When you hand over your data to your chosen IT disposal partner, do you know where it actually ends up? Does your IT disposal partner have a contract with you? When they collect your equipment does it go straight to their processing facility?
These are the questions you should be asking your IT disposal partner. Once your data holding media has been removed from its normal operating environment, your data is subjected to a greater risk, than when it was securely operating within your network. The disposal process should be as secure as your live process, a poorly planned process or a poorly chosen processor can increase the risk of a data breach. Once the equipment and data leave your site, the security is now out of your control.
Storage media risks during the disposal process need addressing before we get to the “just get someone to take it away, and I’m not paying” stage. Is there any potential value to the data stored on your old machines? Understanding the costs of data sanitisation is something that should be considered as early as the procurement process.
Use a trusted third party to complete the disposal process, inspect their procedures and facility. Ensure they work to and can maintain recognised standards. Verify your data has been sanitised, check the software and hardware they use to destroy your data. Obtain destruction certificates, check out the validity of these certificates. Are they laid out on a standard word document from Dave’s Disposals stating “Distrukshun Dun” or does it provide a strong paperwork trail with serial, model and assets numbers recorded?
Having a strong disposal process in place before the equipment leaves your site will minimise the risks to your data during the disposal process. Choosing a processor on price alone may not supply the security or guarantees to redundant data you expect. Giving responsibility to someone within your organisation who understands the value your data has in the wrong hands should ensure you have a secure disposal process in place before it starts.