
Free Hardware And Electronic Media Disposal Policy Template

 


Author: Rich Selvidge, CISSP / Last Updated: 8/11/22

Reviewed By Michael Swanagan, CISSP, CISA, CISM


Definitions

 

Beyond reasonable repair: Refers to any and all equipment whose condition requires fixing or refurbishing that is likely to cost as much or more than total replacement.

 

Chain of Custody (CoC): Refers to the chronological documentation of the custody, transportation, or storage of evidence to show it has not been tampered with prior to destruction.


 

Disposition: Refers to the reselling, reassignment, recycling, donating, or disposal of IT equipment through responsible, ethical, and environmentally sound means.

 

Non-leased: Refers to any and all IT assets that are the sole property of {COMPANY-NAME}, that is, equipment not rented, leased, or borrowed from a third-party supplier or partner company.

 

Obsolete: Refers to any and all equipment that no longer meets requisite functionality.

 

Surplus: Refers to hardware that has been replaced by upgraded equipment or is superfluous to existing requirements.

Overview

 

Hardware and electronic media disposition is necessary at {COMPANY-NAME} to ensure the proper disposition of all non-leased {COMPANY-NAME} IT hardware and media capable of storing member information. Improper disposition can lead to potentially devastating fines and lawsuits, as well as possible irreparable brand damage.

Purpose

 

{COMPANY-NAME}-owned surplus hardware, obsolete machines, and any equipment beyond reasonable repair or reuse, including media, are covered by this policy.

 

Where assets have not reached end of life, it is desirable to take advantage of residual value through reselling, auctioning, donating, or reassignment to a less critical function. This policy will establish and define standards, procedures, and restrictions for the disposition of non-leased IT equipment and media in a legal, cost-effective manner.

 

{COMPANY-NAME}’s surplus or obsolete IT assets and resources (e.g., desktop computers, servers) must be discarded according to legal requirements and environmental regulations through the appropriate external agents and {COMPANY-NAME}’s upgrade guidelines.

 

All disposition procedures for retired IT assets must adhere to company approved methods.

 

Policy Details

 

coordinated by {COMPANY-NAME}’s IT Department. The IT Department is responsible for backing up data from IT assets slated for disposition (if applicable) and removing company tags and/or identifying labels. IT is responsible for selecting and approving external agents for hardware sanitization, reselling, recycling, or destruction of the equipment. IT is also responsible for the chain of custody, including acquiring credible documentation from contracted third parties that verifies adequate disposition and disposal in adherence to legal requirements and environmental regulations.

 

It is the responsibility of any employee of {COMPANY-NAME}’s IT Department, with the appropriate authority, to ensure that IT assets are disposed of according to the methods in the Hardware and Electronic Media Disposal Procedure. It is imperative that all dispositions are done appropriately, responsibly, and according to IT lifecycle standards, as well as with {COMPANY-NAME}’s resource planning in mind. Hardware asset types and electronic media that require secure disposal include, but are not limited to, the following:

 

  • Computers (desktops and laptops)
  • Printers
  • Handheld devices
  • Servers
  • Networking devices (hubs, switches, bridges, and routers)
  • Floppy disks
  • Backup tapes
  • CDs and DVDs
  • Zip drives
  • Hard drives / Flash memory
  • Other portable storage devices

Rich Selvidge

Rich Selvidge is the Chief Information Security Officer at PurpleSec, providing singular accountability for all information security controls in the company. He brings over 21 years of information technology and security risk management experience.
