Effective IT Asset Decommissioning Policy and Procedures

Data Security ImageWith the increased frequency of reported data breaches, it’s becoming more and more necessary for companies to implement effective and reliable decommissioning policies and procedures in order to protect the data stored on retired IT equipment from falling into the wrong hands, or a data breach. Here are tips on what you need to think about as you develop an IT asset decommissioning policy for your company.

Involve All Company Departments

When developing a properly drafted asset decommissioning policy, the interests of legal, finance and human resources may be as significant as those of IT, security and asset management — regardless of who is responsible for the day-to-day application of the decommissioning process. Ensuring that all parties’ interests are included at the beginning stages of policy creation is critical to the adequate protection of confidential information.

Conduct an Assessment of Your IT Equipment

You can do this on your own or with an IT lifecycle management company. With this assessment, you will learn where you are exposed and how to close the gaps.

Inventory Incoming Equipment

By keeping track of assets from the beginning of their lifecycle and using a database that references an industry standard nomenclature and adheres to that standard, you can prevent losses from occurring down the road.

This can save countless hours if reconciliation is required in the future and provide evidence of having performed due diligence if a breach occurs.

 

What is the difference between decommissioning and disposal?

Decommissioning is when a server or other piece of equipment is taken out of active use and removed from the network securely. From there, the equipment is usually sanitized and repurposed or it may be sent for disposal. Disposal is what happens after a piece of network equipment, e.g. a server, is decommissioned and no longer of use. Disposal entails thorough data destruction followed by disassembly and recycling of the rest.

Isolate Decommissioned Assets

When decommissioning assets, best practices include placing them in a quarantined room with restricted and monitored access.

Audit Any Third-Party Disposition Provider

If you are not destroying sensitive information on site, a full audit of your disposition provider is highly recommended. You want to ensure that they have the proper qualifications and processes in place to protect your company’s sensitive information.

Don’t Forget the Date At Rest

If you are destroying sensitive information internally, many times data is hidden in components other than hard drives or sometimes the hard drives are difficult to find. For the highest levels of security, where sensitive information cannot leave the premises, the room should be equipped with all tools necessary to identify where data resides and destroy the data. This includes a searchable database that can be accessed by on-site personnel to locate and destroy sensitive information. Quality assurance programs must be in place regardless of where the data is destroyed to ensure the quality of the work performed.

Conduct Accurate Inventory

If sending decommissioned assets to an asset disposition provider, take the time to have an accurate inventory of what is leaving your building and reconcile that with the reports they produce. Do not provide the list of equipment to the asset disposition provider in advance. Have a process in place to address discrepancies.

Consult with an Attorney

You want to make sure that you consult with an attorney who is experienced in data security and technology law to position your company as best as you can so you are prepared if something goes wrong.

Double Check Your Cyber Insurance Coverage

Consult with an insurance provider who is experienced in cybersecurity to make sure you have adequate insurance to protect you and your company if you have to make a data breach claim.