IT Asset Management – Disposal of Assets

As we reach the end of this asset management blog series, we have discussed the need for establishing governance policies and procedures, how to acquire hardware and software for your organization, and how to monitor and upgrade assets throughout their lifecycles. The final blog post in this series will cover how to dispose of assets once they have reached the end of their usability or lifecycle.

Throughout the lifecycle of an asset, upgrades are introduced, newer and better products become available on the market, and decisions must be made on whether to maintain the asset or part ways for a different product. Once an asset has reached then end of its usability for an organization, the final step of the asset management process must take place: properly disposing of the asset.

During the lifecycle of the asset, it is monitored, patched, upgraded, and tracked to ensure that it is being utilized to its full potential. Once an asset is identified as needing to be disposed of, the asset should be tracked up until it is properly disposed of. This could mean that hardware is taken offline, inventoried for IT asset disposal, and stored securely for an extended period until proper disposal occurs. It is important that these assets are still tracked to ensure that items do not leave the organization without proper approval and possible organizational data is not leaked or disclosed to unauthorized personnel.

Once an asset is marked for disposal, all data should be securely sanitized from the device following NIST Special Publication 800-88 Revision 1, “Guidelines for Media Sanitization”. Within this publication, NIST outlines the different types of sanitization to consider using, provides a sanitization checklist, and provides a sanitization and disposition decision flowchart:

The need for media sanitization and methods to conduct it should be identified and developed prior to the disposal phase of the asset. At the start of the asset management process, media sanitization controls should be developed, documented, and understood by necessary personnel prior to deployment. A major factor that will affect the ability to conduct sanitization is choosing what assets will be used for within the environment. Although this is mostly a business decision, asset owners must understand early on that this decision affects the types of resources needed for sanitization throughout the rest of the life cycle. After sanitization and disposal has been completed, documentation should be maintained by the organization for a minimum of one year. This documentation will help in the event your organization is audited, or if a question arises on the status of an asset.

Hopefully you enjoyed all four parts to this asset management blog series! If you did not get a chance to read the entire series, links to each part can be found below. Compass IT Compliance has spent the past decade assisting organizations with their IT security and compliance challenges. Our team of highly certified experts have built and managed numerous asset management programs for companies of all sizes. Contact us today to learn more and discuss your unique situation!

Part 1: IT Asset Management – Governance Policies & Procedures

Part 2: IT Asset Management – Acquisition of Assets

Part 3: IT Asset Management – Monitoring and Maintaining Assets

Part 4: IT Asset Management – Disposal of Assets