Almost every corporate enterprise is concerned about risk. In business terms, risk refers to the uncertain factors that can negatively affect a business’s objectives and its bottom line. The task of identifying these factors and accounting for them – minimizing the likelihood of their occurrence – is risk management. Identifying and planning for risk can span many of an organization’s departments. For IT, it involves ensuring that a company’s IT systems and processes are aligned with its overall risk management policies.
If you’re involved with identifying and planning for risk at your organization, one source you can’t overlook is the process through which your organization disposes of its retired IT equipment. IT asset disposition (ITAD) involves removing pieces of surplus IT equipment from your company’s facilities and sending them to be recycled, or, if they have value, resold. As you align your IT policies with your company’s risk management strategy, consider the entire lifecycle of your equipment. Your IT asset disposition process can be a hidden source of risk because it presents opportunities for:
- Data breach
- Non-compliance with industry regulations
- Environmental violation
ITAD, risk management, and data security policy
Data security is one area that risk management policy makers are especially zeroing in on. The average cost of a data breach continues to skyrocket. When you factor in fines, legal fees, the cost of bad publicity and loss of customer confidence, and a possible drop in stock price, any given data breach incident can cost an organization thousands and often millions of dollars to resolve. Any point at which a company risks leaking data into the outside world is a serious exposure. Most troubling of all, it takes only one drive getting through the disposition process with data still on it to trigger a serious data breach. You must be certain that the data stored on the drives of your retired IT assets is properly destroyed, and that you can document that fact.
Risk of non-compliance through ITAD
Many organizations are planning for risk now as part of their corporate governance, risk management, and compliance (GRC) strategies. The ITAD implications for the compliance component of GRC are closely linked to data security. Depending on its industry, an organization is required to comply with any number of regulatory standards from an alphabet soup that includes HIPAA/HITECH, PCI, SOX, FACTA, and GLB. Generally, these standards place a high value on data security and come down hard on organizations that let sensitive data leak. If your organization has regulatory obligations, does it have an airtight data sanitization procedure backed up by auditable records? If not, your organization is at risk of a negative audit (and a possible fine) even without a breach.
Environmental risk from ITAD
There is potential ITAD risk associated with a company’s environmental priorities as well: the risk of having to pay fines and legal fees, the risk of company resources being diverted to avoidable remediation efforts, and the risk of negative publicity. To minimize the risk of any of these in IT asset disposition, your company must recycle the assets it can’t resell according to all local, state, and federal regulations, and it must be able to produce evidence that it has diverted every possible bit of material from landfills back into the supply chain. And if you sell the used assets, you must be sure that the buyer will properly dispose of any that don’t work or can’t be sold. You are still liable after the equipment leaves your dock.
An ITAD risk management plan
Once you have identified the risks your IT asset disposition program might be creating, how can you respond to them? Our “Guide to Minimizing the Risk of IT Asset Disposition” is for anyone involved with risk management at their enterprise. It proposes several strategies for minimizing the risk of data breach, non-compliance, and environmental violation through ITAD, and discusses the benefits of integrating those best practices into an enterprise-wide IT asset disposition program.