
Building an ITAD Program: What Your Company Needs To Know

By: Integrated Communications & Technologies

Contents

- Introduction
- Understanding The Concepts of IT Asset Disposition
- Evaluating by Asking Questions
- Choosing an ITAD Provider
- Conclusion
- About The Author

Introduction

Electronic waste (e-waste) is a problem for every company, big or small, as IT equipment often breaks, becomes outdated or obsolete, or is simply no longer needed. This old equipment has to go somewhere, and laws and common sense dictate that it should not simply be thrown in the trash. Electronics that end up in a landfill can be very harmful to the environment and human health by leaching toxins, heavy metals, and other dangerous substances into the air, ground, and water supply. Additionally, improperly discarded electronics run a high risk of a data breach if they aren't properly wiped before being re-used or thrown out.

Because of this, the disposal of e-waste is regulated by a number of different laws. Unfortunately, it's not always easy to keep up with these regulations. No matter what industry your company is in, you need to have a policy for dealing with old electronics responsibly: an IT asset disposition program.

There are many benefits to having clear, concrete, and effective policies and plans for disposing of old technology, including:

- Avoiding fines and cleanup fees from improper e-waste disposal
- Compliance with state and federal laws
- Reducing the need for harvesting new materials to make electronics
- Contributing to the preservation of the environment
- Helping to improve global human health
- Improving company image
- Avoiding a data breach
- Recovering value from used but working equipment (IT Asset Recovery)
- Salvaging value from precious metals in electronics

So how do you set up a program for responsibly handling your company's e-waste? It's a multistep process that begins with understanding the concepts surrounding e-waste disposal.

Understanding the Concepts of IT Asset Disposition

If you are trying to create a program for disposing of unwanted equipment, you will need to know the basic concepts behind the process. Let's define some of the core concepts of IT asset disposition to help you plan your approach more effectively.

What is ITAD?

IT asset disposition (ITAD) is a phrase that may seem complicated, but in reality, ITAD just describes a process: the process of disposing of unwanted, broken, or obsolete equipment safely and securely, in an eco-friendly way that minimizes costs and losses and protects confidential data. Effective IT asset disposition varies for each individual company, and may include reselling or repurposing equipment, equipment donation, data destruction, and recycling. Many organizations also need solutions for packing up, removing, and transporting the equipment during this process.

What is the Chain of Custody?

Your company's electronics contain sensitive data, and while the amount of data may vary depending on your industry, you do not want any of this information getting into the hands of hackers and data thieves. This is why a secure chain of custody is important for ensuring data is tracked and destroyed properly. Chain of custody is the documentation ("paper trail") showing who was in charge of the equipment at each stage of the process, ensuring accountability and proper disposition of the data and equipment. It is especially important during the transport process, which is when data is typically most vulnerable. Depending on the security needs of the data to be disposed of, secure transport may simply mean documentation and transport in sealed packaging, or anything up to an armored vehicle and even a bonded driver.

How Does Data Security Relate to Retired IT Equipment?

Whether it's proprietary company data, client financial information, or personal data, every company has sensitive information to protect, information that is often located on office IT equipment. When preparing to retire this equipment, how do you keep that information safe? Simply deleting the files is not enough: doing so only deletes the reference the computer uses to find the file, not the file itself. Anyone who knows what they're looking for can access the data, and a mere 1 gigabyte of data can contain a staggering amount of information, whether it's located on a server, computer, USB drive, CD, or even a printer.

Most companies do not have the resources or knowledge to dispose of secure data effectively and in compliance with data security regulations, and must utilize the services of a responsible, certified IT recycling service to provide data destruction. Effective methods include nondestructive (software-based) wiping, which keeps the equipment in usable condition for resale, or destructive (physical, using electromagnetic fields or shredding) methods, which are used for equipment that will be recycled. This ensures that no unauthorized persons will have access to your sensitive data.

What is Reverse Logistics?

Once again, we come across a term that sounds more technical than it actually is. Reverse logistics refers to the supply chain in reverse: taking a product from its final destination of use, such as in an office, and taking it at least one step back in the supply chain process. This might mean:

- De-installation, packaging, and removal of equipment at an office, retail center, or school
- Transporting the equipment for refurbishment or recycling
- Destroying sensitive data
- Resale or donation of the equipment when possible
- Recycling broken and extremely outdated equipment and salvaging the components

Reverse logistics essentially breaks down the ITAD process into a series of steps, steps that may vary depending on the needs of the business that is disposing of the equipment. Reverse logistics helps companies by reducing the costs associated with asset disposition and ensuring equipment is disposed of in a responsible, compliant way.

What Certifications and Standards Exist?

Technology moves into obsolescence at such a breakneck pace these days that regulations have had to quickly adapt to keep up with the growing e-waste problem worldwide. In the United States, the EPA (Environmental Protection Agency) and other organizations enforce strict guidelines and best practices for recycling e-waste and minimizing environmental impact, imposing stiff fines on businesses that do not dispose of old equipment properly.

Data security is also subject to regulation, particularly in certain industries, which helps protect personal privacy. NIST 800.88 is the set of National Institute of Standards and Technology guidelines spelling out everything from the proper handling of secure data to safe disposal methods. The Health Insurance Portability and Accountability Act (HIPAA) is an industry-specific agreement that protects the privacy of patients' data, and it's important for companies to be aware of any regulations like these that could affect the ITAD process.

New regulations are emerging all the time, as the consequences of improper e-waste disposal become more apparent and continue to negatively affect global communities and the environment. Laws surrounding the export of e-waste, best practices for recycling, and data security are constantly evolving, and it can be difficult to keep up with the current regulations without the help of an expert recycler.

Evaluating by Asking Questions

Now that you know the basics of IT asset disposition, it's time to start putting that knowledge to use in planning your company's strategy for retiring electronic equipment. Your first step is to evaluate your current processes, needs, and resources to help you develop a cost-efficient and compliant plan. Here are some questions to ask yourself:

1) Your Current Process
   a. What happens to old IT equipment once it's no longer needed?
   b. Is there any type of written policy currently in place for IT asset disposition?
   c. What is the company budget for asset disposition?
   e. What are the requirements for equipment to be retired and sold/recycled?

2) Your Equipment
   a. What type of equipment needs to be disposed of?
   b. How often is equipment replaced?
   c. How old is the equipment?
   d. Where is retired equipment stored?
   e. What condition is retired equipment in?

3) Scope
   a. How many locations/offices need to dispose of old equipment?
   b. Will international recycling be necessary?
   c. What is the volume of the retired equipment?
   d. How often will asset disposal be necessary?

4) Compliance
   a. What is the current process to destroy data on retired equipment?
   b. Which departments play a role in disposing of IT equipment?
   c. What are the current policies (if any) on data destruction?
   d. Are there any environmental goals within the company?
   e. Are there any specific standards in the industry (i.e. healthcare)?

Once you and your team have explored these questions and come up with some answers, it's time to organize those answers into a document that can be refined, improved, and worked into your new ITAD program. For a more in-depth analysis of your company's current policies, request our 48 question survey that will help you refine your goals further.

Formulating a Plan

Once you've decided what your needs and goals are based on the answers you compile, it's time to determine how you are going to execute that plan. Most companies do not have the staff, time, expertise, or equipment to handle the process themselves, so finding a reputable IT asset disposition provider is typically the next step in the process.

Choosing an ITAD Provider

So why should you work with a certified ITAD provider? Simple. They know the industry best practices and regulations, and handle retired equipment on a daily basis. It is often more efficient and cost-effective to hire an expert than to take your employees away from their work to figure out the components of responsible IT asset disposition. In addition, a knowledgeable IT provider will know when it is a good idea to try to resell or repurpose equipment and when to simply recycle it. Peace of mind is one of the top benefits of working with a responsible IT recycler.

But how do you choose a company to work with? To avoid hiring an irresponsible, non-compliant, or simply inexperienced company to partner with, consider these factors:

1) Certifications

You may be surprised to learn that there are no laws that require electronics recyclers to be certified. The EPA does encourage certification, but working with an uncertified recycler is common and dangerous. There are two major certification types recyclers can seek in the United States: R2 (Responsible Recycling) and e-Stewards. You should only consider working with an ITAD provider who maintains one of these certificates, as they denote compliance with regulations related to environmental and recycling practices, data security, and even worker safety.

2) Data Security

Data breaches are common these days, and you don't want your company to be the next cautionary tale. Responsible ITAD providers are diligent about documenting the chain of custody for data every step of the way, providing secure transport, and using appropriate methods for destroying the data permanently, in accordance with industry standards such as NIST 800.88, DOD 5220.22M(E) 3-Pass, and the DOD 5220.22-M(ECE) 7-pass.

3) Capabilities and Procedures

Obviously, a qualified IT recycling company will need to have the proper equipment and facilities to process equipment in a compliant, environmentally-friendly way. However, aside from the basics, you may need to consider some other factors as well. If your company will need not only domestic recycling services but international ones too, you will need to choose an ITAD provider who has the ability to arrange for overseas disposition. If you anticipate selling some of your unwanted equipment, you should ensure that these products will be stored safely until they can be sold and shipped.

4) Rates

Of course, cost is an issue when disposing of old computers, but you also need to take into account that choosing a cheap but uncertified IT recycler over a reputable company could end up costing a great deal more in fines and damage to reputation than the initial cost of the service. Think about value over overall costs, and go with a provider who will help you minimize your losses and protect you from violations. When evaluating costs of ITAD providers, take into account how they charge: is it per pound? Per piece? Per pallet? The pricing structure that will be most economical for your company's needs will depend on the type and condition of your equipment.

5) Accountability

A quality ITAD provider will assume responsibility for your equipment, keeping documentation every step of the way and ensuring that both the data and hardware of your retired equipment go through a secure chain of custody on the way to their final destination. Responsible companies will assume liability for your e-waste, giving you peace of mind and the knowledge that your company's old IT equipment will not contribute to the growing crisis of e-waste in landfills.

Conclusion: Make Your Policies and Stick With Them

By now you've probably figured out that IT asset disposition shouldn't be an afterthought, but a priority. Just like trash and normal recycling, IT asset disposition is just another cost of doing business. However, it's a cost that supports your company and your community in preserving the planet and keeping confidential information safe, both of which your organization can be proud of. Because of this, it's important to make your policies concrete and stick with them. Make a document you'll refer to again and again, and form a partnership with an ITAD provider you can trust. You'll never again have to deal with a pile of old equipment sitting in storage.

About The Author

Susannah Bruck is a freelance writer and editor from the Seattle area, who has worked on diverse projects ranging from blogs to plays. A long term writer for ICT Asset Recovery, she's been diving into topics ranging from electronics recycling to sustainability and data destruction. She frequently writes non-fiction and marketing pieces behind the scenes as a ghostwriter, but is also a fiction writer, with a short story appearing in Jeopardy magazine. She is always excited to tackle new subjects and projects, and isn't afraid to dive into research when it's (nearly always) necessary. A recovering English major, she currently resides in Cambridge, MA.

For more than 20 years our team at ICT has mastered the industry's best practices in IT equipment disposal and asset recovery, in secure e-waste management and overstock solutions for corporations, government agencies and non-profit organizations worldwide. All practices are fully compliant with regulation and standards, providing our customers reliable, secure and transparent ITAD services.