discarding or transferring of hardware outside of the organization. Many of these steps apply even when hardware is redeployed internally, and include the following:
- Track assets and classify data by sensitivity – processes which track existing hardware, their useful lives, locations, user assignments, and the classification of data they contain, will increase the likelihood of secure hardware disposal.
- Backup information before sanitization or disposal – this ensures that the organization retains necessary and perhaps critical information which it may not be able to access elsewhere or recreate.
- Verify that sanitization was effective – sanitization may have been unsuccessful because of user errors or equipment failures. Where possible, verify on either a sample or 100% basis that sanitization did in fact occur.
- Document and approve disposal decisions and methods – there needs to be an auditable trail to ensure that all steps were properly carried out, approved and recorded.
- Share information between departments – while the IT department may destroy or otherwise dispose of an asset, or sanitize media so that hardware can be redeployed, it may need to share information with other teams, for example the accounting department. In the case of a disposal, this will ensure that the fixed asset register (or IT Asset Log) is updated and reflects only those assets which the organization physically has. In the case of a redeployment, it will ensure that the register reflects the correct user who was assigned control of the asset.
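The verification and documentation steps above, as an added example that is not from the original article: a Python routine that checks a sanitized drive image against the expected overwrite pattern, either every sector or a seeded random sample of sectors, and emits a record for the disposal audit trail. The 512-byte sector size, the asset tag and the test image are constructed placeholders; a sample can miss a residual sector that a full check would catch, which is the trade-off the sample-versus-100% choice implies.

```python
import random
from dataclasses import dataclass, asdict

SECTOR = 512  # sector size assumed for the constructed image


@dataclass
class VerificationRecord:
    """One row for the disposal audit trail (asset tag is a placeholder value)."""
    asset_tag: str
    method: str              # "full" or "sample"
    sectors_checked: int
    sectors_total: int
    first_bad_offset: int    # byte offset of the first non-matching sector, -1 if none
    passed: bool


def sector_matches(image: bytes, index: int, pattern: int) -> bool:
    """True when sector `index` holds only the expected overwrite byte."""
    chunk = image[index * SECTOR:(index + 1) * SECTOR]
    return chunk == bytes([pattern]) * len(chunk)


def verify_image(image: bytes, asset_tag: str, pattern: int = 0x00,
                 sample_fraction: float = 1.0, seed: int = 0) -> VerificationRecord:
    """Check every sector (sample_fraction >= 1.0) or a seeded random sample of sectors."""
    total = -(-len(image) // SECTOR)          # ceiling division
    if sample_fraction >= 1.0:
        method, indices = "full", range(total)
    else:
        rng = random.Random(seed)              # fixed seed so the sample can be reproduced
        k = min(total, max(1, int(total * sample_fraction)))
        method, indices = "sample", sorted(rng.sample(range(total), k))
    checked, first_bad = 0, -1
    for i in indices:
        checked += 1
        if not sector_matches(image, i, pattern):
            first_bad = i * SECTOR
            break                              # one leftover sector fails the whole device
    return VerificationRecord(asset_tag, method, checked, total, first_bad, first_bad == -1)


def constructed_image(total_sectors: int, residual_at: int = -1) -> bytes:
    """Constructed test image: zero-filled, optionally with one sector of leftover data."""
    img = bytearray(total_sectors * SECTOR)
    if residual_at >= 0:
        img[residual_at * SECTOR:(residual_at + 1) * SECTOR] = bytes(range(256)) * 2
    return bytes(img)


if __name__ == "__main__":
    dirty = constructed_image(1000, residual_at=700)
    print(asdict(verify_image(dirty, "ASSET-PLACEHOLDER")))  # full check reports the leftover sector
```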
Improve the controls surrounding the secure disposal of hardware by selecting the appropriate sanitization methods based on the type and media composition of the hardware, and after assessing:
- Data classification and the impact of unauthorized loss, disclosure or alteration of data housed on the hardware;
- Whether the hardware can be reused; and
- Whether the hardware will remain in the organization’s control.
One alternative is to retain the services of an IT asset disposition (ITAD) service-provider, particularly where the expertise or time required are unavailable internally. In that case, retain a reputable organization and develop internal controls over the activities of the ITAD service-provider.
Implement policies that support secure disposal, including asset tracking and disposal procedures and forms.
To create your policies, utilize the checklists, forms and other tools in Information Technology PolicyPro, including SPP IT 2.07 – Disposal of Hardware—which is updated in the upcoming release—all based on best practices including guidance from COBIT 2019 and the National Institute of Standards and Technology (NIST), Special Publication 800-88 Revision 1.
Policies and procedures are essential to the secure and efficient disposal of hardware, as well as to other internal controls, but the work required to create and maintain them can seem daunting. Information Technology PolicyPro, co-marketed with First Reference and Chartered Professional Accountants Canada (CPA Canada), contains sample policies, procedures and other documents, plus authoritative commentary in the areas of information technology governance and management, to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request a free 30-day trial of Information Technology PolicyPro here.