Sensitive company and personal data often leaves organizations on disposed devices. An auditable chain of custody that shows data destruction is essential for any ITAD program.
Asset disposal normally isn’t a burning topic that is top-of-mind for CISOs, yet every CISO must be able to address it when asked to describe their information technology asset disposal (ITAD) program. Lack of a program signals that data may be at risk when equipment is recycled; presence of a program signals attention to data protection. No CISO wants to encounter the former, and every CISO wishes to be associated with the latter, but the latter is a false signal if the program does not include an auditable chain of custody and proof of data destruction.
Can you, the CISO, or the team in charge of ITAD describe how each device provisioned and issued within the company is tracked, how the data on that device is accounted for, and when and how the device is removed from the company ecosystem in a way that protects the company’s and its customers’ data?
ITAD: an identified threat vector
Recent guidance from the Cybersecurity and Infrastructure Security Agency (CISA) on defending against software supply chain attacks identified ITAD as a threat vector. Every entity needs an ITAD program, and the program must ensure that devices are data-free when they exit the company’s control. The harsh reality is that many organizations have no such program, and among those that do, many rely on a certificate of destruction rather than an auditable, visible chain of custody covering both the data and the devices. The former requires trust; the latter includes verification.
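The contrast between a certificate of destruction (trust) and an auditable chain of custody (verification) is easier to see in code. What follows is an added example, not code from the article or from CISA guidance: a hypothetical hash-chained custody ledger for one device. Every handling step is recorded with actor, time and evidence, each record commits to the previous one so that a later edit, deletion or reordering is detected, and an audit checks both that the chain is intact and that the device completed sanitization with a recorded verification result before destruction. The event names, the asset tag LT-0427, the actors, the drive serial and the evidence fields are all assumptions constructed for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

# Lifecycle a device must complete, in this order, before it leaves company
# control. The step names are assumptions for this illustration, not a standard.
REQUIRED_EVENTS = ["issued", "collected", "sanitized", "sanitization_verified", "destroyed"]
GENESIS = "0" * 64  # prev_hash of the first record in a ledger


@dataclass
class CustodyEvent:
    asset_tag: str    # inventory identifier of the device
    event: str        # lifecycle step, normally one of REQUIRED_EVENTS
    actor: str        # who handled the asset at this step
    timestamp: str    # ISO 8601 string supplied by the caller
    evidence: Dict    # e.g. drive serial, wipe method, verification result
    prev_hash: str    # digest of the preceding record (GENESIS for the first)
    digest: str = ""  # SHA-256 over every field above, set by the ledger

    def compute_digest(self) -> str:
        body = asdict(self)
        body.pop("digest")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class CustodyLedger:
    """Append-only list of CustodyEvent records, each chained to the previous one."""

    def __init__(self) -> None:
        self.events: List[CustodyEvent] = []

    def append(self, asset_tag: str, event: str, actor: str, timestamp: str, evidence: Dict) -> CustodyEvent:
        prev = self.events[-1].digest if self.events else GENESIS
        rec = CustodyEvent(asset_tag, event, actor, timestamp, evidence, prev)
        rec.digest = rec.compute_digest()
        self.events.append(rec)
        return rec


def verify_chain(events: List[CustodyEvent]) -> Tuple[bool, str]:
    """Recompute every digest and link; an edit, deletion or reorder breaks the chain."""
    expected_prev = GENESIS
    for i, rec in enumerate(events):
        if rec.prev_hash != expected_prev:
            return False, f"record {i} does not link to its predecessor"
        if rec.compute_digest() != rec.digest:
            return False, f"record {i} content does not match its digest"
        expected_prev = rec.digest
    return True, "chain intact"


def audit_asset(events: List[CustodyEvent], asset_tag: str) -> List[str]:
    """Return findings for one asset; an empty list means its disposal is auditable."""
    findings: List[str] = []
    ok, why = verify_chain(events)
    if not ok:
        findings.append(f"chain: {why}")
    mine = [e for e in events if e.asset_tag == asset_tag]
    seen = [e.event for e in mine]
    for step in REQUIRED_EVENTS:
        if step not in seen:
            findings.append(f"missing step: {step}")
    # Destruction must follow verified sanitization, which must follow collection.
    positions = [seen.index(s) for s in REQUIRED_EVENTS if s in seen]
    if positions != sorted(positions):
        findings.append("steps recorded out of order")
    # A certificate alone is trust; the verification record must carry a result
    # and be tied to the same drive that was sanitized.
    serials = {e.event: e.evidence.get("drive_serial") for e in mine}
    for e in mine:
        if e.event == "sanitization_verified":
            if e.evidence.get("result") != "pass":
                findings.append("sanitization verification did not pass")
            if not e.evidence.get("drive_serial"):
                findings.append("verification not tied to a drive serial")
    if serials.get("sanitized") and serials.get("sanitization_verified") \
            and serials["sanitized"] != serials["sanitization_verified"]:
        findings.append("verified drive serial does not match sanitized drive serial")
    return findings


def build_sample_ledger() -> CustodyLedger:
    """Constructed sample data for one laptop, LT-0427 (not a real asset or vendor)."""
    led = CustodyLedger()
    led.append("LT-0427", "issued", "it-helpdesk", "2023-01-09T10:00:00Z", {"user": "jdoe"})
    led.append("LT-0427", "collected", "it-helpdesk", "2024-06-03T15:20:00Z",
               {"drive_serial": "S4EVNX0R123456"})
    led.append("LT-0427", "sanitized", "itad-vendor", "2024-06-10T09:05:00Z",
               {"drive_serial": "S4EVNX0R123456", "method": "cryptographic erase"})
    led.append("LT-0427", "sanitization_verified", "internal-audit", "2024-06-10T11:30:00Z",
               {"drive_serial": "S4EVNX0R123456", "method": "sampled read-back", "result": "pass"})
    led.append("LT-0427", "destroyed", "itad-vendor", "2024-06-12T13:00:00Z",
               {"drive_serial": "S4EVNX0R123456", "method": "shred", "certificate_id": "COD-2024-0881"})
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(verify_chain(ledger.events), audit_asset(ledger.events, "LT-0427"))
```

The point of the hash chain is that the vendor's certificate of destruction becomes one piece of evidence inside a record that the company itself wrote and can re-verify, rather than the only artifact; in practice the ledger would also be signed by each actor and stored outside the vendor's control, which this illustration omits.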