One of the most significant cost drivers for IT asset disposition is the need for data security. The costs of a data breach of any type have skyrocketed – both in fines and bad publicity for your company. If you want to make sure the sensitive data stored on the drives of your company’s retired IT equipment won’t make it to the outside world, you have two options: physically destroy the drives or sanitize (wipe) the data on them. Physical destruction can seem like the most secure option, but if you’re planning to recover some of your IT investment by remarketing your equipment, keep in mind the difference in resale value between systems with hard drives and those without can be up to 30 percent. Done properly, data sanitization can help you keep ITAD costs down, but how can you ensure your ITAD provider will remove your data according to the latest industry standards and best practices? How do you know you aren’t at risk for a costly data breach? You could investigate your data sanitization partner’s procedures yourself, but that takes time and resources. Look for industry certifications to validate your vendors’ capability and compliance. For data sanitization, one of the most respected is AAA certification from the National Association for Information Destruction (NAID).

How NAID AAA certification works

The National Association for Information Destruction is the international trade association for companies providing information destruction services. NAID’s data sanitization program is recognized as an industry-leading certification for data erasure. To gain NAID certification, data sanitization providers must undergo a rigorous audit process. NAID described the audit process in its white paper, “NAID – Keeping its eye on the data destruction ball.”

According to NAID, the steps of an NAID audit for plant-based hard drive sanitization are:

1. A Certified Protection Specialist (an auditor with the highest certification from ASIS International) visits a sanitizing facility with two drives bearing the same data.
2. The auditor follows one of the drives through the sanitization process and checks if each step lines up with the sanitization provider’s written procedures.
3. The provider wipes the second drive while the auditor conducts employee screening and a physical security audit.
4. The auditor takes two random drives from the provider’s inventory and sends them, plus the two original drives, to a top forensic lab for validation.
5. The NAID auditor also verifies quality control logs, randomly tests employees’ knowledge of data erasure policies, and inspects CCTV image capture and alarm logs.

NAID performs both annual and  unannounced audits each year on the organizations it certifies. Recognizing that many organizations believe it is more secure to have data sanitized from their equipment before it leaves their facilities, NAID now also offers a Certificate of Onsite Sanitization Operations. The NAID auditing process for onsite sanitization operations is just as rigorous, focusing on employee screening, validation of employment and training, and quality control validation and documentation. Whether you partner with an onsite or plant-based data sanitization partner, NAID AAA certification ensures your vendor meets the highest standards for data erasure and you will not have to worry about the cost to your organization of a data breach.

A holistic ITAD program will help you protect your data and keep costs down

A programmatic approach to IT asset disposition minimizes the risk of data breach and its associated costs by putting in place specific roles and procedures enterprise-wide for every link in the ITAD chain. The most secure ITAD program is a holistic ITAD program. Our IT Asset Manager’s Guide to Disposition discusses how a holistic ITAD program can respond to your concerns about ITAD costs, investment recovery, and integrating disposition data into your existing asset management system.