Author: Rich Selvidge, CISSP / Last Updated: 8/11/22
Reviewed By: Michael Swanagan, CISSP, CISA, CISM
Beyond reasonable repair: Refers to any and all equipment whose condition requires fixing or refurbishing that is likely to cost as much or more than total replacement.
Chain of Custody (CoC): Refers to the chronological documentation of the custody, transportation, or storage of evidence to show it has not been tampered with prior to destruction.
Disposition: Refers to the reselling, reassignment, recycling, donating, or disposal of IT equipment through responsible, ethical, and environmentally sound means.
Non-leased: Refers to any and all IT assets that are the sole property of {COMPANY-NAME}, that is, equipment not rented, leased, or borrowed from a third-party supplier or partner company.
Obsolete: Refers to any and all equipment that no longer meets requisite functionality.
Surplus: Refers to hardware that has been replaced by upgraded equipment or is superfluous to existing requirements.
Hardware and electronic media disposition is necessary at {COMPANY-NAME} to ensure the proper disposition of all non-leased {COMPANY-NAME} IT hardware and media capable of storing member information. Improper disposition can lead to potentially devastating fines and lawsuits, as well as possible irreparable brand damage.
{COMPANY-NAME}-owned surplus hardware, obsolete machines, and any equipment beyond reasonable repair or reuse, including media, are covered by this policy.
Where assets have not reached end of life, it is desirable to take advantage of residual value through reselling, auctioning, donating, or reassignment to a less critical function. This policy will establish and define standards, procedures, and restrictions for the disposition of non-leased IT equipment and media in a legal, cost-effective manner.
{COMPANY-NAME}’s surplus or obsolete IT assets and resources (e.g., desktop computers, servers) must be discarded according to legal requirements and environmental regulations through the appropriate external agents and {COMPANY-NAME}’s upgrade guidelines.
All disposition procedures for retired IT assets must adhere to company-approved methods.
coordinated by {COMPANY-NAME}’s IT Department. The IT Department is responsible for backing up data from IT assets slated for disposition (if applicable) and removing company tags and/or identifying labels. IT is responsible for selecting and approving external agents for hardware sanitization, reselling, recycling, or destruction of the equipment. IT is also responsible for the chain of custody in acquiring credible documentation from contracted third parties that verifies adequate disposition and disposal that adhere to legal requirements and environmental regulations.
It is the responsibility of any employee of {COMPANY-NAME}’s IT Department, with the appropriate authority, to ensure that IT assets are disposed of according to the methods in the Hardware and Electronic Media Disposal Procedure. It is imperative that all dispositions are done appropriately, responsibly, and according to IT lifecycle standards, as well as with {COMPANY-NAME}’s resource planning in mind. Hardware asset types and electronic media that require secure disposal include, but are not limited to, the following:
Rich Selvidge is the Chief Information Security Officer at PurpleSec, providing singular accountability for all information security controls in the company. He brings over 21 years of information technology and security risk management experience.