Challenges of IT Asset Disposition

By Ann Hughes, Director of Sales and Marketing for MRK Group Ltd.

Anyone who has created a corporate IT Asset Management program, or is contemplating one, will tell you that building a successful program is challenging. This article explores some of the issues involved.

Who should be involved in this process? Who are the stakeholder groups, why do they matter, and do they have competing interests? Several are obvious. IT Asset Management owns the program, interfaces with all groups and conveys their requirements to Procurement. Procurement is often responsible for the RFP if the company decides to go that route. Environmental and Risk Management will want assurance that equipment is not exported to a developing country where environmental laws are lax, or processed domestically in some manner that creates an environmental problem.

Environmental regulations come into play with electronics. Electronics contain heavy metals such as cadmium, lead and mercury that are highly toxic. The environmental group in particular will want to ensure that the equipment is handled properly and does not go to a landfill. The last thing your company needs is bad press when it is discovered that your equipment is involved in an EPA cleanup operation.

Since data security is the biggest driver of IT Asset Disposition, Risk Management, Compliance and Security are major stakeholders. There are many regulations to consider, such as HIPAA, HITECH and PCI DSS. Data breaches are extremely expensive. According to the Ponemon Institute, the average cost of a data breach in the US is $217 per record and $6.53 million per incident. The largest component is lost business. Other losses include brand damage and the exposure of trade secrets, personnel records and financial information.

Risk assessments play a part in company decisions. Is data erasure before shipping to an ITAD vendor appropriate, or is encryption of the devices sufficient? Relying on encryption only works if the keys are destroyed (the cryptographic erase that NIST 800-88 recognizes) and the encryption was in place before data landed on the drive. Is onsite hard drive destruction mandatory? What is the chain of custody? How is equipment staged and stored before it goes to the ITAD vendor? What are the logistics of moving the equipment? The vendor can be a very useful partner and can serve as a secondary, independent verification of data erasure.

Additional stakeholders include Finance and Accounting. They require certain data that ITAM can provide when assets are properly tracked. Assets may come with a maintenance plan at the time of purchase, and companies want to stop paying maintenance fees on assets they no longer own. Assets no longer owned also need to be removed from the books to eliminate remaining tax liabilities.

Determining what to do with equipment is another challenge. Risk must be balanced against financial considerations. Allowing the ITAD vendor to resell equipment lowers costs and can yield sums large enough to pay for the entire asset disposition program with funds remaining. Extreme risk aversion leads to unnecessary costs. For example, is a 7-pass DoD-style erasure necessary, or is a single pass sufficient? Given the density of modern magnetic drives, a single verified overwrite pass is sufficient in most cases, and NIST 800-88 accepts a single pass for its Clear level. Overwriting is a poor fit for SSDs, however: wear leveling can leave copies of data in blocks the host cannot address, so for flash media use the drive's built-in sanitize or cryptographic erase commands, or physical destruction, and verify the result either way. Recycling-only programs cost more because commodity values remain low, so no revenue is generated to offset the cost of proper handling.

Selecting a vendor can be the biggest challenge of all. According to recent news articles, many electronics recycling and IT asset disposition companies have, in the past several years, gone bankrupt or been indicted for fraud, tax evasion, illegal storage and illegal export of equipment. These include firms that were R2 and e-Stewards certified; both are third-party-audited industry certifications for IT Asset Disposition firms that manage end-of-life computers and other electronic equipment. Both programs issue revisions to strengthen their standards and close the loopholes that let such bad actors through.

It is important to look at firms that adhere to Best Practices of the ITAD industry. These are companies dedicated to removing data and environmental risks inherent in final disposition of end of life equipment.

Let’s take a look at what Best Practices means. These are vendors that protect all data entrusted to them and avoid any data breach. They handle not only the hard drives in your typical PC, laptop or server but also the hard drives in copiers. Their data erasure processes comply with NIST 800-88 and Department of Defense requirements. Such firms have the capacity to erase multiple drives at a time and a defined process for drives that fail erasure, such as shredding with serial number capture. They remove asset tags and any company-identifying marks before reselling assets. The vendor can provide fair market value (FMV) for equipment. Their Certificate of Destruction ties directly, by serial number, to the equipment processed.
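The secondary verification of erasure mentioned above, and the single-pass question from the cost discussion, come down to one check: read the medium back and confirm every block holds the overwrite pattern. Here is that check as an added example; it is not code from the article or from any vendor. It verifies a post-wipe image block by block (or by pseudorandom sample, as NIST 800-88 permits), reports any residual byte ranges, and produces a per-serial record a Certificate of Destruction can reference. The drive images, serial numbers and the sample fraction used in the usage note are constructed assumptions.

```python
"""Added example: verifying a single-pass overwrite and recording the result per
serial number. All media contents and serials below are constructed."""
import hashlib
import random
from dataclasses import dataclass, field

BLOCK = 512  # logical sector size used to address the image


@dataclass
class VerifyResult:
    serial: str
    total_blocks: int
    checked_blocks: int
    bad_blocks: list = field(default_factory=list)  # indices not matching the pattern
    image_sha256: str = ""  # digest of the exact bytes read back, for the record

    @property
    def passed(self) -> bool:
        return not self.bad_blocks


def choose_blocks(total: int, fraction: float, seed: int) -> list:
    """Pick block indices to read: everything, or a pseudorandom representative
    sample (NIST 800-88 allows either; the fraction is a policy choice here).
    The first and last blocks are always included: partition tables and drive
    reserved areas live there and a wipe that stopped early shows up first."""
    if fraction >= 1.0:
        return list(range(total))
    rng = random.Random(seed)
    want = max(2, int(total * fraction))
    chosen = set(rng.sample(range(total), min(want, total)))
    chosen.update({0, total - 1})
    return sorted(chosen)


def verify_overwrite(serial: str, image: bytes, pattern: bytes = b"\x00",
                     fraction: float = 1.0, seed: int = 0) -> VerifyResult:
    """Confirm every selected block of the read-back image is all `pattern`."""
    if len(image) % BLOCK:
        raise ValueError("image length must be a multiple of the block size")
    total = len(image) // BLOCK
    expected = (pattern * (BLOCK // len(pattern) + 1))[:BLOCK]
    result = VerifyResult(serial=serial, total_blocks=total, checked_blocks=0,
                          image_sha256=hashlib.sha256(image).hexdigest())
    for idx in choose_blocks(total, fraction, seed):
        off = idx * BLOCK
        result.checked_blocks += 1
        if image[off:off + BLOCK] != expected:
            result.bad_blocks.append(idx)
    return result


def residual_ranges(result: VerifyResult) -> list:
    """Coalesce failing block indices into (start, end) byte ranges for the report."""
    ranges = []
    for idx in result.bad_blocks:
        start, end = idx * BLOCK, (idx + 1) * BLOCK
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))
    return ranges


def build_images():
    """Constructed sample media: one clean wipe and one where (assumed) a wipe
    tool stopped early, leaving four sectors of old file data at sector 100."""
    clean = b"\x00" * (128 * BLOCK)
    leftover = (b"Q2_payroll.xlsx  jane.doe@example.com " * 60)[:4 * BLOCK]
    dirty = clean[:100 * BLOCK] + leftover + clean[104 * BLOCK:]
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = build_images()
    # Hypothetical serial numbers, as captured from the drive labels.
    for serial, img in (("SN-0001", clean), ("SN-0002", dirty)):
        r = verify_overwrite(serial, img)
        verdict = "PASS" if r.passed else f"FAIL, residual at {residual_ranges(r)}"
        print(f"{serial}: read {r.checked_blocks}/{r.total_blocks} blocks, {verdict}, "
              f"sha256={r.image_sha256[:16]}...")
```

Run as-is it performs a full read-back and reports the un-erased stripe on the second image. Passing `fraction=0.1` samples about a tenth of the blocks instead, which is cheaper but, as this input shows, can miss a small residual region entirely; a sampled pass is a spot check on the vendor's process, not a substitute for the full verification the vendor should be doing.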

When evaluating firms, look for one that is transparent and freely shares information. If a vendor is not forthcoming with answers to your questions, it may not be the best choice. Look for some give and take so that the relationship is mutually beneficial; this goes a long way when special projects or pricing are needed outside the scope of a standard contract.

Due diligence is a necessity. Ask the basic questions: Who owns the company? How long has it been in business? Has it been acquired? What is the management turnover? These bear on the service you will receive; less turnover and disruption mean more continuity of service. Take a look at the facility. Is work performed in multiple buildings at the site? Are there multiple sites across the country? What physical security is present? Look for 24/7 surveillance and restricted access.

It is important to also know what types of materials are being handled. Are there hazardous materials in the building, and are the proper permits in place? Who are the downstream vendors? All R2 and e-Stewards certified companies will have evaluated their downstream vendors and know how those various materials are handled.

Other questions cover the types of services offered, such as inventorying, data destruction, recycling, remarketing, redeployment, donations, end-of-lease services and logistics. What are the vendor's data security policies? What training do employees receive on the equipment, tools and processes they use? There should be a written EH&S plan compliant with OSHA regulations.

The ideal way to perform due diligence is to personally visit the vendor. Be prepared with questions and perform an onsite audit.

Success comes with preparation. When various stakeholders are involved, due diligence is performed and open dialogue is maintained, the chances of succeeding greatly increase.

This article originally appeared in ITAK.

DestructData Adds Model 1001 Shredder To SSD Solutions

Destroys SSD media via patent pending destruction shafts with pyramid elements

Consistent with our commitment to source and deliver the widest range of media sanitization and destruction solutions, DestructData is rolling out the SSD Model 1001 Shredder. The unit is equipped with innovative (patent pending) hardened pyramidal drive shaft components designed to destroy a wide variety of solid state media, including SSDs, tablet boards, cell phones, smart phones, thumb drives, micro SD cards, SD cards and more.

Model 1001 produces end waste that meets DIN 66399 security level E-3 when destroying complete SSD devices, including phones and tablets with boards, and level E-4 when destroying only the SSD board.

This new SSD solution is a compact, self-contained system with all components housed in a custom cabinet for maximum sound, odor and dust control. The shredder also includes a bin-full/door-open indicator with auto-stop and an energy-saving mode.


Rethinking the Vulnerabilities of a Data Wiping Process

“After holding season tickets to this same show for over a decade (darn good seats, by the way), the most obvious question to me has become, ‘Does any of this impact the elements of a data wiping operation that are reasonably likely to cause a data breach?’ I’m writing this because I know that the answer is a pronounced ‘NOPE!’”

DestructData VP Technology & Sales Michael Cheslock analyzes the flawed data wiping assumptions that add cost and may actually cause data breaches.


CPR Tools Analysis Reveals Resale Channels As Source for Unwiped PII

According to the latest research from CPR Tools, 40% of hard drives, mobile devices and tablets sold on the re-use market contain personally identifiable information (PII). The Fort Myers, FL-based data recovery and security firm used downloadable shareware to recover PII from 250 randomly selected storage devices. The company used unsophisticated methods to recover the data and notes that no forensic training was required to access the information.

In the course of the analysis CPR-Tools recovered credit card information, contact information, usernames and passwords, company and personal data, tax details, and more.

About 13% of the mobile phones yielded recoverable data, while tablets topped the list at 50%. PII was also found on 44% of the hard drives. The devices in the study were “working” units that had previously been used in both commercial and personal environments.

“As data storage is included in nearly every aspect of technology today, so is the likelihood of unauthorized or unintended access to that data. Auction, resell, and recycling sites have created a convenient revenue stream in used devices; however, the real value is in the data that the public unintentionally leaves behind,” said John Benkert, CEO at CPR Tools.
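The study above recovered card numbers, contact details and credentials with off-the-shelf tools. The following is an added example of the kind of first-pass sweep a buyer or ITAD vendor can run over a raw image of a device before it is resold; it is not CPR Tools' code or method, and the image contents (a deleted spreadsheet fragment and a mail header left in unallocated space) are constructed. It carves candidate card numbers, keeps only those that pass the Luhn check and are not filler digits, carves email addresses, and reports every hit masked so the report itself does not become a second copy of the PII.

```python
"""Added example: residual-PII sweep over a raw device image. Constructed sample
data; this is not the method or code of any firm named on this page."""
import re
from dataclasses import dataclass

# Card-number candidates: 13-19 digits with optional single space/dash between
# digits, not embedded inside a longer digit run.
PAN_RE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Finding:
    kind: str     # "pan" or "email"
    offset: int   # byte offset in the image
    masked: str   # redacted value; the report must not leak what it found


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the BIN and last four, as card brands allow in receipts and logs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_email(addr: str) -> str:
    local, _, domain = addr.partition("@")
    return local[:1] + "***@" + domain


def scan_image(image: bytes) -> list:
    """Return masked, offset-sorted findings for a raw image (bytes)."""
    findings = []
    for m in PAN_RE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if not 13 <= len(digits) <= 19:
            continue
        if len(set(digits)) == 1:  # 0000...0 passes Luhn but is filler, not a PAN
            continue
        if luhn_ok(digits):
            findings.append(Finding("pan", m.start(), mask_pan(digits)))
    for m in EMAIL_RE.finditer(image):
        findings.append(Finding("email", m.start(), mask_email(m.group().decode())))
    return sorted(findings, key=lambda f: f.offset)


def build_image() -> bytes:
    """Constructed 'working drive' content: a deleted CSV fragment and a mail
    header surviving in unallocated space, surrounded by zero fill. The card
    numbers are the well-known Visa and Mastercard test numbers."""
    fragment = (
        b"Customer,Card,Exp\r\n"
        b"A. Smith,4111 1111 1111 1111,12/27\r\n"   # Luhn-valid: reported
        b"B. Jones,1234567890123456,01/28\r\n"      # fails Luhn: ignored
        b"Ticket 0000000000000000\r\n"              # passes Luhn, filler: ignored
        b"From: jane.doe@example.com\r\n"
        b"Alt card 5500 0000 0000 0004\r\n"         # Luhn-valid: reported
    )
    return b"\x00" * 4096 + fragment + b"\x00" * 4096


if __name__ == "__main__":
    for f in scan_image(build_image()):
        print(f"{f.kind:5s} @ 0x{f.offset:08x}  {f.masked}")
```

Two limits matter in practice: this scans only 8-bit text, so UTF-16 content (common in Windows document and registry data) and compressed or fragmented files need a real carving tool, and a Luhn hit is a candidate, not proof, since some non-card identifiers also check out. It is enough, though, to show that "working" devices leaving a site unwiped are trivially readable, which is the point of the study.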

CPR Tools is a key technology partner for DestructData and the developer of the Validator drive erasure verification tool.

Summary of e-Stewards V3.0 Standard

To incorporate the new global ISO 14001 standard for environmental management systems, fold in past amendments and add improvements, the third formal revision of the e-Stewards Standard, V3.0, has been created and is now published.

The most significant change from V2.0 is the restructuring of requirements to fully reflect the new ISO structure. This makes the standard easier to use for e-Stewards recyclers/refurbishers and certification bodies alike: the e-Stewards requirements are embedded in the appropriate sections of the new 14001 standard, bringing greater clarity for recyclers and auditors.

The following are some highlights of changes in V3 compared to V2 (including Sanctioned Interpretations), each followed by the section number where the new language can be found in the V3 document.

V3 Changes Highlighted:

• Verbatim incorporation of the ISO 14001:2015 standard and requirements, removing ISO 14001:2004 language, with resulting changes to the management system (a redlined comparison of the two 14001 standards is available from ANSI’s web store) [throughout standard];

• New structure of e-Stewards Standard fully adopts new ISO structure, including section titles [throughout standard];

• All footnotes have been removed. Guidance footnotes will be placed in guidance document, while requirements have been added into the body of the standard. This provides greater readability and clarity. [throughout standard]

• Incorporation of sanctioned interpretations (V2.0 amendments) to date [throughout standard];

• Modification of requirement for top management to assign responsibility and authority for:
  o Evaluating adequacy and achievement of the organization’s objectives [5.3 e) 2]; and
  o Evaluating performance of managers in ensuring the effectiveness and continual improvement of the environmental, health & safety management system (EHSMS) in their areas of responsibility [5.3 c];

• Modification of Requirement to create and document a schedule for evaluating compliance obligations [6.1.3 e];

• New requirement to apply export restrictions to Problematic Components & Materials (PCMs) wherever there are legal prohibitions on transboundary movement of Hazardous e-Waste (HEWs) [, f)];

• Modification of Requirement to create a Plan for Responsible Downstream Management of HEWs and PCMs [6.2.4];

• Modification of Requirement to establish & maintain a written Plan for Emergency Preparedness & Response [8.2];

• In new 14001 section for internal communication, list of specific types of internal communication required, resulting in a better functioning EHSMS [7.4.2];

• Addition of asbestos-containing electronic equipment to list of items not generally allowed to be shredded [8.4.1, Table 4, Row 1];

• Removal of requirement to take back exported Hazardous Electronic Equipment if misrepresented or damaged during shipping [no longer in reuse section, which is now 8.6];

• Modified requirements if seeking to send Hazardous Electronic Equipment (HEE) into new products or processes, in order to prevent toxics from being put back into commerce under the guise of ‘recycling’ [8.7.2];

• Clarified language to assist in operational controls needed for export, transit, and import of HEWs and PCMs throughout Recycling Chain [8.8];

• New exemption from export/import requirements for new parts & new devices under warranty if they are defective upon initial use by original purchaser and are being returned to manufacturer for failure analysis and/or repair [ c)];

• Revised, recombined, streamlined, and clarified requirements pertaining to downstream accountability, including requirements for transport companies [8.9];

• Requirement to establish and implement a schedule for monitoring & measuring operations that can have a significant environmental and stewardship impact [9.1.1 d)];

• Modified requirement to track non-conformities found in multiple areas, e.g. audit results, regulatory violations, (facility) security breaches, and data security breaches [9.1.4];

• Clarified language in requirements for material balance accounting (MBA) [9.1.7 b)];

• Requirements to better define internal auditor qualifications, and create & retain specific internal audit records [9.2.2];

• Expanding on the new ISO requirements for top management, requirements for them to review results of risk assessments, facility inspections, and Industrial Hygiene monitoring [9.3]; and

• Clarified language in both Appendix B (Administrative requirements for recyclers) and Appendix C (Administrative requirements for certification and accreditation bodies).

Restoration of V2/14001:2004 elements into FD V3: The new ISO 14001 standard has omitted or reduced certain elements of a management system that were included in the earlier (2004) version of 14001 and are considered by many to be important elements of an effective management system. V3.0 has restored some of these elements, as follows:

• Restored requirements for written procedures & records in many sections of the standard [throughout standard]; and

• Restored explicit requirements for taking preventive actions as a critical part of an effective management system [10.2].

Implementational Changes:

• In future, revisions will be published directly into a new version of the complete standard at no additional cost to the initial purchaser. These new Versions will be designated as V 3.1, V 3.2 etc. This will be far easier for recyclers and auditors alike.

• Performance Verification Program of e-Stewards now includes both truly unannounced inspections as well as use of GPS tracking devices inserted into the e-Stewards stream.