How do you build a comprehensive IT Risk Management program that includes the right internal stakeholders who can identify the equipment, systems and vendors that collect and store your company data?
Realistically, this breadth of knowledge is beyond the information technology department because it’s no longer the obvious devices: computers, tablets, servers, hard drives and USB drives. Now it’s IoT-enabled equipment, outsourced services, kiosks, ordinary office equipment and the myriad of ad hoc memory retrofits and upgrades to existing equipment.
And they all need a data destruction plan.
“30% of all data breaches come from not properly disposing of assets”Gartner Research
IT isn’t solely responsible for IT Risk Management
To gain that 360-degree view of data generation, accumulation, storage and dispersal, it may involve more than the usual suspects. Consider these departments and personnel that have knowledge of what is bought, in use, in storage, on loan or on the horizon:
1. Information Technology
The Chief Information Officer attends to all information and computer technologies. As such, the CIO and IT department focus on ensuring that computers, devices and machines improve business processes and function with little downtime and protection against malware and cyberattacks.
IT departments are often in charge of IT asset refreshes working with VARs and purchasing departments. This trio of specialists should have ample documentation and software tools to track equipment purchasing, replacement parts like new hard drives and all associated serial numbers.
IT also has the responsibility to securely unenroll any MDM (Mobile Device Management) that auto provisions, deploys and “locks” company computers so that hard drive erasure and hard drive shredding aren’t superfluous.
2. The Chief Finance Officer (CFO)
The primary role of the CFO is to establish budgets and assure the availability of funds for the purchase of equipment and fulfillment of services. A line item for data destruction, whether standard onsite hard drive shredding or a box program that includes remote hard drive erasure and then secure IT packing and shipping for remarketing, refurbishment, recycling or redeployment. Whether it’s laptop turnover, copier leases or a data center consolidation, data destruction is a budgetary line item across multiple departments.
3. Purchasing and Receiving
The best way to know what is going out and needs data destruction is by starting with what is coming in. Every item, system, machine, device and vendor goes through procurement. This department is the primary source for recording all incoming serial numbers including replacement parts and upgrades to standardized or older equipment.
And, what’s leaving and in-transit? Is there a secure IT logistics plan including full chain of custody planning? Are computers and smart devices shipped with live data? Or sitting in an unprotected, unsecured area (like a loading dock or a cardboard box in a cabinet) waiting for processing?
Corporate attorneys are responsible for understanding the regulations and liabilities for data destruction pertaining to your industry. Ensuring that your company’s data destruction plan includes all devices and adheres to (or exceeds) minimum standards is the baseline. Collecting accurate and timely documentation of all serial numbers, data destruction from NAID AAA certified providers, chain of custody and recycling protects your company and brand from sloppy processes and procedures.
5. Equipment Planners and Facilities
Equipment and devices that are networked and IoT-enabled are potential liabilities when they reach end-of-life, stored or relocated. Educating these specialists or employees so that they can flag memory storage or sharing as an operational function creates a broader list of potential data destruction candidates while reducing risk of an accidental data breach. Don’t forget to consider offsite data-sharing machines and locations like kiosks, scanners, rental cars, registers and retail stores.
6. Data Center Managers and Technicians
Whether or not it’s part of IT or an outsourced service, data centers are an obvious center of data management, storage and backups involving racks and racks (or collective miles) of servers. Understanding server configuration (almost never standardized) including upgrades and expansions will absolutely contribute to a more accurate list of assets that need data destruction. Don’t forget backups. They’re essential as an emergency option but must be counted when suppliers or backup protocols change.
7. ESG Stewards, Sustainability and Recycling
Count on these departments to be the guardians of ethical repurposing, donating and recycling. They’ll understand the importance of ensuring that personal and private data does not leave any facility and impact the efficacy and reputation of their environmental and community-based programming.
Successful IT Risk Management is an enterprise-wide effort
When all these professionals are purposefully involved in identifying anything “smart” with the goal of building a comprehensive data destruction process, the risk of a data breach, a compromising situation or an embarrassing mistake is far less likely. This group of aware stakeholders not only provides an all-inclusive, fully-covered plan for risk reduction but creates a foundation for increasing accuracy as data needs, data storage form factors and end-of-life processes change.
More learning resources
We’re focused on helping customers seal off opportunities for malicious, unauthorized data breaches.
- Asset Checklist for your IT Risk Management Plan
- How IT Asset Managers can Prevent Data Breaches (a recorded IAITAM 2022 session)
- 30 common places your company data is stored (and waiting for a breach).
Don’t leave a shred of data behind. Sign up to receive data destruction news.
Talk to us about your needs and concerns. If you like forms, contact Guardian here. Or give us a call at 888-556-9473. We can give you helpful advice or refer you to a local ITAD or VAR.