Federal IT modernization requires proper legacy IT asset disposition

A comprehensive IT asset disposition (ITAD) program needs to be part of every agency's overall data and records management strategy.

The Senate Homeland Security and Governmental Affairs Committee approved legislation to advance the federal government's technology modernization efforts. Known as the Legacy IT Reduction Act, the bill will require agencies to develop an inventory of legacy IT systems as well as write modernization plans to update or dispose of those systems. The Act reinforces longstanding federal data privacy and security requirements across the information management lifecycle, and it provides a pathway to eliminate old IT equipment that runs much of the government today. 

As data-bearing IT assets—laptops, PCs, servers, printers, and mobile devices—become outdated or reach the end of their useful life, agencies need to ensure each individual asset is taken care of in a secure and sustainable way. This will protect personally identifiable information (PII), intellectual property, and national security information.  

Security and privacy threats from improper ITAD

As federal agencies move forward with their ITAD programs, they must consider several issues that can arise from both an agency and third-party vendor perspective. These include:

• Negligence. It is both costly and time-consuming to destroy data-bearing IT assets, which often results in not adhering to regulations when disposing of IT equipment.

• Human error. Internal employees or ITAD service providers cannot tell if data was properly sanitized simply by looking at the media on which it resides.

• Improper handling. If the chain-of-custody is not verifiable, there is no way of knowing for sure whether equipment was diverted to a secondary market, landfill, or elsewhere.

• Environmental damage. If retired IT assets are not properly handled in an environmentally compliant manner, the agency faces incremental risk for fines, penalties, and possible reputational harm. Focusing on meeting sustainability goals cost-effectively allows equipment to be managed in ways that reduce greenhouse gas emissions, cut pollution, and save energy and resources.

The case for outsourced ITAD

Looking at the abundance of things that could go wrong, outsourcing an ITAD program to an industry-leading third-party vendor with expertise in IT asset lifecycle management can help agencies more effectively dispose of legacy assets while ensuring the security and privacy of the information that resides on those assets. Agencies have traditionally performed ITAD as point-in-time projects, which come at higher prices than an established program. Third-party disposition of assets is cost-effective due to economies of scale and can help long-term budgeting. Additionally, a comprehensive program can result in avoidance of fines and other costs associated with mismanaged ITAD.

A proper program should be viewed as a data security and environmental sustainability investment that adheres to a structured approach, including:

• Identifying sensitive data. Understand which agency assets contain sensitive data and where these key assets are located.

• Establishing policies and procedures. Implement consistent programs throughout the organization and monitor for compliance. It is crucial that all employees understand the policies and procedures.

• Focusing on secure chain-of-custody. Rather than a one-size-fits-all approach to processes and data sanitization methods, focus on security tailored to the nature of the data that includes tracking mechanisms to follow an asset from pickup to destruction.

To learn more, download our whitepaper IT Asset Disposal the Right Way: Prevent a Data Breach, where we provide insights on ways to create an effective ITAD program to move to a modern technology environment.