End of Life IT Asset Security
We want to pose a question here: Have you really given any thought to the risk of information security breaches at your company or organization? This has become a huge concern, especially for large enterprise organizations, but small and middle market firms need to be cautious as well. While everyone today is freaking out about being hacked and having valuable information leaked, stolen or held up for ransom, a larger concern – often ignored – is what happens to your data at the end of life of your IT equipment. More and more we are learning about information leaks that come long after equipment has been retired and is no longer in use.
Great care and consideration should be given to your retired IT assets, perhaps as much as – or more than – your active assets. Most companies don’t think about setting aside any budget for retiring their IT assets in a safe and proper manner. Dumping the old IT equipment at a scrap company, or offering it to employees who want to take the equipment off the company’s hands, is definitely not the answer! What happens to all of the data, personnel information, health records, proprietary information, and the like, that are stored on that equipment? You are opening your company up to a security breach and liability you never imagined.
Today every company should establish a formal procedure for handling end of life IT equipment with a trusted processing partner: someone who is certified and can help you prepare for the EOL and set up guidelines for the company to follow. Included in this should be an asset inventory report and a documented list of all equipment that is being removed from the premises. You should then receive a certificate stating how each piece of equipment was ultimately disposed of.
In some instances old IT equipment can be repurposed – known as remarketing – and if this is the case, ask your vendor if there is some compensation back to the company, either as a payment or as a credit towards future work done. If this is a possibility, agree upon it and negotiate your compensation at the outset of the relationship.
Be sure that you understand exactly how your information is going to be destroyed, and how the devices will be processed and disposed of. There is a cost for disposing of IT equipment properly, so be very leery of vendors who offer to take old equipment off of your hands for free. They are most likely not very reputable and therefore your data can be exposed to breaches that could come back to haunt the company.
When everything has been disposed of, you should expect an itemized and certified document from your vendor of everything that was removed and how it was disposed of.
So consider the cost and the liability if your old IT assets are not handled correctly at EOL. While you are spending money and time to protect your company from outside hackers, it is also important that you pay close attention to the attacks that can come from what you hand over to others for processing. This should be part of an overall security program concerning all IT assets.