Typically, IT asset disposal isn’t a burning topic that is top-of-mind for CIOs, yet every CIO must be able to address it when asked to describe their Information Technology Asset Disposal (ITAD) program. The presence of a program signals attention to Data Protection; the lack of a program says “data may be at risk when equipment is recycled.” No CIO wants to encounter the latter; every CIO wishes to be associated with “data protection” though it may be a false-positive if the program does not include an auditable chain of custody/data destruction.
Can you, the CIO, or the person in charge of your ITAD program, describe how each device provisioned and issued within your company is tracked, how the data on the device is accounted for, and when and how that device is removed from the company’s ecosystem in a way that ensures the data is protected and secured?
An Identified Threat Vector
The Cyber and Infrastructure Security Agency (CISA), who works with entities to help defend against today’s threats and collaborates to build a more secure and resilient infrastructure for the future, included ITAD as an identified threat vector in its guidance on defending against software supply chain attacks. Every entity needs an ITAD program, and the program must ensure that all devices are wiped clean of any data. The harsh reality is many don’t, and they have no auditable or visual chain of custody involving data and devices, which can lead to severe fines and penalties for your entity.
OceanTech has a strong commitment to the security of our client’s confidential information. During the entire process, we track and catalogue your assets. Once the data destruction has been successfully completed, OceanTech will issue a Certificate of Data Destruction to the client that details to make, model, and serial number of each asset that has been secured, sanitized or destroyed.
Risk Mitigation
OceanTech provides superior expertise in mitigating our client’s risk by eliminating environmental liabilities and ensuring complete data security. Our IT asset disposal procedures follow very strict processes to increase your level of security and lower any potential risk, eliminating the possibility of a security breach.
As the top ITAD company, our process exceeds all local, federal, and international standards and data destruction regulations. We comply with R2 standards for data security, which means that absolutely no data may leave our secure facility without first being overwritten, sanitized or physically destroyed.
At OceanTech, we utilize a patent-pending wiping solution that is consistent in all of our data sanitation and data destruction processes. OceanTech guarantees that sensitive data is non-recoverable. We are extremely confident in our guarantee – we regularly perform Quality Control checks by sending randomly selected equipment to OnTrack for expert recovery attempts and they have yet to recover any data on any device sent by us for testing.
Third-Party or In-House ITAD
The question for a CIO is not, “Do I need an ITAD program?” You do. Not only do you need a program, but your program must ensure it includes 100% of devices that are company-owned, as well as those that are employee/contractor owned (BYOD) and have company/customer data residing on them.
The decision to build an ITAD program in-house or hire outside expertise is unique to each organization, but whichever path is taken, it must be abundant with checks and balances to ensure verifiable integrity of the ITAD process and prevent any device from departing the ecosystem with data on board.
