What happens to old agency IT once it has reached the end of its lifecycle? This requires serious consideration as all too often, agencies are not able to sufficiently answer questions about how their IT is disposed. Questions like:
Do you know where IT goes?
Do you know how IT gets there?
Do you have proof that IT is gone?
If even one of these questions is not properly addressed, an agency could be exposing itself to unnecessary risk.
Despite the dire need for electronic waste (e-waste) reform, the problem is worsening. A New York Times article highlights the growing problem, revealing that e-waste has become the world’s fastest growing trash stream. Barely 20% of the world’s total e-waste is being properly disposed. The White House has echoed this concern in its “Planning for Federal Sustainability in the Next Decade” executive order, which calls on agencies to “dispose of all agency excess or surplus electronic products in an environmentally sound manner.” This is clearly a pressing concern.
Data security risks
The improper disposition of e-waste is not just an environmental issue, security is also critical. In Special Publication 800-88, NIST states, “the efficient and effective management of information from inception through disposition is the responsibility of all those who have handled the data.” As the publication also points out, dumpster diving for old, discarded government laptops, cell phones and other IT assets that have not been properly disposed of or cleaned can be a rich source of illicit information. Agencies need to make sure that they are disposing of old IT assets without increasing risk.
This starts with having a clear strategy for securely destroying, recycling or repurposing IT equipment. At a high-level, it also requires:
Proper logistics — a standard process is needed to securely identify and transport IT assets destined for destruction.
Chain of custody — agencies need to be able to track assets from preparation to destruction with an auditable workflow.
Secure transportation and storage — the ability to move assets in “locked down” vehicles and log/store those assets in vaults while waiting for destruction is of utmost importance.
Safe disposition — finally, agencies need the capability to completely erase and degauss the data stored on each asset.
Taking the burden off agencies
According to the New York Times article, worldwide accumulation of e-waste is expected to hit 57 million tons by 2021. The problem is, we tend to throw our e-waste into landfills because it is the easiest thing to do. This demands greater education and ease-of-access to environmentally responsible resources for disposing of IT assets. Agencies need to be aware of responsible options that are environmentally sustainable, while still being convenient.
In order to accomplish this appropriately, agencies should follow the e-Stewards Standard, which requires:
All data to be destroyed
Responsible downstream management of all toxic materials
Legal and responsible exports
Best practices to protect workers and the environment from toxic e-waste
As agencies continue to modernize, they will need to retire more legacy IT assets. To ensure that this outdated equipment is being responsibly and securely disposed of, agencies should focus on establishing secure, replicable procedures for easily remarketing or destroying and disposing old IT assets.
To stand this up, agencies should give serious consideration toward their approach — will disposition processes be handled internally, or through an external partner? Does it make more sense to dispose of records on- or off-site?
Chain of custody
Whatever approach agencies decide to use, one of the most important factors will be chain of custody. Rigorous chain of custody processes track assets from preparation to destruction and are imperative for answering the important questions about IT — where it resides, how it is transported and how and when it should be properly disposed of. For agencies to establish a thorough chain of custody, they will first need to perform a comprehensive internal audit of owned IT assets. This audit should include every IT asset, scanning it into an internal tracking system that will serve as the foundation for chain of custody throughout the asset’s lifecycle. This way every asset is assigned a unique tracking number and can be tracked as it moves from destination to destination. In addition to providing security, this also ensures workflows are compliant and auditable.
Once agencies have entered their IT assets into the tracking system and identified assets eligible for disposition, they are ready to prepare their assets for on- or off-site disposition. Agencies will need to completely rid their assets of information — deleting any remaining data from media and hard drives and rewriting those drives, as well as degaussing tape records. These practices ensure that confidential data is not obtainable by reconstructing the wiped data.
Recycling and remarketing
A big part of disposing of old media is minimizing the environmental impact. This means agencies should be considering recycling and remarketing whenever possible. For recyclable materials, electronic equipment is de-manufactured into commodity categories and then recycled in an eco-friendly manner that avoids harmful practices.
As an alternative to recycling, one of the most economically-savvy options is to remarket old IT assets. Remarketing end-of-life IT assets allows agencies to recover operating capital while reducing e-waste. Not only does remarketing address the many environmental and security concerns associated with disposing of old IT assets, it also gives agencies an efficient way to lower their total cost of ownership.
When it comes to throwing out old IT assets, agencies need to give real thought to their current processes and what environmental and security impacts are implicit in those processes. Establishing set processes that include comprehensive chain of custody will help agencies to keep their old IT assets secure, while recycling and remarketing minimizes environmental impacts.
Alex Sisserson is a product manager for Iron Mountain Government Solutions.