Organizations constantly replace outdated computers and countless types of electronic devices to keep up with technology and enhance worker productivity. This rush to upgrade, however, creates a challenge: large numbers of excess electronics must be managed and disposed of properly.
IT asset disposition (ITAD) requires numerous complex activities: transportation, equipment testing, data destruction, remarketing, de-manufacturing, recycling, and reporting. Activities not outsourced to trusted vendors are too often performed by employees who are given little or no guidance from senior management.
When an organization fails to maintain proper oversight, mistakes happen. Outsourcing can actually increase the risks and leave organizations with a false sense of security.
Here are the five common mistakes organizations most often make:
- No agreed upon definition of success
- Not following a plan
- Trusting too much
- Not using disposal tags
- Not having contingency plans
Today organizations are unwittingly committing critical mistakes that ultimately undermine their well-intentioned ITAD efforts. Here is how to avoid common mistakes others make.
Find anyone involved with corporate ITAD and ask them to define success. Chances are you will hear a response such as ‘it depends,’ ‘we make sure there are no issues,’ or ‘what do you mean?’
As with most endeavors, problems arise when there is no clear definition of success, or when members of a team have different definitions of success.
Organizations that formally define success still have problems when individuals are allowed to re-define success based on actual outcomes — retrofitting how success is defined to match the circumstances.
Success should not be subjective. Rather, success should be defined in advance using SMART criteria (i.e. specific, measurable, assignable, realistic, time-related).
Naturally, the definition of ITAD success may differ slightly for your organization because every organization has unique priorities. While each organization is unique, two goals are universal for every ITAD program: chain-of-custody and data destruction.
It is beyond the scope of this paper to outline the exact best definition of ITAD success. It should be noted that it is problematic when individuals or business units interpret vague policies or determine the best course of action without adequate oversight.
Organizations are advised to gain alignment regarding how to account for every retired asset and how to prove no data is accessible in order to ensure there is a clear, agreed-upon definition of success.
Following a Plan
Once the definition of success is clear, an organization must follow a consistent process to achieve success. Having an inconsistent process is the same as not having a process.
Inconsistent processes ultimately lead to inefficiencies and errors. Success demands process discipline. Individuals and business units should not be allowed to wing it. By plan, we are not referring to vendor selection. Of course, vendors may vary by business or region. However, the fundamental processes by which ITAD is managed must be consistent.
When someone is permitted to deviate from the plan, nonconformities can become excuses for not achieving success. It becomes a challenge to determine whether a problem was the result of someone not following the plan, or the result of the (bad) plan itself.
An exact best plan depends on how an organization defines success. We often receive questions about encryption and onsite data destruction as part of ITAD strategies. It is beyond the scope of this paper to outline an exact best plan. That being said, all effective plans ensure legal compliance.
Data security laws mandate that organizations implement “adequate safeguards” of three types: technical, physical, and administrative. Regulations also require organizations to minimize segregation-of-duties conflicts. In other words, organizations must implement reasonable measures and actively eliminate opportunities for theft and fraud.
Trust, but Verify
Organizations too often trust employees to work directly with ITAD vendors. Unfortunately, trusting without adequate safeguards does not meet the basic, but critical, requirement of segregation-of-duties. Moreover, trusting exposes organizations to employee theft and vendor fraud.
Sadly, there is a huge incentive that motivates ITAD vendors and employees to hide losses. Naturally, employees and vendors tend to report self-serving interpretations, especially when facts could make them look bad.
Without proper controls and independent verification, management receives heavily distorted information. Only a careful, objective examination of tracking data can confirm chain-of-custody, or reveal potential liability. Executives need to be skeptical when it comes to ITAD reporting.
There are two basic types of safeguards: preventive and detective. Detective controls are intended to find problems within an organization’s processes. Even when an organization implements adequate safeguards, it is important to test them regularly, especially detective controls.
The US Navy tests detective controls when it practices man-overboard (MOB) drills. When a MOB alarm rings on a ship, every sailor is required to report to a designated muster station. There is no acceptable reason not to assemble. Failing to report in a timely fashion results in harsh discipline.
On large ships, group leaders are tempted to ‘cover’ for a colleague who might be running a little behind. As the sailors rush to muster stations, officers occasionally apprehend an individual sailor preventing them from mustering on-time. These apprehended sailors are deemed MOB. When a MOB is falsely reported at a muster station, the entire chain-of-command may be reprimanded.
Detailing every safeguard required to satisfy compliance requirements is beyond the scope of this paper. Running ‘man-overboard’ drills on retired computers during ITAD projects is certainly a wise precaution. Applying proven incident-response procedures will also help raise awareness of vulnerabilities.
The US Navy takes safeguards and reporting very seriously because conflicts of interest exist. Acknowledging that conflicts of interest exist with ITAD is the first step towards creating effective policies and adequate safeguards.
Tag it. Track it.
Unbroken chain-of-custody is necessary to indemnify an organization from the downstream risks associated with ITAD. Typically, chain-of-custody is established by manually matching manufacturer serial numbers captured on a vendor inventory. Sounds easy, right? Think again.
In a multi-year study of tracking data, only 47% of serial numbers captured could be matched successfully. In other words, relying solely on serial numbers to achieve chain-of-custody gives you about a 50/50 chance of success.
Disposal tags are a far better way to track assets compared to serial numbers. Instead of a 50/50 chance, disposal tags increase the odds of tracking to 99%. There is a reason airlines tag luggage and furniture movers tag boxes; it works.
There is an added benefit to using tags with ITAD; disposal tags deter theft. Employee theft is the number one risk associated with ITAD. Employees are less likely to steal an asset they know will be missed.
Chain-of-custody is not a catchphrase in a court of law; chain-of-custody evidence is the foundation for indemnification and transfer of liability. Relying solely on serial numbers is silly. Adding a tag improves trackability – two identifiers are better than one.
Tags are simple, easy, and highly effective. Instantly add tags to an existing process. Tags work with any vendor, any size project, anywhere. Tags are a perfect way to prevent problems, save time, and save money.
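As an added illustration (not from this paper or any vendor's tooling), the reconciliation step described above: a retirement manifest is matched against the vendor's receiving inventory, preferring the disposal tag and falling back to a normalized serial number, so that any asset without proof of custody is surfaced rather than silently dropped. The asset ids, serials and tag values are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional

def normalize_serial(serial: str) -> str:
    """Uppercase and drop spaces/hyphens; hand-keyed serials often differ only there."""
    return re.sub(r"[^A-Z0-9]", "", serial.upper())

@dataclass(frozen=True)
class Asset:
    asset_id: str            # internal id on the retirement manifest
    serial: str              # manufacturer serial number
    tag: Optional[str]       # disposal tag applied before pickup, if any

@dataclass(frozen=True)
class Receipt:
    serial: str              # serial as captured on the vendor's receiving inventory
    tag: Optional[str]       # disposal tag as captured by the vendor, if any

def reconcile(manifest, vendor):
    """Match each asset to at most one vendor receipt: disposal tag first, normalized
    serial as fallback. Unmatched assets break chain-of-custody; unmatched vendor
    lines cannot be traced back to the manifest."""
    by_tag = {r.tag: r for r in vendor if r.tag}
    by_serial = {normalize_serial(r.serial): r for r in vendor}
    used, matched, missing = set(), {}, []
    for a in manifest:
        r = by_tag.get(a.tag) if a.tag else None
        how = "tag"
        if r is None:
            r, how = by_serial.get(normalize_serial(a.serial)), "serial"
        if r is None or id(r) in used:
            missing.append(a.asset_id)   # no receipt, or receipt already consumed
            continue
        used.add(id(r))
        matched[a.asset_id] = how
    untraced = [r for r in vendor if id(r) not in used]
    return {"matched": matched, "missing": missing, "untraced": untraced}

MANIFEST = [   # constructed sample pickup: four retired assets
    Asset("A-1001", "SN-7F3K2Q", "DT-0001"),
    Asset("A-1002", "SN 9XT44L", "DT-0002"),
    Asset("A-1003", "SN5B8M1R", "DT-0003"),
    Asset("A-1004", "SNQ2W7E9", None),
]
VENDOR = [     # constructed vendor receiving inventory for the same pickup
    Receipt("SN7F3K2Q", "DT-0001"),   # serial and tag both match
    Receipt("SN-9XT44I", "DT-0002"),  # serial mis-keyed (L read as I); tag rescues it
    Receipt("SNQ2W7E9", None),        # untagged asset, matched on serial only
    Receipt("SN0000ZZ", None),        # vendor line with no corresponding asset
]
```

Running `reconcile(MANIFEST, VENDOR)` on this sample reports A-1003 as missing and the SN0000ZZ line as untraced, which is exactly the discrepancy an objective review of tracking data should raise with the vendor.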
Plan for the Worst
Mike Tyson famously quipped, “Everyone has a plan until they get punched in the mouth.”
The best-laid plans of ITAD often go awry. When they do, don’t get knocked out. Make sure any issue is an incident and not a breach.
Take time to define indemnification. Modify your game plan if you aren’t comfortable with the risks.
If equipment never arrives at an IT disposal vendor’s facility, it will not be properly processed and sanitized. Unfortunately, laptops have legs. The smaller and more valuable an item is, the more likely it is to disappear during transportation.
Take the time upfront to spell out the worst-case scenarios and determine how you are covered. Discuss what-if scenarios with your ITAD vendor. Learn how an ITAD vendor will actually protect your organization, or not, should something go wrong. Ask for specific examples of actual problems they have encountered and ask them to explain how each issue was resolved.
Do your due diligence. Verify upfront that your ITAD vendor understands all the state and local requirements and is adequately insured. There are more than 500 certified electronics recyclers in the US. Not all are equally qualified. It is better to discuss the potential problems upfront than assume anything.
Better ITAD vendors will understand and appreciate your security concerns. Better ITAD vendors will encourage your audit efforts. Better ITAD vendors appreciate the opportunity to take corrective actions to prevent problems before they become a downstream disaster.
Nobody cares about ITAD until everybody cares. Too often everyone cares when it is too late — when an asset is found in the wrong place or is found still containing data.
Reviewing the five mistakes is a perfect way to ensure everybody is on the same page before a crisis happens.
If you have any questions or comments, please let me know.
To your ITAD success,