ITAD security: Six Key Considerations
By Steve Hollingsworth, Director, Covenco
The practice, process and means of discarding IT hardware is referred to as IT asset disposition (ITAD). Companies face legal and compliance restrictions that mean the data stored on computers, devices and other physical assets risk becoming a liability in the absence of an audited process.
Organisations must be certain that their selected ITAD service provider will remove data and securely and safely discard end-of-life IT assets, as new methods of data protection are becoming increasingly crucial for business owners. Yet the necessity to safely remove data from any IT asset when it is collected for disposal has only recently begun to be recognised by businesses. This need has been fuelled by recent European and US legislation, including the General Data Protection Regulation (GDPR).
The financial, legal and reputational repercussions of a data breach are well known amongst those responsible for data within an organisation. Steve Hollingsworth, Director, Covenco, outlines six key considerations for how every business that collects, stores and processes data should always protect it, including when the time comes to dispose of hardware and data-bearing assets.
Ensuring data destruction is executed effectively
ITAD data destruction procedures are 99.999 percent effective when carried out correctly, a percentage acceptable even for the UK HMG Infosec Standard No. 5, the German Federal Office for Information Security (BSI) and the U.S. Department of Defense.
Software can enable an organisation to sanitise its own data – or even destroy it with physical destruction methods. Yet the majority of companies decide to adopt third-party ITAD services because they include a complete and proper audit trail and recognised data destruction standards – in addition to reducing the time and resources required to execute data destruction on several devices.
What’s more, a company fully accredited with the requisite systems in place has the ability to sanitise any type of data-bearing media, from solid-state drives to spinning disks.
The importance of reviewing your asset security during transit
A significant crime factor in 2023 is the theft of electronics during transit. The theft of electronic goods in cargo has increased by 22% since 2012, and has an estimated per-theft value of over $400,000 (excluding the value of data held on the stolen devices). When reviewing a business's assets during transit, the key steps are as follows:
- Secure collection and customer delivery
- Transfer of Custody
- Processing Time
- Record Keeping
Enforce facility surveillance and asset tracking
Beyond the necessity of ensuring the safe transportation of IT assets, securing all IT assets within the ITAD facility remains an obligation. This should include the secure tracking of IT assets during processing. Additionally, by choosing a third-party company that carries out thorough asset tracking through serial number capture, scanned barcodes and sophisticated internal reporting systems, a business is able to understand where its assets are in the process and track them for internal audit.
Guarantee your IT asset disposition abides by appropriate standards
Organisations that operate within ISO/IEC 27001 are proven and required to apply best practices, which are vital for ITAD, for managing the security of data assets such as financial information, employee details, intellectual property, clinical and research data and more.
Ensuring a solid understanding of the reuse and resale of IT assets
For this, asset ‘disposition’ has priority over ‘disposal’. In many cases, a customer’s assets may have a resale value. The organisation’s third-party supplier is therefore able to offer a fair market price to purchase these assets once their data has been completely sanitised within the standards of ADISA and ISO 27001.
End-of-life assets: destruction and recycling
Once all data has been discarded and an IT asset no longer holds resale value, the next step would be end-of-life disposition. It is crucial to understand the final processing of end-of-life IT assets because a business and company directors could be at fault for the repercussions if this is carried out irresponsibly.
Illegitimate recyclers have been used in some parts of the developing world to dump old e-waste. If the equipment ended up in a third-world country, someone could pull the asset tags and identify the business as an organisation contributing to the wrongful disposition of e-waste and the toxic environment.
Therefore, it is crucial that the business’s partner follows a procedure that safely destroys an asset beyond recovery when it reaches the end of its useful life, and is able to supply certificates of destruction and recycling, which can prove useful for compliance or security documentation and any recognition or reporting for the organisation’s environmental action.
Conclusion
Selecting an ITAD partner demands careful research and due diligence. Not only is the company’s data security at risk, so is the organisation’s reputation.
For both company and customer satisfaction, it is vital to use a reliable third party that supplies the necessary chain-of-custody control, data destruction options, compliant recycling, detailed reporting, downstream audit control, and solid remarketing returns demanded by diligent customers.
Additionally, when partnering with a company that holds ADISA and ISO 27001 accreditations, customers are provided complete peace of mind through the delivery of comprehensive audit-ready compliance and reporting at a forensic level.
By selecting an honest and dependable third party as their chosen ITAD partner, organisations can rapidly enhance the protection and control of the data they manage, while producing an extra stream of revenue for their IT department.