Developing Effective IT Asset Decommissioning Policy and Procedures
With the increased frequency of reported data breaches, it’s becoming more and more necessary for companies to implement effective and reliable decommissioning policies and procedures in order to protect the data stored on retired IT equipment from falling into the wrong hands or being exposed in a data breach. Here are tips on what you need to think about as you develop an IT asset decommissioning policy for your company.
Involve All Company Departments — When developing a properly drafted asset decommissioning policy, the interests of legal, finance and human resources may be as significant as those of IT, security and asset management — regardless of who is responsible for the day-to-day application of the decommissioning process. Ensuring that all parties’ interests are included at the beginning stages of policy creation is critical to the adequate protection of confidential information.
Conduct an Assessment of Your IT Equipment – You can do this on your own or with an IT lifecycle management company. With this assessment, you will learn where you are exposed and how to close the gaps.
Inventory Incoming Equipment – By keeping track of assets from the beginning of their lifecycle and using a database that references an industry standard nomenclature and adheres to that standard, you can prevent losses from occurring down the road. This can save countless hours if reconciliation is required in the future and provide evidence of having performed due diligence if a breach occurs.
Isolate Decommissioned Assets — When decommissioning assets, best practices include placing them in a quarantined room with restricted and monitored access.
Audit Any Third-Party Disposition Provider — If you are not destroying sensitive information on site, a full audit of your disposition provider is highly recommended. You want to ensure that they have the proper qualifications and processes in place to protect your company’s sensitive information.
Don’t Forget the Embedded Media — If you are destroying sensitive information internally, keep in mind that data is often hidden in components other than hard drives, and sometimes the hard drives themselves are difficult to find. For the highest levels of security, where sensitive information cannot leave the premises, the room should be equipped with all tools necessary to identify where data resides and destroy the data. This includes a searchable database that can be accessed by on-site personnel to locate and destroy sensitive information. Quality assurance programs must be in place regardless of where the data is destroyed to ensure the quality of the work performed.
Conduct Accurate Inventory — If sending decommissioned assets to an asset disposition provider, take the time to have an accurate inventory of what is leaving your building and reconcile that with the reports they produce. Do not provide the list of equipment to the asset disposition provider in advance. Have a process in place to address discrepancies.
Consult with an Attorney – You want to make sure that you consult with an attorney who is experienced in data security and technology law to position your company as best as you can so you are prepared if something goes wrong.
Double Check Your Cyber Insurance Coverage — Consult with an insurance provider who is experienced in cyber security to make sure you have adequate insurance to protect you and your company if you have to make a data breach claim.
If you have any questions as you’re developing your IT asset decommissioning policies and procedures, please feel free to contact us.