What are The Best Practices for IT Asset Managers when disposing of IT assets?

Summary: An IT asset management professional (ITAM) is a vital part of an organisation’s operations, and they play a leading role in ensuring that the organisation’s IT assets are properly disposed of. This blog aims to provide a variety of effective practices that IT Asset Managers can adopt to ensure that their organisation’s IT assets are secure.

The process of IT asset disposal (ITAD) ensures that end-of-life devices and old technology are securely erased before they are sold, repurposed, or reused. Due to the rise of data privacy regulations, such as the GDPR, CCPA, VCDPA, CPA, POPIA, etc, the importance of ITAD has become more prevalent. In addition to following best practices, an organisation’s IT Asset Manager should also follow applicable federal, state, and local regulations when it comes to disposing of its IT assets.

Best Practices that ITAMs should Follow for IT Asset Disposal:

These are the best practices for managing the disposition of IT assets to minimize the risk of data breaches and leaks.

  • Data Destruction Policy: A clear and comprehensive ITAD policy is important to ensure that the organisation’s IT assets are properly disposed of. It should cover various aspects such as data security and environmental considerations.
  • Manage and list all IT assets inventory: Before the disposal of IT assets, an IT Asset Manager should have a comprehensive inventory of all of the company’s equipment. This will help ensure that the devices are secure and do not contain sensitive data.
  • Device Audit to Identify storage type: Before implementing data destruction procedures, an IT Asset Manager should also thoroughly inspect the media types included in the device. For instance, if an organisation has a hard disk drive (HDD), it can be degaussed to ensure that it doesn’t contain sensitive data. However, an organisation with a solid-state drive (SSD) should be erased using a tool such as BitRaser.
  • Perform Secure Data Erasure & don’t rely on Native Read/Write Interface: One of the most important steps that an IT Asset Manager should take when it comes to implementing data destruction procedures is to avoid relying on the native read/write interface. This method can’t completely wipe the entire storage media. For instance, if the device is inaccessible, the data may be stored in sectors that are remapped or Host protected. This means that all data should be physically destroyed or erased using data erasure software.
  • Sanitize devices according to Media Type: An IT Asset Manager should also ensure that its data destruction policy provides clear guidance on how to destroy the data depending on its media type. This can be done by implementing specific protocols that are based on the security level and sensitivity of the data.
  • Avoid degaussing modern magnetic media: Although degaussing is an effective technique for older hard drives, it can also be very challenging to properly destroy the newer generation of magnetic storage media due to its high coercivity.
  • Use Cryptographic Erase (CE) with discretion: One of the most effective ways to properly destroy self-encrypting disks is by using a tool known as Cryptographic Erase (CE). This method can be used to remove the media encryption key (MEK) in order to prevent unauthorized access to the data. However, it should be noted that this method is not always effective and can be very risky.
  • Perform full media sanitization: Partial media sanitization is commonly used when it’s not feasible to completely remove all data from a device. For instance, if an organisation wants to remove only the files of a user from a laptop, this method might not be feasible. In partial media sanitization, there’s no guarantee that the target data will be completely destroyed. Therefore, performing full media sanitization is the recommended method.
  • Erase all media drives: Before transferring IT assets to third parties, such as e-recycles, charities, and resellers, it’s important that the drives are erased completely. This method can help minimize the risks associated with the storage of sensitive data. In addition, it can protect the warehoused IT equipment from hardware theft.
  • Verify Erasure results: In order to guarantee that the results of the data destruction process are reliable, full verification is performed. This process involves reading the entire device’s accessible memory locations and performing a representative sampling of the pseudorandom locations on the media. According to the NIST SP 800 88, full verification is required if external factors or time permits.
  • Data Destruction certificates: Before implementing data destruction procedures, it’s also important that an organization has a verified record and certificate. These documents can help comply with data protection regulations and provide an audit trail for the entire process. Having these documents in a convenient and shareable format can be used in an emergency.
  • Choose a Reputable ITAD vendor: Before choosing an IT asset disposal vendor, it’s important to ensure that they have a good track record of handling the disposal of technology assets. They should also be able to comply with relevant regulations and laws.
  • Due diligence on ITAD vendors: When hiring a third party to handle data destruction, it’s crucial to conduct due diligence on the vendor’s track record. Failure to do so can lead to significant penalties and legal issues. Having the necessary certifications and historical records can also help prevent unauthorized access to the data.

What Are The Benefits of ITAD Best Practices?

  • Data Security & Brand Protection: IT Asset Managers can help protect their organisation’s Brand and data by following best practices when it comes to data security and disposal. This can help prevent unauthorized access and misuse of the data. A single data breach can have a catastrophic impact on an organization’s financial and legal situation.
  • Maintain Compliance: ITAD best practices can help IT Asset Managers keep track of their compliance with various regulations and laws related to the disposal of their equipment.
  • Protects Environment & Achieve Sustainability: The ability to reuse, repair, and recycle electronic devices is a vital component of a sustainable economy. Data destruction helps organisations reduce their environmental impact and improve their operations.
  • Ensures permanent data destruction: IT Asset Managers can be assured that their devices will be securely destroyed and cannot be recovered even in the laboratory.
  • Reduce Data Breach Risks: By eliminating the ROT (Redundant, Obsolete, or Trivial), dark, unstructured data from devices organisations can reduce the risk of data breaches. It can also help prevent unauthorized access to the data.
  • Prevent hefty fines and penalties: Several international regulations, such as the European Union’s General Data Protection Regulation (GDPR), South Africa’s POPIA, and Canada’s Privacy Act, require organisations to implement measures to protect the privacy and security of their customers’ data. These regulations also have provisions for large fines for violations of data security and failure to honor requests to remove personal information.
  • Peace of mind: The ability to permanently destroy data eliminates the worry of data breaches and leakage.

In addition to being able to prevent data breaches, IT asset managers also play a vital role in keeping their companies secure. They can help prevent unauthorized access and use of their data by regularly assessing their systems and keeping track of all their assets.