Challenges of IT Asset Disposition
By Ann Hughes, Director of Sales and Marketing for MRK Group Ltd.
Anyone who has created a corporate IT Asset Management program, or is contemplating one, will tell you that it is challenging to create a successful program. We will explore some of the issues in doing so.
Who should be involved in this process? Who are these stakeholder groups and why do they matter? Do they have competing interests? Let’s explore this. There are several that are obvious. IT Asset Management owns the program and interfaces with all groups, and conveys their requirements to Procurement. Procurement is often responsible for the RFP if the company decides to go this route. Environmental and Risk Management will want to ensure that equipment does not get exported to an undeveloped country where environmental laws are lax or processed in some manner at home which potentially can create an environmental nightmare.
There are environmental regulations that come into play with electronics. Electronics contain heavy metals such as cadmium, lead and mercury that are highly toxic. The environmental group in particular will want to ensure that the equipment is handled properly and not go to a landfill. The last thing your company needs is bad press when it is discovered that your equipment is involved in an EPA cleanup operation.
As data security is the biggest driver of IT Asset Disposition, Risk Management, Compliance and Security are major stakeholders. There are many regulations to consider such as HIPAA, HITECH, PCI, etc. Data breaches are extremely expensive. According to the Ponemon Institute, the average cost of a data breach in the US is $217 per record, and $6.53 million per incident. The largest cost of a breach is loss of business. Other losses may include damaged brands, loss of trade secrets, personnel records, financial information, etc.
Risk assessments play a part in company decisions. Will data erasure before shipping to an ITAD vendor be appropriate or will encryption of devices be sufficient? Is onsite hard drive destruction mandatory? What is the chain of custody? How is equipment staged/stored prior to going to the ITAD vendor? What are the logistics in moving the equipment? The vendor can be a very useful partner and be utilized as a secondary verification of data erasure.
Additional stakeholders will include Finance and Accounting. They require certain data that ITAM can provide when assets are properly tracked. At the time of purchase, assets may come with a maintenance plan. Companies will like to forgo paying maintenance fees on assets they no longer own. Assets no longer owned will also need to be removed from the books in order to eliminate remaining tax liabilities.
Determining what to do with equipment is another challenge. Risk must be balanced against financial considerations. Allowing the ITAD vendor to resell equipment will lower costs and can yield large sums that pay for the entire asset disposition program with funds remaining. Extreme risk aversion will lead to unnecessary costs. For example, is a 7 pass DOD compliant erasure necessary or will a 1 pass be sufficient? Due to the high density of the drives, 1 pass will be sufficient in most cases. Recycling only will yield to higher costs due to continuing low commodity values. Revenues will not be generated to offset the costs of proper handling of assets.
Selecting a vendor can be the biggest challenge of all. According to recent news articles, there have been many electronics recycling and IT asset disposition companies in the past several years who have gone bankrupt, been indicted for fraud, tax evasion, illegal storage and illegal export of equipment. These include firms that have been R2 and e-Stewards certified, industry certifications completed by a third-party for those in the IT Asset Disposition industry who manage end of life computer and other electronic equipment. Both certifications do issue revisions to strengthen the standards and close loopholes to weed out these bad actors.
It is important to look at firms that adhere to Best Practices of the ITAD industry. These are companies dedicated to removing data and environmental risks inherent in final disposition of end of life equipment.
Let’s take a look at what Best Practices means. These will be vendors that protect all data and avoid any data breach. They will include not only hard drives in your typical PC, laptop or server but include hard drives in copiers. Their data erasure processes are compliant with NIST 800-88 and Department of Defense. These types of firms have the capacity to erase multiple drives at a time and have a process for drives that fail such as shredding and serial number capture. They will remove asset tags and any company identifying marks prior to reselling of assets. The vendor will be able to provide FMV (fair market value) for equipment. Their Certificate of Destruction will tie directly to the equipment processed.
When evaluating firms, look for one that is transparent and freely shares information. If it is not forthcoming with answers to your questions, it may not be the best choice. Look for some give and take so that there is a mutually beneficial relationship. This will go a long way when special projects or pricing is needed outside the scope of a standard contract.
Due diligence is a necessity. Various questions need to be asked. What is the company ownership? How long has the company been in business? Has the company been acquired? What is the management turnover? Some of these play into the type of service you will receive. You will experience continuity of service when there is less turnover and disruption. Take a look at the facility. Is work being performed in multiple buildings at the site? Are there multiple sites across the country? What type of security is present? Look for 24/7 surveillance and restricted access.
It is important to also know what types of materials are being handled. Are there hazardous materials in the building, and are the proper permits in place? Who are the downstream vendors? All R2 and e-Stewards certified companies will have evaluated their downstream vendors and know how those various materials are handled.
Other questions include the types of services offered, such as inventorying, data destruction, recycling, remarketing, redeployment, donations, end of lease services and logistics. What are the data security policies of the vendor? What type of training is there for the employees on equipment, tools and processes that they use? There should be a written EH&S plan in compliance with OSHA regulations.
The ideal way to perform due diligence is to personally visit the vendor. Be prepared with questions and perform an onsite audit.
Success comes with preparation. When various stakeholders are involved, due diligence is performed and open dialogue is maintained, the chances of succeeding greatly increase.
This article originally appeared in ITAK.