IAITAM Warns of Growing “Low-Tech Breach” Danger in Absence of Proper IT Asset Disposal Procedures

Not All Breaches Are Due to Rogue Employees and Highly Skilled
Outsiders … Sometimes the Breach Is Literally Found in the Garbage.

CANTON, Ohio–(BUSINESS WIRE)–As companies invest billions of dollars in increasingly expensive
personnel and systems to frustrate breaches that originate inside and
outside of their organizations, many are overlooking a more obvious fix:
the institution of IT Asset Disposal (ITAD) process as part of a formal
IT Asset Management (ITAM) program, according to a warning issued today
by the International Association of IT Asset Managers (IAITAM).

The modern business world runs on a rapidly expanding pool of IT assets.
At the same time, companies tend to look at some combination of employee
errors, rogue employees, errant third party vendors, and outside hackers
as the most likely sources of breaches. But the truth is that
a company without a rigorous ITAD program runs the risk of a breach from
a much simpler problem: a piece of hardware that was either not properly
tracked to begin with or stops being tracked before its final
disposition is confirmed.

IAITAM President and CEO Dr. Barbara Rembiesa said: “The whole idea
behind ITAD is simple: If you buy a piece of hardware you need to
track it and be aware of it from the moment you acquire it until its
destruction or other handling is confirmed. If you can buy it,
you can track it. A company can throw all the billions it wants
at CIOs, cybersecurity divisions and the like, but if it does not have
ITAM procedures in place, it is not secure. Absent or incomplete ITAD
procedures are problems that grow each year as the business world’s
reliance on technology grows.”

Countless
examples exist of improper ITAD practices and the impact that they
had on their organizations:

• Frauds pretend to be following the EPA requirements for disposal of
  electronic scrap and the device is then discovered in a landfill in a
  developing nation;
• Data thieves steal equipment right from a slipshod disposal vendor’s
  truck en route; and
• Forgotten hard drives disappear from unsecured storage closets.

ITAD is defined as “the business built around disposing of obsolete or
unwanted equipment in a safe and ecologically-responsible manner.” Best
practices vary depending on organizational size, type of business,
whether the assets are leased or owned, and other factors.

Recommended
ITAD actions include:

• Choosing the correct disposal vendor: Remember that the organization
  that owns the equipment is responsible for both its actions as well as
  their vendor’s actions. The vetting process is paramount to
  maintaining data security, avoiding data breaches, bad press, and
  financial losses.
• Services should include secure pick up, delivery, and disposition
  documentation: Disposal security insulates the organization from
  theft. The best way to properly mitigate the liability is to conduct
  fundamental practices such as researching and using a reputable vendor.
• Certified data drive sanitation or destruction: Data drives should be
  wiped by the originating organization before they leave its site. The
  drives are wiped again by a disposal vendor and certified as cleaned
  and/or destroyed per the requirements of the organization. Some
  organizations use various industry standards such as the DoD or COBIT
  disposition standard. A COD (Certificate of Disposal) should be
  provided.
• Remarketing all viable equipment: Assets that are less than four years
  old commonly have resale value. Many reputable disposal companies are
  proficient in an asset valuation process.
• Compliance reporting: Compliance reporting, whether done manually or
  automated, is critical to providing evidence to auditors. If devices
  are not being tracked through such a reporting process, they are prime
  candidates for going astray.
• Program and policy development for asset disposal: A formal ITAD
  process as part of a full-blown ITAM program is necessary for any
  organization that is serious about proper control of its IT assets
  from the moment that they arrive until the time of their eventual
  disposal.

ABOUT IAITAM

The International Association of Information Technology Asset Managers,
Inc., is the professional association for individuals and organizations
involved in any aspect of IT Asset Management, Software Asset Management
(SAM), Hardware Asset Management, Mobile Asset Management, IT Asset
Disposition and the lifecycle processes supporting IT Asset Management
in organizations and industry across the globe. IAITAM certifications
are the only IT Asset Management certifications that are recognized
worldwide. For more information, visit www.iaitam.org,
or the IAITAM mobile app on Google Play or the iTunes App Store.

Contacts

Whitney Dunlap, (703) 229-1489 or wdunlap@hastingsgroup.com.