Unsecured data can be a major source of risk for your organization. Because of the potentially astronomical costs that can be associated with even a single data breach (fines, legal fees, bad publicity, and loss of customer confidence), risk management and data security policy makers are looking closely at the ways their companies’ and their customers’ data might be exposed to the outside world. A data breach can occur in a number of ways (by a hacker attack or a misplaced laptop, for example), but one non-technical area risk planners should not overlook is the process through which their companies dispose of their retired IT assets. It only takes one drive getting through the disposition process with data still on it to cause a serious data breach. The data stored on the drives of your company’s retired IT assets must be eradicated before the drives leave its control.
Certification: The key to a data-secure ITAD process
For some risk-conscious organizations, the only way to ensure absolute data security is to physically destroy the drives from every piece of retired IT equipment. However, on the resale market, intact systems always sell for more than systems lacking components – including hard drives. In fact, IT assets without hard drives can lose up to 30 percent of their remarket value. Companies that also aim to reduce costs and maximize the value of their IT assets should consider their options for data sanitization. All the major standards organizations in the U.S. and Europe accept properly executed data erasure as meeting their standards.
How can you be sure your IT asset disposition (ITAD) vendor follows the latest best practices for data sanitization and can be counted on to effectively remove sensitive data from the storage media of your IT equipment every time? Partner with a vendor that has been certified for data sanitization by a highly regarded third-party industry organization. In the realm of data destruction, one of the most reliable certifications to look for is from the National Association for Information Destruction (NAID). NAID provides the only third-party certification that focuses exclusively on information security, and it performs both a scheduled and a surprise audit each year on the organizations it certifies. NAID AAA certification is viewed as an industry-leading certification for data sanitization. If you use an NAID AAA-certified IT asset disposition vendor, you can be sure that it meets the highest standards for data security and its entire disposition process has been documented.
Onsite data destruction and asset tracking for lower ITAD risk
NAID certifies its members for plant-based data sanitization, customer-site data sanitization, or both. For many organizations, onsite data sanitization is the least risky option, because it ensures sensitive data will never leave your facility. Some ITAD providers can accommodate the need for onsite data sanitization with a mobile wiping system. A vendor certified by NAID for onsite data sanitization can bring a trained staff to your facility and perform data sanitization to the same level as can be accomplished offsite. Similarly, an ITAD provider should be able to physically destroy drives onsite, in situations where that’s a more appropriate method. If onsite data destruction isn’t a requirement, be sure to protect your organization from risk with tight chain-of-custody tracking. If your data-bearing assets must leave your facilities, it’s essential to know where they are at all times, up until the disposition process has been completed.
What do you need to know about ITAD to manage risk?
A poorly planned IT asset disposition (ITAD) process can put your organization at risk for a data breach and its associated costs. It can also be a source of risk in the areas of environmental and regulatory compliance. IT risk managers need to think about how they can bring their company’s ITAD program in line with its overall risk management and data security policies. Our “Guide to Minimizing the Risk of IT Asset Disposition” can help you get started, with several strategies for avoiding risk from IT asset disposition.