IT Equipment Disposal Policy

Transcription

1 IT Equipment Disposal Policy ACKNOWLEDGEMENTS... 2 EXECUTIVE SUMMARY ISSUES & OPPORTUNITIES Conflicting policies OBJECTIVES SCOPE Ownership Stewardship Definitions GENERAL POLICY CONSIDERATIONS Policy regarding both reuse and recycling Life Cycle Management of IT equipment Notification of reuse/recycling of IT equipment Data security Policy regarding reuse only Within the faculty, department, or service unit Within McGill University External to McGill University Software licensing Policy regarding recycling only Environmental responsibility RECOMMENDED PROCEDURES Procedures regarding both reuse and recycling Life Cycle Management of IT equipment Notification of reuse/recycling of IT equipment Data security Procedures regarding reuse only Within a faculty, department, or service unit Page1

2 5.2.2 Within McGill University External to McGill University Software licensing Procedures regarding recycling only Environmental responsibility APPENDIX A Recommended Responsibilities APPENDIX B Participants ACKNOWLEDGEMENTS The development of this policy benefitted from the participation of a diverse representation of several McGill units (a complete list of participants can be found in APPENDIX B Participants): Faculty of Arts Desautels Faculty of Management Information Security IT Customer Services Faculty of Medicine Network and Communications Services Procurement Services Office of Sustainability University Services Page2

3 EXECUTIVE SUMMARY This document recommends a policy regarding the disposal and/or reuse of unwanted IT equipment purchased with operating funds at McGill University. McGill operating funds are invested in new IT equipment to replace obsolete and end of life equipment but what happens to all this old equipment? Is there still any residual value or confidential information contained within? Does the equipment end up in the garbage, is it recycled (in a responsible manner), is it given away to employees/students, or is it donated to unknown organizations? While McGill may know how much IT equipment is purchased each year, does the University know how much is actually replaced and/or disposed of? This IT Equipment Disposal Policy (ITEDP) will address all these issues. It is an opportunity to be responsible not only for the purchase and maintenance of IT equipment with operating funds, but also for their disposal, be it by reuse (elsewhere within McGill), recycling, reselling, or destruction all in a secure (including disk wiping), responsible, and accountable manner. For functional IT equipment that can be reused elsewhere in another unit, McGill will need to implement a university wide communications tool to publicize its availability. For IT equipment destined to be recycled/destroyed, a McGill designated group the ITEDP proposes McGill Hazardous Waste Management should be authorized to collect and process the equipment in a secure and responsible manner. Finally, overseeing the life cycle management of all IT equipment at McGill University will require resources and funding. To this end, the ITEDP proposes that McGill Procurement Services be responsible for purchasing, establishing sustainability fees, amortization schedules, reuse/disposal, etc. of all IT equipment. Procurement Services and McGill IT Services will assist in determining the IT equipment value, where value refers not only to the monetary amount (Procurement Services), but also to its usefulness and to any data (confidential or otherwise) contained therein (IT Services). Page3

4 1 ISSUES & OPPORTUNITIES In an era where computers, laptops, mobile devices, printers, servers and storage as well as all their associated accessories monitors, hard drives, scanners, chargers, memory media, etc. are evolving at an ever quickening pace, today s cutting edge technology becomes obsolete in a matter of just a few years. McGill operating funds are invested in new IT equipment to replace obsolete and end of life equipment but what happens to all this old equipment? Is there still any residual value or confidential information contained within? Does the equipment end up in the garbage, is it recycled (in a responsible manner), is it given away to employees/students, or is it donated to unknown organizations? While McGill may know how much IT equipment is purchased each year, does the University know how much is actually replaced and/or disposed of? Different McGill faculties, departments, and service units use different IT equipment disposal methods. McGill can develop a process to combine the best practices of all McGill faculties, departments, and service units, and benefit from the lessons learned. IT equipment is improperly disposed of when it could be reused elsewhere within McGill. McGill can develop a process to enable all faculties, departments, and service units to reuse unused and non required IT equipment, thereby reducing expenses. Many McGill faculties, departments, and service units do not dispose of their IT equipment in an environmentally safe and responsible manner. As the University strives to be recognized as an environmentally safe and responsible institution of learning and as a model of environmentally responsible living 1, McGill can develop a process to help achieve this throughout the life cycle of IT equipment use, by promoting the purchase of environmentally preferable IT products, promoting responsible use to prolong product life and reduce unnecessary energy consumption, and assuring proper disposal practices do not contravene the Basel Convention 2. IT equipment disposal without proper guidance and control from the IT department can lead to serious security problems and software licensing violations. McGill can develop a process to ensure that all data are properly wiped from any type of IT equipment prior to its disposal. In the case of reuse, this process can ensure that prevailing software licensing agreements are respected. 1.1 Conflicting policies The University will need to address any existing conflicting policies as well as establish policy precedence regarding the purchasing of equipment with multiple fund types (e.g., research, operating). 1 Environmental Policy for McGill University ( 2 The Basel Convention ( on the Control of Transboundary Movements of Hazardous Wastes and their Disposal is the most comprehensive global environmental treaty on hazardous and other wastes. It aims to protect human health and the environment against the adverse effects resulting from the generation, management, transboundary movements and disposal of hazardous and other wastes. Page4

5 2 OBJECTIVES The IT Equipment Disposal Policy (ITEDP) aims first to propose to the Vice Principal, Administration & Finance a policy on how to properly dispose of IT equipment that is no longer needed at McGill University (see section 4). There are several factors that must be addressed with regard to proper disposal : how the equipment should be disposed of (reuse, recycle, environmental responsibility) commercial, sustainability, and security aspects existing or required procedures and/or tools The ITEDP will then recommend how this policy may be actualized and by whom (see section 5): requirements to actualize the proposed policy items suggested tactics (see APPENDIX A Recommended Responsibilities) 3 SCOPE This policy applies to any designated IT Equipment that has been purchased, in whole or in part, with McGill operating funds, capital funds, matching funds, donations, or student funds, and thus deemed to be owned by McGill University. This policy does not apply to equipment purchased entirely with research funds or private funds. IT equipment subject to this policy is equipment deemed to be no longer desirable or useable by the owner (or steward; see section 3.1.1). This may be because the equipment is obsolete, broken, end oflife, or no longer needed. This policy applies to all McGill units. Any exceptions shall be subject to approval by the Vice Principal (Administration & Finance). 3.1 Ownership The Owner of all IT equipment covered in this policy is McGill University Stewardship The Owner may delegate control to a Steward. This may typically be the fund manager of the funds used to purchase the equipment. As such, the Steward is delegated to: maintain appropriate inventory for all delegated equipment ensure the proper use of the equipment maintenance assign equipment to individual users insure the equipment (refer to Property insurance at transfer equipment dispose of zero value equipment These duties extend to equipment located or regularly used off McGill property. Page5

6 The Steward may transfer equipment between users within their domain without the express permission of the Owner or users (e.g., Administrative Desktops within a faculty). The Steward may not transfer equipment to other users outside their domain without the express permission of the Owner (e.g., Academic Laptops). 3.2 Definitions Designated IT equipment covered by this policy refers to the following equipment: desktop computers laptop computers, electronic pads, and ebook readers computer screens and television sets printers, scanners, fax machines, and photocopiers (including multi functional devices) cellular and satellite telephones, including smartphones conventional and wireless telephones, pagers, and answering machines keyboards, mouses, cables, connectors, chargers, and remote controls video game consoles and their peripherals, projectors designed for use with electronic equipment, readers, recorders, burners sound, image and wave storage devices, amplifiers, equalizers, digital receivers, and speakers designed for use with an audiovisual system portable digital players, radio receivers, docking stations for portable digital players and other portable devices, walkie talkies, digital cameras, digital photo frames, camcorders, and global positioning systems routers, servers, hard drives, memory cards, USB keys, speakers, webcams, earphones, wireless devices, and other accessories such as spare parts, etc. Used equipment refers to any IT equipment that isn t new but is still functional. Such equipment may become available because, for example, it has been replaced by different or newer equipment. End of Life (EoL) Equipment refers to any IT equipment that is too damaged, broken, or old to be functional. This equipment should be identified as material for recycling. Disposal refers to the final placement or removal of wastes, excess, and scrap under proper process and authority with no intention to retrieve. Disposal may be accomplished by recycling. Reuse refers to the re purposing (e.g., via transfer, donation, sale) of unwanted IT equipment that may still be found useful elsewhere: within the original faculty, department, or service unit within the University in another faculty, department, or service unit external to McGill University Recycling refers to the dismantling and destruction of unwanted IT equipment in an environmentally responsible manner. Recycling does not entail the refurbishment of equipment for reuse elsewhere. Page6

7 4 GENERAL POLICY CONSIDERATIONS 4.1 Policy regarding both reuse and recycling Life Cycle Management of IT equipment Life Cycle Management of all IT equipment shall be provided by McGill Procurement Services, to be funded by a sustainability fee imposed at the time of purchase of the IT equipment Notification of reuse/recycling of IT equipment For the purpose of Life Cycle Management, the Steward shall advise Procurement Services of any IT equipment being disposed of Data security Any IT equipment earmarked for disposal (reuse and recycling) must undergo a proper data cleansing process. All data must be removed, including the wiping of all hard disks and any other data storage devices found on the equipment. 4.2 Policy regarding reuse only The Steward may not unilaterally decide where or how to dispose of unwanted IT equipment. Unwanted IT equipment may not be given or sold to individuals for personal use. The Steward shall search through the following, in order, for any need for the unwanted IT equipment Within the faculty, department, or service unit The Steward shall check within their faculty, department, or service unit for an eligible recipient. Unwanted IT equipment cannot be given to to individuals for their personal use Within McGill University Should an eligible recipient not be found within their faculty, department, or service unit, the Steward shall advertise/communicate the availability the unwanted IT equipment throughout the University External to McGill University Should an eligible recipient not be found within the University, the Steward may donate the unwanted IT equipment to a recipient external to McGill University, that is on a list of eligible charities and/or nonprofit organizations approved by Procurement Services. A contract shall be signed by the recipient, absolving McGill University of any responsibility related to support or follow up Software licensing For any computer IT equipment destined for reuse, the wiped hard disk shall be subsequently re imaged with the appropriate operating system in accordance with any prevailing software licensing agreements. 4.3 Policy regarding recycling only McGill Hazardous Waste Management shall be responsible for the recycling (i.e., destruction) of unwanted IT equipment that cannot be reused anywhere within or external to the University. Only the Steward of the IT equipment is authorized to initiate the recycling procedure. Page7

8 4.3.1 Environmental responsibility Hazardous Waste Management shall ensure that all unwanted IT equipment is delivered to an eligible recycling service (approved by the McGill Office of Sustainability) that will dismantle and destroy (i.e., not reuse) the IT equipment in an environmentally responsible way. Page8

9 5 RECOMMENDED PROCEDURES 5.1 Procedures regarding both reuse and recycling Before changing the use of, transferring, or disposing of IT equipment, the Steward shall consult with all Fund Managers or other parties (e.g., student groups) who contributed to the purchase of the IT equipment. The Steward shall handle any objections by referring to the previously stated policies Life Cycle Management of IT equipment Procurement Services will be responsible for the Life Cycle Management of all IT equipment, from its acquisition to its disposal Asset management McGill University shall have an overarching sustainable procurement and asset management policy, intricately tied to the University s sustainability and environmental policies. This policy would provide general orientations for the life cycle and optimization of equipment, devices, goods, and even services purchased by McGill. At the same time, all other departments and administrative units may collaborate in this success by providing technical or specific expertise (helping to identify the most sustainable products and services) and offering day to day support to the achievement of sustainability objectives. While all members of the McGill community may play a role in attaining these objectives, Procurement Services shall provide the vision and the coordinating function to ensure McGill s sustainable use of resources. The life cycle management of used/eol IT equipment requires the establishment of clear Universitywide procedures for particular asset management purposes. Moreover, the implementation of the University s 3R (reduce, reuse, recycle) management objectives requires oversight, and the establishment of clear communications to support an optimal deployment of resources. An asset management system will be instrumental to Procurement Services in achieving these objectives. Asset tracking software will enable McGill administrators to conduct comprehensive and cost effective physical audits of the University s IT equipment Acquisition Sustainability and life cycle thinking will guide Procurement Services, encouraging them to practise the following as it applies to IT equipment: Follow the 3R hierarchy, including questioning the frequency at which equipment is renewed or deployed, promoting reuse of equipment before allowing new equipment to be purchased (although certain technological constraints are unavoidable). It also implies extending the useful life of equipment, whether within the University or externally. Identify and use (wherever possible) sustainability criteria, such as certifications and eco labels (e.g., ENERGY STAR and/or Electronic Product Environmental Assessment Tool (EPEAT) Silver and/or Gold registered products), which should be considered in purchasing decisions. Consider the broader economic, social, and environmental impacts of purchases. Track the quantities/types of equipment as well as storage systems (e.g., existence of hard drives), to help plan (from the start) future flow of used/eol equipment and related management activities. Page9

10 Implement a sustainability fee at the time of purchase to fund these life cycle management initiatives. Any IT equipment categorized as Computing Equipment (charged to account code 70006) will be depreciated over three (3) years in accordance with the amortization schedule set by the Ministère de l Éducation, du Loisir et du Sport (MELS). This will establish a schedule of residual value at the time of purchase Disposal Market value at time of disposal Procurement Services will have developed guidelines that they shall use when receiving offers from external refurbishing/reuse/recycling businesses interested in buying equipment, to efficiently and effectively define market values of IT equipment Zero value Zero value is defined by the usefulness of the equipment to McGill University. Equipment shall be disposed of in a manner consistent with this policy when the Steward, in consultation with McGill IT Services, deems the equipment to be of no useful value to McGill University. Data stored on the equipment shall be treated as a separate but related issue. All data stored on the equipment shall be properly offloaded before transfer or disposal of said equipment. In some cases, the value of the data may be greater than the value of the equipment, which may dictate a method of equipment disposal, or even the possibility of equipment transfer. Equipment that is of zero value to the University may be of value to others, as spare parts or in its entirety. The disposal process outlined in this policy includes the potential reuse of the equipment by others Notification of reuse/recycling of IT equipment In order to maintain the integrity of the Life Cycle Management of IT equipment, the Steward shall notify Procurement Services of any IT equipment being reused/recycled. This notification shall be in the form of a document, , or facsimile Data security McGill Network and Communications Services (NCS) shall be responsible for the data cleansing of any IT equipment before being made available for reuse/recycling. The removal of data remnants is an important issue that shall be taken into consideration when disposing of equipment. In many cases, even when files are deleted or disks formatted, data may still remain. This data may include confidential and/or sensitive documents, saved credentials, product keys, etc. Such data remnants have led to several high profile data loss incidents, thus a proper data cleansing process shall occur to ensure that data does not escape, even when disks are not to be reused Hard drives Hard drives are used not only in computers, laptops, and servers, but also in multi functional devices (printers, photocopiers) and some portable digital players. Hard drive wiping may be achieved through several methods which fall into three categories: software, hardware, and physical. Page10

11 Software In the case of data deletion by software, a system is told to overwrite a file/partition/disk with data on a sector by sector basis. This data may be generated via a number of algorithms, zeros, or a randomly generated character Hardware Due to increased attention given to data loss, the hard drive manufacturing industry has introduced a SecureErase feature on newer hard disks. This function, built directly into the hardware and triggered by the firmware, wipes the platters on a sector by sector basis including sectors which may not be written/read by software wiping solutions. Furthermore, since the writing is performed from within the disk and not by external software, the process is noticeably faster Physical At times, due to hardware issues, physical destruction may be necessary. This may be performed via high powered degaussing (removing the charge from the platters) or physical destruction (industrial shredding) to prevent reconstruction Solid State Drives With any emerging technology, there may be growing pains associated with the adaptation of traditional processes. One such issue arises with the introduction of Solid State Drives (e.g., USB memory keys, SD memory cards). Due to wear levelling and performance reasons, overwriting may not consistently clear content, nor will a full disk overwrite BIOS/CMOS and other memory While most of the data in an electronic device would be localized to the dedicated storage device, information may also be found in other areas. For example, the BIOS/CMOS may house configuration data containing infrastructure details, such as a common BIOS/CMOS password or an IP address for system management. While in many cases this information may not be overly critical, items such as the BIOS/boot password may hinder reuse of the device and shall be cleared as a courtesy Rules/standards/guidelines Due to the inherent dangers related to the processing and storage of certain data, many regulations have been drafted in order to help protect the data and the various entities which may be affected. Many of these regulations also specify conditions and requirements for data sanitization once the data or IT equipment has outlived its usefulness. There are several laws and regulations that relate to data retention and data sanitization on storage devices, including: Personal Information Protection and Electronic Documents Act (PIPEDA) Payment Card Industry Data Security Standard (PCI DSS) Furthermore, when dealing with data or equipment associated with various projects, agreements with the data as well as the grant stewards may contain stipulations outlining the requirements for data sanitization or destruction. Care shall be taken when signing agreements to read the fine print related to data access, in order to ensure that any additional requirements for secure erasure are met. 5.2 Procedures regarding reuse only Reuse of equipment at McGill shall be encouraged. The most sustainable and fiscally responsible way to dispose of functional IT equipment that is of zero value is to redeploy it within McGill. Page11

12 Manufacturing and EoL accounts for the majority of an IT equipment s ecological footprint, hence the most sustainable practice is to extend the life of that equipment as much as possible. To optimize the resources spent on making the equipment, it shall be used for as long as possible, reusing it as often as possible, and then recycled when no longer useable. The life of the equipment may be extended either through component upgrades (e.g., RAM) or through redeployment on or off campus Within a faculty, department, or service unit If the IT equipment is still functional, the Steward may choose to reuse the equipment within their department, provided that data security protocols and software licensing agreements have been adhered to Within McGill University Procurement Services is responsible for implementing an effective means for communicating the availability of IT equipment as required to ensure that assets are not recycled when they could be reused. Stewards shall advertise the available IT equipment for a pre determined minimum length of time External to McGill University The Steward shall select a recipient from a list of eligible charities and/or non profit organizations. The Steward may not arbitrarily donate to a charity/organization of their own choosing or preference that is not on the approved list. The list of eligible charities and/or non profit organizations shall be prepared and approved by Procurement Services, in accordance with the following criteria: The recipient organization s mission statement is in line with that of McGill s There is no conflict of interest between McGill and the recipient organization o No one at McGill stands to gain or profit from the donation The recipient organization does not appear on any Government or McGill University blacklist When donated to another, off campus location, it shall become the responsibility of the recipient to direct the IT equipment to a responsible location at the end of its life. No follow up or monitoring will be done on donated IT equipment. Procurement Services will have developed a contract to this effect, to be signed by the recipient Software licensing McGill IT Customer Services (ICS) shall be responsible for any re imaging of hard drives and installation of any supported software, always in accordance with any prevailing software licensing agreements. 5.3 Procedures regarding recycling only The Steward (with the help of IT support personnel) may determine that unwanted IT equipment is unsuitable for any reuse, and that it shall be recycled (i.e., destroyed) as arranged by Hazardous Waste Management. Page12

13 5.3.1 Environmental responsibility Hazardous Waste Management shall select a recycling service from a list of eligible recycling services. Hazardous Waste Management may not arbitrarily deliver to a recycling service of their own choosing or preference that is not on the approved list. The list of eligible recycling services shall be prepared and approved by the McGill Office of Sustainability, in accordance with the following criteria: The recycling service s mission statement is in line with that of McGill s There is no conflict of interest between McGill and the recycling service o No one at McGill stands to gain or profit from the use of this recycling service The recycling service dismantles, destroys, and recycles IT equipment in an environmentally responsible way o Their disposal practices do not contravene the Basel Convention The recycling service does not appear on any Government or McGill University blacklist Page13

14 APPENDIX A Recommended Responsibilities The following responsibility assignment (RACI) matrix illustrates who would be responsible for recommendations outlined in the ITEDP. FUNCTION HAZARDOUS IT SERVICES PROCUREMENT OFFICE OF STEWARD WASTE SECTION DESCRIPTION SERVICES SUSTAINABILITY MANAGEMENT CIO NCS ICS Life cycle management of I AR I C C IT equipment Asset management I AR C I C C C Acquisition I AR I C C Disposal I R A C I C C C Notification of reuse/recycling of IT equipment R I A I C C Data security I I I AR IR C Reuse of IT equipment Within a faculty, department, AR I I or service unit Within McGill University R A I I I External to McGill I AR C I I University Software licensing I C A R Recycling of IT equipment Environmental responsibility I R A C I Responsible Accountable Consulted Informed Info Sec Page14

15 APPENDIX B Participants This document is the result of several meetings with and the contribution of the following participating McGill faculties and departments: Faculty of Arts o Sunny Galiza o Gillian Lane Mercier o Suzanne Morton Desautels Faculty of Management o Michelle Forsythe Information Security o Dennis Hayson Wong IT Customer Services o Gary Wilkes Faculty of Medicine o Boyko Kouchev Network and Communications Services o Gary Bernstein o Ronald Pau o Debra Simpson Procurement Services o Youssef Azad o Kathy Zendehbad Reboot McGill o Joshua Kyle Office of Sustainability o Dennis Fortune o Kathleen Ng University Services o Christian Bouchard Page15