It seems that everyone at the moment is talking about the General Data Protection Regulation (GDPR) that will come into force in just over a year; and rightly so, given the hefty fines (up to 4% of your annual turnover) that you could suffer if you incur a data breach. With news stories of companies falling victim to data breaches on the rise, how can you ensure that you are handling your company’s information correctly? When the time comes to dispose of your retired IT assets, you need to ensure you remain compliant and that you adhere to industry standards.
As a result of the above, the role of those involved in IT, information security and data protection has become increasingly complex. You need to ensure that your redundant IT equipment is disposed of securely and in an environmentally responsible manner, and that the data held on your devices is completely destroyed to avoid the risk of a data breach. But what standards and certifications are out there that can be used as guidance to benchmark against?
The Asset Disposal and Information Security Alliance (ADISA) is a great place to start. It certifies partners that adhere to the highest industry standards, reflecting current best practice for handling data-carrying assets. If your IT disposal partner holds an ADISA certification, you can have reassurance that your IT assets and data are being handled in a compliant manner.
The international ISO 27001 standard is another good foundation to adhere to. ISO 27001 is an information security management certification that ensures the correct security processes are in place when disposing of IT assets and data. Holding this certification demonstrates a vendor’s ability to manage confidential information to the highest security standards.
ISO 27001 has two main sections that relate to IT asset disposal.
1. Section A.11.1.2 relates to IT equipment and states that, “all items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use”.
2. Section A.8.3.2 relates to disposal of media and states that, “Media shall be disposed of securely when no longer required, using formal procedures”.
When disposing of your IT assets you must identify which devices contain data. From the obvious PCs and laptops right through to smartphones and printers, you should verify whether or not storage media is contained within your equipment prior to its retirement. You then need to choose an IT disposal partner that securely destroys the data beyond recovery. This can be achieved using data erasure software like Blancco, which ensures data-bearing equipment is erased to the most stringent global standards. Alternatively, you can shred the media, such as hard drives, tapes, CDs, DVDs, USB drives etc. Shredding media into debris no larger than 20mm in diameter provides guaranteed destruction of the data. A Certificate of Destruction should also be received.
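Section A.11.1.2 quoted above requires that storage media be verified as overwritten before disposal or re-use, and a good disposal partner will hand back evidence of that verification rather than just a wipe log. The script below is an added example of such a verification pass; it is not code from the article, from AMI or from Blancco. It assumes the wiped device is available as a seekable, read-only file object (a raw block device or a disk image) and that the wipe pattern is a single repeated byte such as 0x00. The asset tag and the sample images are constructed for the example.

```python
"""Added example: sampled verification that a storage device was overwritten.

Assumptions (not from the original article): the wiped device is exposed as a
seekable, readable file object, and the wipe pattern is one repeated byte.
"""
import io
import os
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class EraseVerification:
    asset_tag: str                 # hypothetical inventory identifier
    size_bytes: int
    blocks_checked: int
    blocks_failed: int
    first_failed_offset: Optional[int]

    @property
    def verified(self) -> bool:
        # Any block that still carries non-pattern bytes fails the device.
        return self.blocks_failed == 0


def verify_overwritten(device, asset_tag, block_size=4096, sample_blocks=64,
                       fill=b"\x00", seed=None):
    """Read a sample of blocks (or every block on small devices) and confirm
    each one contains only the wipe pattern.  Returns an EraseVerification
    record suitable for attaching to a Certificate of Destruction."""
    device.seek(0, os.SEEK_END)
    size = device.tell()
    total_blocks = (size + block_size - 1) // block_size  # last block may be short
    expected = fill * block_size

    if total_blocks <= sample_blocks:
        indices = range(total_blocks)                     # full scan
    else:
        rng = random.Random(seed)                         # seed for reproducible audits
        chosen = {0, total_blocks - 1}                    # always check both ends
        while len(chosen) < sample_blocks:
            chosen.add(rng.randrange(total_blocks))
        indices = sorted(chosen)

    checked = failed = 0
    first_failed = None
    for idx in indices:
        offset = idx * block_size
        device.seek(offset)
        block = device.read(block_size)
        checked += 1
        if block != expected[:len(block)]:
            failed += 1
            if first_failed is None:
                first_failed = offset
    return EraseVerification(asset_tag, size, checked, failed, first_failed)


def build_images(block_size=512, blocks=16):
    """Constructed sample images, not real devices: one fully zeroed, one
    with a fragment of leftover data in block 5."""
    clean = io.BytesIO(b"\x00" * block_size * blocks)
    leftover = bytearray(b"\x00" * block_size * blocks)
    start = 5 * block_size + 100
    leftover[start:start + 20] = b"CONFIDENTIAL-PAYROLL"
    return clean, io.BytesIO(bytes(leftover))


if __name__ == "__main__":
    clean, dirty = build_images()
    for tag, img in (("ASSET-0001", clean), ("ASSET-0002", dirty)):
        result = verify_overwritten(img, tag, block_size=512)
        status = "VERIFIED" if result.verified else "FAILED"
        print(f"{tag}: {status} ({result.blocks_failed}/{result.blocks_checked} "
              f"blocks failed, first failure at {result.first_failed_offset})")
```

On a real device the check runs against the block device opened read-only, with a block size matching the drive's sector size; a single failed block is enough to send the media back for another wipe or straight to the shredder, and the returned record is what you keep alongside the Certificate of Destruction.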
So when you need to retire your redundant IT assets and data, ensure you pick a fully accredited partner that adheres to both ADISA and ISO 27001 standards to safeguard your data and ensure that you remain compliant.
Contact AMI to learn more about how we securely retire redundant IT whilst adhering to the highest security standards.