Your First Step in Managing a Secure IT Asset Disposition Program
49.8 million metric tons of e-waste was estimated to be produced this year globally, with the majority being smaller devices. As an IT manager do you know where all your corporate IT assets are used and stored? Are you confident in your IT asset inventory management infrastructure as it stands? If your answer is no, keep reading.
The average cost of a data breach globally has risen to $3.86 million (€3,335,426). Keeping a close watch on all IT devices will help you manage their use and disuse and will become the backbone of your IT asset disposition (ITAD) program. It will highlight areas of risk, threats and vulnerabilities making them easier to address.
In order to maintain a useful list your IT asset inventory list should,
- Define ownership: Assign owners to each IT asset and define acceptable use to each owner.
- Track value: Understand accurate value of equipment which can be useful for tax purposes, and managing or controlling IT assets.
Whether you have a good system already or need to start from scratch, here are some recommendations to help you manage a strong IT asset register.
1. Start Somewhere: Determine if you already have an existing list.
Generally when working on an information security management project you start with a risk assessment. In any risk assessment you go through the act of building an IT asset inventory list, so this could be a list you can start with.
Many use their IT asset management software or ERP inventory system to generate their initial list of IT assets. All IT assets must be identified together with their owners. *Keep in mind IT assets not on the network may not be detected but should still be considered.
Take it a step further. If you are starting an IT asset inventory list from scratch, you can meet with departmental heads and obtain (or work with them to create) a list of all their software’s installed, employees working in each department, and equipment on the network used by each employee.
Unless this list is validated with a complete physical inventory and cross-checked thoroughly for inconsistencies, errors are introduced before the ITAD process begins. Without validation, it is almost impossible to fully reconcile IT asset tracking through final disposition.
2. Maintain: On an ongoing basis update your list.
Corporate Risk Managers should have access to an accurate and dynamic inventory of when and how each IT asset is disposed of and data destroyed. Common tracking identifiers used in cross referencing inventory include make, model, serial number and asset tag.
IT asset registers should keep track of,
- Name – To easily identify the asset.
- Device type – To describe what the item is (i.e. desktop, laptop).
- Location – To locate the device, if needed.
- Description – To understand specifications of the device (make, model, serial number, asset tag and operating system)
- Value and depreciation – To track asset value over time. (What it was bought for, original purchase price, accumulated depreciation and current book value).
- Other – i.e. purchase date, ownership status, licensed software, leased equipment, warranty.
3. Verify: These inventory lists should be cross-checked with the physical item.
The best registers are those kept up to date. Physical confirmation of devices will provide you with a higher level of accuracy. In a study, 33 percent of fixed assets that were not on an inventory list, were not verified and added. Maintaining and verifying IT assets takes a lot of effort to manage, but will become the backbone of your IT asset disposition program.
There are many useful ways this list will benefit you. For example, you may need an IT asset list for your insurer. Or, if you want to hire external IT support they will want to know exactly what equipment you have and its condition. If something breaks and you want to know whether it is under warranty, your asset list will tell you.
When your IT assets are in need of disposition this list will be requested by your electronics recycling or ITAD vendor. This should provide the quantity, type, location and condition of all items and can make it an easier process to determine logistics and pricing to complete the IT asset disposition and electronics recycling processes necessary.