IT Asset Decommissioning Policies: 7 Questions You Need to Ask
A decommissioning policy is important for many reasons. It helps you maintain compliance with local, state, and federal regulations. It creates an efficient process for your IT department and, most importantly, it can save you from a costly data breach. Creating the policy can be difficult, as there are many aspects that must be taken into consideration. Below are 7 things that should be considered when you are defining your company’s decommissioning policy:
- What are the legal requirements and environmental regulations in your municipality and state?
- All disposition procedures for retired IT assets must adhere to company-approved methods.
- The policy needs to apply to the proper disposition of all non-leased IT assets. This includes company-owned surplus hardware and obsolete hardware such as PCs, printers, handheld devices (PDAs, cell phones, tablets, etc.), servers, hubs, switches, routers and so on.
- What privacy regulations do you need to be compliant with? Examples include HIPAA (healthcare), HITECH, Sarbanes-Oxley, Gramm-Leach-Bliley, PCI (retail), etc.
- What is the nature of your operation, and what type of data needs to be protected? Will you require onsite data destruction or onsite data sanitization? Are there currently data destruction practices in place, and if so, are they effective and compliant?
- Who will be involved in the process and held responsible? Who will maintain and oversee the policy? What individual or department will be held accountable for the protection of confidential data? Most of the liability and coordination can be handled by a certified data destruction/ITAD vendor.
- As for the final disposition of assets (after compliant data wiping), it is imperative that there is a procedure put in place for their disposal, reuse, or resale. If assets are leaving your facility, all property tags or identifying labels must be removed from the hardware and recorded. The serial numbers of the decommissioned hardware should also be recorded. The use of a certified 3rd-party vendor is highly recommended because they will have those processes already in place and will be able to support a project of any size.
One of the most important reasons for establishing and implementing a decommissioning policy is to mitigate your organization’s risk of a data breach. It also helps to define employees’ roles in the process and establishes accountability. Using a 3rd-party vendor will make the policy creation step a lot easier, and the vendor will also help by taking over a large part of the liability. Make certain to work closely with your current vendor, or find a properly certified vendor, to ensure that this policy is executed correctly.