Policy Template for Technology Equipment Handling and Disposal

Technology equipment often contains parts that cannot simply be thrown away due to the fact that it could contain information that anyone outside of the company should not have access to. Thus, this policy defines the requirements for proper handling and disposal of technology equipment at {{organization.name}}.

This document applies to all technology equipment owned by {{organization.name}}.

{{organization.name}} shall ensure that effective controls are in place and are followed across {{organization.name}} to protect the media against:

• Damage

• Theft

• Loss

• Unauthorized access

• Virus attacks

• Inappropriate disposal

All data must be reliably erased and/or destroyed from any electronic device before the device is transferred out of the organization's control or erased before being transferred from one department or individual to another. Failure to do so might pose a significant risk to the organization since data can often be easily recovered with readily available tools. 

In addition, data retention rules including what data will be archived, how long it will be kept, what happens to the data at the end of the retention period (archive or destroy) and other factors concerning the retention of the data shall be established. Data shall not be retained once the retention period is over. An authorization from data owners shall be obtained if retention may be prolonged in the event of an ongoing investigation or inquiries to ensure compliance with any legal obligation.

Protecting Media during Storage

Removable computer media in all forms for all identified critical assets and any critical system documentation in printed form shall be provided safe and secure storage and access to these shall be controlled. 

Fire-resistant safes and/or tamper resistant cupboards shall be used for storing the same.

Protecting media during use

There shall be clearly defined procedures for managing computer media during use and maintenance within {{organization.name}}.

Data disposal

When company hardware reaches the end of its useful life it is dealt with in the following manner:

1. Transferred internally. Typically to the {{organization.name}} QA team. Or any team that can make use of it, or

2. if still in working order but there's no use for it within {{organization.name}} it can be donated/sold to a third party, or

3. if not in working order or no longer useful then it must be responsibly recycled or disposed of.

Before any of these options take place all company data on the hardware must be destroyed and a factory reset performed.

Selection of data destruction methods should be based on the sensitivity of the data being destroyed as well as the media.

When it comes to securely destructing data or disposing of data on hard disk drives (HDDs), or the physical location where the data is stored, the following methods should be considered:

Clearing: Clearing removes data in such a way that prevents an end-user from easily recovering it. This method is suitable for reusing devices inside your organization.

Digital Shredding or Wiping: This method does not alter the physical asset. Instead, it overwrites data with other characters like 1 or 0 and random characters with multiple passes (e.g. DoD 5220.22-M algorithm).

Degaussing: Degaussing uses a strong magnetic field to rearrange the structure of the HDD. Once the HDD is degaussed, it can no longer be used.

Physical Destruction: This method ensures the secure disposal and destruction of HDDs as they are hydraulically crushed or mechanically shredded, so that data can never be retrieved or reconstructed.

For secure data destruction and secure data disposal of data found on solid state drives (SSDs), or the virtual location the data is stored, consider using the following methods:

Built-In Sanitization Commands: This method is effective if the device is to be reused within the organization.

Physical Destruction or Encryption: Using this method is the only true way to ensure device data cannot be recovered.

Other Devices

Confidential Information in the other networking devices and equipment to be disposed of shall be removed beyond retrieval by following best practices pertinent to such devices.

A record of disposal media should be maintained including the media type, the number of items, the labelling of items, the date disposed of, and by whom. 

For handling, e-Waste/Recycling Process, {{organization.name}} should only engage with an approved vendor(s), where the supplier will complete the full process of segregating e-Waste along with considering the environmental impacts/consideration and proven methods accepted by the industry standards on e-Waste/Recycling process. A confidentiality agreement would be signed between {{organization.name}} and the Vendor, before handing over the e-Waste, to avoid non-disclosure of confidential information.

Failure to properly dispose of technology equipment can have several negative ramifications to the {{organization.name}} including fines, negative customer perception and costs to notify constituents of data loss or inadvertent disclosure.