Ten tips for IT asset disposal
IT asset disposal is an integral part of a company's operations, but are organisations disposing of their IT assets safely?
IT asset disposal (ITAD) is an indispensable part of a company's day-to-day operations, but do organisations actually dispose of their IT assets properly, especially in light of the severe risks involved?
This is a question posed by Kayode Adesemow, an information assurance consultant, chartered engineer and project manager, speaking at ITWeb's Security Summit this week. Adesemow says it is well known that intruders, like flowing water, find the weakest opening, so an organisation's security is only as strong as the weakest link in the chain.
"As strong as an organisation's information security and internal controls are, it takes just the non-effectiveness or non-existence of a control for a vulnerability to be exploited and a breach to occur."
However, says Adesemow, effective and safe ITAD is not rocket science - "it is just a case of going back to basics".
To avoid things "going horribly wrong", Adesemow proposes the following 10 basics:
1. Plan for disposal at the time of acquisition. Organisations should ensure the supplier has clear processes for disposing of the assets it supplies, and that the organisation itself has a clearly formulated and communicated IT asset policy and procedure.
2. Invest in the continuous monitoring of IT equipment.
3. Put in place an ITAD process spanning the business unit, ICT (in particular the service desk) and asset management.
4. Ensure the IT asset lifecycle is integrated with an information asset register, configuration item and the organisation's supply chain management system.
5. Only close service desk tickets after an information reputation assessment has been carried out.
6. Think about information reputation at disposal. The organisation must ensure that, as part of its ITAD process, alignment with green IT and ISO 14000 is clearly thought through.
7. Apply a need-to-know approach when assets move. When an IT asset is moved from one user or function to another, the information on it must be assessed and wiped, either down to what the next user genuinely needs or completely.
8. Carry out a residual information assessment to confirm that the organisation's data has actually been removed. Ask: "Has the organisation's information been wiped using an acceptable method for secure data erasure?" Data cleansing must take care of administrative, legal and social responsibilities from start to finish.
9. Have clear-cut processes in place when retiring or redeploying IT assets. Leverage investment in existing standards, regulation and best practices such as ISO 14000, ISO 27001, ITIL/ISO 20000, COSO, enterprise risk management and asset management.
10. Engage independent consultants to review and assess the organisation's ITAD process. A primary objective of such an engagement should be to limit the reputational loss to which the organisation could be exposed.
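Points 7 and 8 both come down to one verifiable question: after the wipe, is there anything left on the medium? The Python script below is an added example, not code from the article or from Adesemow, of the read-back check a residual information assessment can record. It scans a disk image (or, run as root, a block device such as a path to the raw drive) and reports the first byte that does not match the wipe pattern, together with a digest of what was read back for the erasure record. It also shows why a quick spot check is not enough: the constructed sample images, file names and the "CONFIDENTIAL payroll export" leftover are assumptions made for the demonstration, and the leftover is placed where evenly spaced sampling misses it but a full scan does not.

```python
"""Read-back verification of a wiped disk image (added example, not the article's own)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

ZERO = 0x00  # fill byte a zero-wipe should have left behind


@dataclass
class WipeReport:
    size: int                              # bytes scanned end to end
    first_residual_offset: Optional[int]   # None when every byte equals the fill
    image_sha256: str                      # digest of what was actually read back

    @property
    def passed(self) -> bool:
        return self.first_residual_offset is None


def verify_wiped(path: str, fill: int = ZERO, block_size: int = 1 << 20) -> WipeReport:
    """Full sequential read of `path`; every byte must equal `fill`."""
    expected = bytes([fill]) * block_size
    digest = hashlib.sha256()
    offset = 0
    first_bad: Optional[int] = None
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block_size)
            if not chunk:
                break
            digest.update(chunk)
            if first_bad is None and chunk != expected[: len(chunk)]:
                # Pin down the exact residual byte so the erasure record can cite it.
                first_bad = offset + next(i for i, b in enumerate(chunk) if b != fill)
            offset += len(chunk)
    return WipeReport(offset, first_bad, digest.hexdigest())


def spot_check(path: str, samples: int = 16, window: int = 4096, fill: int = ZERO) -> Optional[int]:
    """Read `samples` evenly spaced windows only.
    Fast, but it proves nothing about the bytes between the windows."""
    size = os.path.getsize(path)
    step = max(size // samples, 1)
    with open(path, "rb") as f:
        for start in range(0, size, step):
            f.seek(start)
            data = f.read(window)
            for i, b in enumerate(data):
                if b != fill:
                    return start + i
    return None


def zero_digest(size: int) -> str:
    """Digest a fully zeroed image of `size` bytes should read back as."""
    return hashlib.sha256(b"\x00" * size).hexdigest()


def build_sample_image(path: str, size: int, residual: bytes = b"", at: int = 0) -> None:
    """Constructed sample: an all-zero image, optionally with leftover bytes at `at`."""
    with open(path, "wb") as f:
        f.write(b"\x00" * size)
        if residual:
            f.seek(at)
            f.write(residual)


def demo() -> dict:
    """Run both checks over a clean image and one that a partial wipe left data in."""
    size = 4 * 1024 * 1024
    leftover_at = 3 * 1024 * 1024 + 5000   # assumed position: between two spot-check windows
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.img")
        partial = os.path.join(d, "partial.img")
        build_sample_image(clean, size)
        build_sample_image(partial, size, b"CONFIDENTIAL payroll export", leftover_at)
        return {
            "clean_full": verify_wiped(clean),
            "clean_spot": spot_check(clean),
            "partial_full": verify_wiped(partial),
            "partial_spot": spot_check(partial),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The full scan flags the partial image at the exact offset while the spot check passes it, which is the point: a residual information assessment that samples can certify a drive that still holds data. Two caveats for a real engagement: a host-side read cannot see sectors hidden by an ATA host protected area or device configuration overlay, nor an SSD's over-provisioned blocks, so a clean read-back is necessary but not sufficient on its own, and the digest only attests to what this run read, so store it with the asset tag and the date in the asset register rather than in the ticket alone.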