The Crucial Role of Exception Reports in ITAD Management

In IT asset disposition (ITAD), an exception report is a cornerstone for effective management and risk mitigation. Without this report, validating or verifying the success of ITAD endeavors becomes impossible. The absence of exception reports leaves organizations vulnerable to potential data breaches, regulatory compliance issues, and reputational damage.

Exception reports, as the name suggests, highlight deviations from established ITAD procedures and expectations. They act as a red flag, alerting ITAD managers to potential problems that require immediate attention. This information proves invaluable in preventing data leaks, ensuring regulatory compliance, and safeguarding the organization’s reputation.

The Illusion of ITAD Management without Exception Reports

Without exception reports, organizations operate blindly, relying on chance and hoping for the best. This approach, often referred to as “pitching and praying,” is akin to pretending to manage ITAD rather than actively controlling it.

While organizations may implement various ITAD measures, such as employing qualified vendors and emphasizing data destruction, the assets that fall through the cracks pose the most significant threat. These assets, the ones that never reach a qualified ITAD vendor, are the ones that have the potential to cause irreparable harm.

Exception reports serve as a vital tool for identifying these missing assets. By scrutinizing exception reports, ITAD managers can pinpoint assets that have deviated from the established ITAD process, allowing for timely corrective action.

The Role of IT Asset Management Databases in Hiding Missing Assets

Often, IT asset management categorizes missing assets as “retired” to save time. However, an asset must not be considered retired unless and until data exists to prove its proper disposition. Accurately labeling missing assets is crucial, as mislabeling can delay investigations or hide toxic IT assets.
The temptation exists to sweep problems under the rug. This is why a segregation of duties (SOD) between ITAM and ITAD is essential.

Google “How to retire assets in ServiceNow,” and you will find instructions and videos showing the steps:

  • Navigate to All > Asset > Portfolios > All Assets.
  • In State, select Retired.
  • (Optional) In Substate, select Disposed, Sold, Donated, or Vendor Credit.
  • Click Update.

So, with just 3 clicks, anyone can sweep a problem under the rug. Can’t find an asset? No problem. Retire it!

Without evidence, no one should be able to retire an asset in ServiceNow or any IT asset database.

Of course, some organizations implement more complicated retirement procedures. ServiceNow includes a total of 24 States and Substates. An organization might also use “Disposal Orders,” so tracking details such as dates and vendors is easier. Using Disposal Orders also makes it simple to store pertinent documents, such as certificates of disposal.

To maintain compliance, however, organizations must maintain verifiable records detailing the disposition of every single asset retired. Attaching a certificate to a disposal order is not sufficient.

Only carefully examining tracking data can confirm the chain of custody or reveal potential liability. A detailed inventory reconciliation is required to determine if a particular asset is missing. If no evidence exists to prove a disposal vendor received an asset, that asset must be presumed lost or stolen.

Just as no organization would allow an employee to submit an expense without a receipt, no organization can comply with SEC cybersecurity regulations without a valid vendor receipt for each retired asset.

If an asset is purported to have been sent to an ITAD vendor, the vendor should provide a receipt of assets received, usually in the form of a serialized inventory. A reconciliation should have occurred to confirm the chain of custody and identify if something is unaccounted for.

The Price of Ignoring Exception Reporting

To date, Morgan Stanley has paid $161.5 million in ITAD-related penalties after disclosing that 42 decommissioned servers were missing. In July 2019, Morgan Stanley’s ITAD vendor, Arrow Electronics, announced that it was closing its asset disposition business. During the wind-down period, Morgan Stanley undertook a cross-check and reconciliation of its records of the devices it understood were provided to Arrow for data destruction.

The outcome would have differed if Morgan Stanley had reviewed an exception report for each project immediately instead of waiting for Arrow to exit the industry. The ordeal might have been avoided had Morgan Stanley also used disposal tags and followed the principles of defensible disposition.

Disposal Tags and Exception Reports

IT professionals often spend significant time chasing down missing assets. The most common (and avoidable) reason behind missing or hard-to-find equipment is relying solely on serial numbers to track it.

Matching serial numbers is exceptionally problematic. A “6” can be misinterpreted as a “G.” An “8” might look like a “B.” Manufacturer serial numbers are notoriously difficult to read, making matching unreliable.

Most companies tracking retired equipment solely by serial numbers cannot account for nearly 25% of their disposed inventory. Organizations using disposal tags typically account for 100% of retired assets. Disposal tags form the backbone of any successful ITAD policy and make finding misplaced equipment a much faster process.
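
The reconciliation described earlier (retired records checked against the vendor's serialized inventory) and the tag-versus-serial matching problem described in this section can be combined into one exception report. The following is an added example, not code from the article or from any ITAM product; the field names, status labels and sample records are assumptions constructed for illustration.

```python
# Character pairs the article names as easily misread on serial labels.
CONFUSABLE = str.maketrans({"G": "6", "B": "8"})

def clean(serial):
    return serial.strip().upper()

def fuzzy(serial):
    """Collapse confusable characters so G/6 and B/8 compare equal."""
    return clean(serial).translate(CONFUSABLE)

def exception_report(retired, received):
    """Reconcile ITAM rows marked Retired against a vendor receipt.

    Returns (exceptions, unexpected): assets lacking clean receipt evidence,
    and receipt lines that no retired record accounts for.
    """
    by_tag = {r["tag"]: r for r in received if r.get("tag")}
    by_serial = {clean(r["serial"]): r for r in received}
    claimed, pending = set(), []
    # Pass 1: exact evidence only (disposal tag first, then exact serial).
    for a in retired:
        hit = by_tag.get(a.get("tag")) or by_serial.get(clean(a["serial"]))
        if hit:
            claimed.add(id(hit))
        else:
            pending.append(a)
    # Pass 2: near-match against unclaimed receipt lines, otherwise missing.
    exceptions = []
    for a in pending:
        near = [r for r in received
                if id(r) not in claimed and fuzzy(r["serial"]) == fuzzy(a["serial"])]
        if near:
            claimed.add(id(near[0]))  # needs a human to confirm the serial
            exceptions.append((a["asset_id"], "VERIFY_SERIAL", near[0]["serial"]))
        else:  # no receipt evidence: presume lost or stolen, do not retire
            exceptions.append((a["asset_id"], "MISSING", None))
    unexpected = [r["serial"] for r in received if id(r) not in claimed]
    return exceptions, unexpected

# Constructed sample data (hypothetical assets, not from the article).
RETIRED = [
    {"asset_id": "A-001", "serial": "5CG8B1", "tag": "DT-1001"},
    {"asset_id": "A-002", "serial": "MX6G42", "tag": None},
    {"asset_id": "A-003", "serial": "PF0B77", "tag": None},
    {"asset_id": "A-004", "serial": "JK9Z10", "tag": "DT-1004"},
]
RECEIVED = [
    {"serial": "5C68B1", "tag": "DT-1001"},  # serial misread, tag still matches
    {"serial": "MX6G42", "tag": None},
    {"serial": "PF0877", "tag": None},       # 'B' keyed as '8'
    {"serial": "ZZ0000", "tag": None},       # not on the retired list
]
```

Exact matches are resolved before near-matches so that a misread serial never claims a receipt line that belongs to another asset.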

Effective ITAD Management Requires Exception Reports

The absence of exception reports clearly indicates that an organization is not effectively managing its ITAD processes. These reports are not simply an option but an essential component of a comprehensive ITAD program.

Exception reports are not just a formality or an afterthought but an indispensable tool for effective ITAD management. By embracing exception reports, organizations can proactively address potential issues, mitigate risks, and ensure the secure and compliant disposition of their IT assets.

Without exception reports, ITAD management becomes a guessing game. Organizations are left to hope that their assets are being handled properly, that data is being destroyed securely, and that no sensitive information is at risk. This approach is akin to pitching and praying, leaving the organization’s security posture vulnerable to chance.
