IAITAM Warns of Growing “Low-Tech Breach” Danger in Absence of Proper IT Asset Disposal Procedures

Not All Breaches Are Due to Rogue Employees and Highly Skilled
Outsiders … Sometimes the Breach Is Literally Found in the Garbage.

CANTON, Ohio–(BUSINESS WIRE)–As companies invest billions of dollars in increasingly expensive
personnel and systems to frustrate breaches that originate inside and
outside of their organizations, many are overlooking a more obvious fix:
the institution of an IT Asset Disposal (ITAD) process as part of a formal
IT Asset Management (ITAM) program, according to a warning issued today
by the International Association of IT Asset Managers (IAITAM).

The modern business world runs on a rapidly expanding pool of IT assets.
At the same time, companies tend to look at some combination of employee
errors, rogue employees, errant third-party vendors, and outside hackers
as the most likely sources of breaches. But the truth is that
a company without a rigorous ITAD program runs the risk of a breach from
a much simpler problem: a piece of hardware that was either not properly
tracked to begin with or stops being tracked before its final
disposition is confirmed.

IAITAM President and CEO Dr. Barbara Rembiesa said: “The whole idea
behind ITAD is simple: If you buy a piece of hardware you need to
track it and be aware of it from the moment you acquire it until its
destruction or other handling is confirmed. If you can buy it,
you can track it. A company can throw all the billions it wants
at CIOs, cybersecurity divisions and the like, but if it does not have
ITAM procedures in place, it is not secure. Absent or incomplete ITAD
procedures are problems that grow each year as the business world’s
reliance on technology grows.”

Examples exist of improper ITAD practices and the impact that they
had on their organizations:

  • Frauds pretend to be following the EPA requirements for disposal of
    electronic scrap and the device is then discovered in a landfill in a
    developing nation;
  • Data thieves steal equipment right from a slipshod disposal vendor’s
    truck en route; and
  • Forgotten hard drives disappear from unsecured storage closets.

ITAD is defined as “the business built around disposing of obsolete or
unwanted equipment in a safe and ecologically-responsible manner.” Best
practices vary depending on organizational size, type of business,
whether the assets are leased or owned, and other factors.

ITAD actions include:

  • Choosing the correct disposal vendor: Remember that the organization
    that owns the equipment is responsible for both its own actions and
    its vendor’s actions. The vetting process is paramount to
    maintaining data security and avoiding data breaches, bad press, and
    financial losses.
  • Services should include secure pick up, delivery, and disposition
    documentation: Disposal security insulates the organization from
    theft. The best way to properly mitigate the liability is to conduct
    fundamental practices such as researching and using a reputable vendor.
  • Certified data drive sanitation or destruction: Data drives should be
    wiped by the originating organization before they leave its site. The
    drives are wiped again by a disposal vendor and certified as cleaned
    and/or destroyed per the requirements of the organization. Some
    organizations use various industry standards such as the DoD or COBIT
    disposition standard. A COD (Certificate of Disposal) should be
  • Remarketing all viable equipment: Assets that are less than four years
    old commonly have resale value. Many reputable disposal companies are
    proficient in an asset valuation process.
  • Compliance reporting: Compliance reporting, whether done manually or
    automated, is critical to providing evidence to auditors. If devices
    are not being tracked through such a reporting process, they are prime
    candidates for going astray.
  • Program and policy development for asset disposal: A formal ITAD
    process as part of a full-blown ITAM program is necessary for any
    organization that is serious about proper control of its IT assets
    from the moment that they arrive until the time of their eventual


The International Association of Information Technology Asset Managers,
Inc., is the professional association for individuals and organizations
involved in any aspect of IT Asset Management, Software Asset Management
(SAM), Hardware Asset Management, Mobile Asset Management, IT Asset
Disposition and the lifecycle processes supporting IT Asset Management
in organizations and industry across the globe. IAITAM certifications
are the only IT Asset Management certifications that are recognized
worldwide. For more information, visit www.iaitam.org,
or the IAITAM mobile app on Google Play or the iTunes App Store.


Whitney Dunlap, (703) 229-1489 or wdunlap@hastingsgroup.com.
