How to Avoid Off-Network Risk Prior to Data Erasure

What does it mean for an IT asset to be off-network? Simply defined, an off-network IT asset is a piece of IT equipment owned by an organization but disconnected from its network—once you have retired or decommissioned a computer or laptop, for example, but have not yet formally disposed of it. Off-network assets matter to anyone planning a data destruction policy because the majority of data breaches occur when assets are not connected to a network. One study put that figure at 70 percent. That is a huge data security concern, yet the risk often goes overlooked. Once an IT asset is disconnected from the network, it can be difficult to keep track of. Before it reaches its final disposition (reassignment in the IT infrastructure, electronics recycling, or resale), a piece of IT equipment might go through several steps of handling, processing, storage, and transport, each of which presents an opportunity for the equipment and any data stored on it to be lost, misdirected, or delivered to an unauthorized person or entity, which is a data breach.

Managing Off-Network Risk in Data Destruction Policy

The first step to reducing the risk of a lost asset or a data breach triggered by a lost off-network asset is to ensure your process for handling, storing, and moving assets can track the assets. If each of your offices piles up decommissioned assets in a storage area for a period of time, do you know exactly what’s in that pile? Who has access to it? Even without a sophisticated asset tracking system, your policies and procedures can ensure that you know where the assets are and their status.

If assets are to be disposed of rather than redeployed, your process should ensure that you know which assets have actually been handed over to the vendor, and which have not. Chain-of-custody services from your ITAD vendor can help you confirm the status of every asset in the disposition process.

The other key step is to choose a method for destroying the data stored on the asset. There are two basic options, each of which could be performed at your location (prior to disposition) or at your ITAD vendor’s facility:

  • Physically destroying the storage device using a method that meets the NIST SP 800-88 standard; or
  • Sanitizing (completely overwriting) the data so that it cannot be recovered but the drive can be used again.

Each method has its own benefits and risks for asset value and for security, and should be chosen based on factors such as the re-marketability of an asset and your company’s data security policy. You should also examine your own processes to determine the best point in the decommission and disposition workflow at which to perform data destruction. A knowledgeable IT asset disposition or data destruction vendor should be able to provide you with guidance.

NAID Certification: A Sound Requirement to Manage Risk

A secure data destruction method is just one element of planning to reduce off-network risk. You need to be able to track your assets from the moment they complete their service on your network to the moment the data has been sanitized or destroyed—and you need the documentation to prove it when challenged in an audit. One of the key requirements for data destruction providers that receive AAA certification from the National Association for Information Destruction is that they maintain a strict chain of custody, with tracking and documentation to back it up. That way, companies know where their off-network assets are at all times and what stage they have reached in the data destruction process. For this reason, as well as its reputation as an industry-leading certification for reliable, state-of-the-art data destruction techniques, requiring that your vendors hold NAID AAA certification is a best practice for reducing the risk of a data breach triggered by off-network assets.
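The tracking described above (knowing which decommissioned assets have reached the vendor, which have not, and which can be shown to an auditor as destroyed) can be checked mechanically against a custody log. The routine below is an added example, not code from the original post or from any ITAD vendor; the event names, the certificate field and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict

# "released" = handed to transport, "received" = signed for by the vendor.
# "sanitized" (overwrite/purge) and "destroyed" (physical) both close the risk window.
FINAL = {"sanitized", "destroyed"}

# Constructed sample log, not real data: (asset_tag, event, holder, certificate_id)
EVENTS = [
    ("LAP-001", "decommissioned", "it-ops", None),
    ("LAP-001", "stored", "site-A-cage", None),
    ("LAP-001", "released", "courier", None),
    ("LAP-001", "received", "vendor", None),
    ("LAP-001", "destroyed", "vendor", "CERT-0001"),
    ("LAP-002", "decommissioned", "it-ops", None),
    ("LAP-002", "stored", "site-A-cage", None),
    ("LAP-002", "released", "courier", None),     # never signed for by the vendor
    ("LAP-003", "decommissioned", "it-ops", None),
    ("LAP-003", "stored", "site-B-cage", None),   # still sitting in the storage pile
    ("LAP-004", "decommissioned", "it-ops", None),
    ("LAP-004", "sanitized", "it-ops", None),     # wiped on site, but no certificate issued
]


def reconcile(events):
    """Map each asset tag to its last known holder and a list of issue codes."""
    history = defaultdict(list)
    for tag, event, holder, cert in events:
        history[tag].append((event, holder, cert))
    findings = {}
    for tag, hist in history.items():
        seen = {event for event, _, _ in hist}
        last_holder = hist[-1][1]
        issues = []
        # Handed to transport with no receipt: nobody can say who holds it now.
        if "released" in seen and "received" not in seen:
            issues.append("custody-gap")
        final_certs = [cert for event, _, cert in hist if event in FINAL]
        if not final_certs:
            # Data still intact on an off-network device: the breach window is open.
            issues.append("data-not-destroyed")
        elif final_certs[-1] is None:
            # Destroyed or sanitized, but nothing to show an auditor.
            issues.append("no-certificate")
        findings[tag] = {"last_holder": last_holder, "issues": issues}
    return findings


def open_risk(findings):
    """Tags an auditor would ask about, with the last holder to chase for each."""
    return sorted((tag, f["last_holder"]) for tag, f in findings.items() if f["issues"])
```

Run periodically against the real custody log, `open_risk` gives the list of assets that are off-network and not yet provably sanitized or destroyed, which is exactly what an audit will ask for.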

For more best practices to incorporate into your company’s data destruction policy, download our free guide, “10 Myths About IT Asset Disposition (ITAD) Data Erasure.”
