Asset decommissioning is a resource-heavy and time-intensive process, but you do not have to make it more complicated and riskier by neglecting its physical security component. Thankfully, professional service providers can lend a helping hand with the best industry practices you can apply in this case.
Critical data is now exposed to countless ways in which its security may be breached as threat actors grow more sophisticated over time. When it comes to cyber security, we hardly think of its more “palpable” component: physical IT security. Yet, reliable reports have shown that no less than 63% of organizations suffered breaches caused by vulnerabilities in their hardware and the way its disposal is managed. Of those, more than half even had a hardware security policy in place. This still did not protect them from the attackers, pointing to the need to rethink what went wrong with the practices in place.
There is a hidden culprit here, however: treating the physical security of server and data center decommissioning as an afterthought. To avoid this worst-case scenario, let’s look at the best practices you can employ to stay on the safer side when performing IT asset disposal.
If you are preparing for asset disposal, the best initial step is to know what you are disposing of. You need to do your homework and draft inventory lists covering each asset that needs such treatment. Once you get the list up and running, you can make it more useful by enriching it with a grid-based map, coordinates, and hardware and software categories. If you are short on time or expertise, it is better to leave this job to a professional service provider that will not only track everything down for you but also give you a detailed timeline of the process.
You can be proactive in this process and help both yourself and a potential service provider by keeping a neat inventory of all IT assets as time goes on. By doing this, these assets will be made easier to locate down to the level of an individual rack or a cabinet and just as easy to manage once they reach the end of their service life.
Now, you can make this process simpler by using dedicated IT asset disposition (ITAD) portal systems. They will help you record and dispose of this data, stay up to date with the inventory list and streamline the data destruction process for each device the data is stored on.
It’s up to you how granular you want to go with this information on IT assets, but recording at least serial numbers, model descriptions and formats is the minimum, together with the information on any potential reuse or redeployment of an individual asset. ITAD providers can do this for you as part of their Sims Lifecycle Services (SLS), with an added option to meet your more specific demands when it comes to what you want to have recorded for your assets.
In any case, SLS portals will support you as a single pane of glass solution for asset tracking and resale, handling requests, reporting, and certification relating to data destruction, etc.
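An added example (not from the original article or any provider's portal): a minimal reconciliation of an asset inventory against the serial numbers listed on a data destruction certificate, using the minimum fields named above. The column names, the sample rows and the rule that every inventoried device needs a certificate entry before it leaves the site are assumptions made for this illustration.

```python
import csv
import io

# Constructed sample inventory; the column names are assumptions for this example.
INVENTORY_CSV = """serial,model,format,location,disposition
Z1A0001,ExampleDrive 4TB,3.5in HDD,R12-C03,destroy
Z1A0002,ExampleDrive 4TB,3.5in HDD,R12-C03,resale
,ExampleSSD 1TB,2.5in SSD,R14-C01,destroy
Z1A0004,ExampleSSD 1TB,2.5in SSD,,redeploy
Z1A0002,ExampleDrive 4TB,3.5in HDD,R12-C04,resale
"""

# Constructed serials, as they would be listed on a data destruction certificate.
CERTIFIED_SERIALS = {"Z1A0001", "Z1A0009"}

# Minimum fields per asset: identity, rack/cabinet location, reuse decision.
REQUIRED = ("serial", "model", "format", "location", "disposition")


def reconcile(inventory_csv, certified):
    """Return (csv_line, finding) tuples; an empty list means the lists agree."""
    findings = []
    seen = set()
    reader = csv.DictReader(io.StringIO(inventory_csv))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        vals = {f: (row.get(f) or "").strip() for f in REQUIRED}
        missing = [f for f in REQUIRED if not vals[f]]
        if missing:
            findings.append((line_no, "missing:" + ",".join(missing)))
        serial = vals["serial"]
        if not serial:
            continue  # cannot be matched to a certificate without a serial
        if serial in seen:
            findings.append((line_no, "duplicate-serial:" + serial))
            continue
        seen.add(serial)
        if serial not in certified:
            # Assumed rule: no device is released without a certificate entry.
            findings.append((line_no, "no-certificate:" + serial))
    # A certificate naming a device the inventory never recorded is also a gap.
    for serial in sorted(certified - seen):
        findings.append((None, "certified-but-not-inventoried:" + serial))
    return findings


if __name__ == "__main__":
    for line_no, finding in reconcile(INVENTORY_CSV, CERTIFIED_SERIALS):
        print(line_no, finding)
```

Any finding is a reason to hold the asset in its locked container until the record is corrected.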
Caging off your servers or whole areas can go a long way in protecting your data storage devices, particularly at sensitive sites such as data centers. You should not be thrifty when it comes to the robustness of these components – they will keep the uninvited parties at bay whenever someone unauthorized tries to access server rooms or IT equipment storage facilities.
Servers often need to be replaced for whatever reason, and this is not the time to become lax with security just because you are preoccupied with the more technical side of the operation. You will need storage containers with a lock and key in each storage area, and you should use them to store your HDDs and other storage devices. These containers will also help you with transport when you single these devices out for data destruction or physical relocation. If your particular circumstances allow it, you can shred or wipe some data before forwarding your assets to an ITAD site for additional treatment.
One of the best practices when it comes to the physical segment of IT asset security is regular on-site destruction of data. This is a mainstay in securing your drives before you physically relocate them from your site. You can also make use of the option to have someone personally observe the physical destruction of hard drives as it unfolds. The rationale is to eliminate any doubt regarding the security of data prior to having your assets removed from the site for the purpose of recycling.
Data destruction is an option if you want your equipment to be reused. In this case, the best practice is to use the services of a professional service provider, since media sanitization is a process that encompasses various standards and compliance practices you do not want to skimp on. The more famous among these include the North American NIST SP 800-88 r1 standard and the UK’s HMG IA Infosec No5.
Whatever the unique requirements of your specific site, it’s still advisable to get in touch with professionals who can greatly speed up your IT security activities in advance of and during the data destruction operations.
Smart Hands services are designed to tackle more complex tasks that require the physical presence of a team of technicians at the facility. These include various configuration tasks, troubleshooting and assessment jobs, etc. In the context of IT asset disposal, a team of ITAD professionals will handle the data destruction tasks and manage the disposal and storage of the designated resources.
What sets the Smart Hands services apart from the use of “vanilla” IT staff is the fact that these services are generally more budget-friendly compared with having a permanently available team on board. Also, if you have an internal IT department, you do not want to burden it with time-consuming and more “niche” tasks all the time.
Smart Hands teams should be available around the clock and tasked with performing data destruction, inventory management, asset resale, asset redeployment, recycling, etc. In addition to having a dedicated external team of professionals you can entrust your assets to, you will have an easier time complying with the existing regulations and environmental protection standards.
Speaking of regulatory compliance, be aware that the requirements may vary wildly, just like the specific circumstances you need to contend with at your site. Problems can arise when asset disposition needs to take place across various sites, many of which may be spread across the globe. To keep track of all regulatory requirements at each of them, having a dedicated ITAD manager or advisor can be a handy strategy for sparing you a headache or two in the future.
In addition to making your ITAD and security better integrated, you will steel yourself against the common challenges associated with IT asset disposal such as neglect, delays, mishandling, etc. This process as a whole will go more smoothly the more you invest in the security controls that need to complement it. And, yes, the first stepping stone on this path is choosing the right service provider for this task.
Standards, compliance and regulations are all good, but they merely allow you to become “competent” at what you do when it comes to IT asset disposal. In other words, even if you apply all of the above industry practices, don’t allow yourself to become complacent with your risk minimization efforts. Get in touch with your asset disposal provider and learn how they approach, optimize and build upon these practices and standards at their sites.