Jan 22, 2016 - 12:13 PM
When decommissioning servers/desktops and network equipment in this area (yes, there are security implications to network hardware) they usually use a specialist firm that then wipes the hard drives, memory and configurations of the machines and provides back certification of that disposal.
Some of these disposal services will do this onsite as well and then shred the hard drives of the machines; this certificate then lists the serial numbers of the hard drives and the serial numbers of the machines they have been removed from. This can then be attached to a purchase record back to the vendor so that there is an audit trail of the trust doing everything possible to protect its data.
Once the HDD and the configuration are removed you are free to sell on the carcass. You get less money for the desktops and laptops without the hard drives but you do get more money than you are currently receiving. The servers, blade chassis, blades, SANs etc. can still have a high residual value and should net you some decent money.
There are companies that even put back in a new hard drive and create a website for employees to purchase the hardware internally sharing the profit with the organisation.
The policies should be around the data destruction as recorded with the disposal company; the resale internally is a policy you can put in place if you want to go down that route, or you can just get the disposal company to resell externally only. The other policies should be around making sure that your disposal policy and recording of disposal from a hardware audit and software audit standpoint are completed and work correctly, so that as the asset leaves the business its presence in AD, LM tools etc. is removed, which can save you money in license reallocation at substantially more than the asset itself.
I will ask around to see if others are doing this but I don't see any reason why you should get more money for your assets than you currently do.
Jan 24, 2016 - 10:15 PM
Few guidelines snapshot:
Acceptable methods for the disposal of IT assets are as follows:
a) Sold in a public forum.
b) Auctioned online.
c) Sold as scrap to a licensed dealer.
d) Used as a trade-in against cost of replacement item.
e) Reassigned to a less-critical business operation function.
f) Donated to schools, charities, and other non-profit organizations.
g) Recycled and/or refurbished to leverage further use (within limits of reasonable repair).
h) Discarded as rubbish in a landfill after sanitization of toxic materials by an approved service provider as required by local, state or federal regulations.
Jan 25, 2016 - 09:41 AM
The link I have provided below shows the process and key stakeholders. It is a US National Standards Institute Document that I found on the web - there may or may not be more recent documentation out there. The Australian Government published new guidelines in 2014 which may be worth taking a look at.
Remember, your Corporate Risk Officer and/or the Chief Information Security Officer should be making the decisions around what is an appropriate policy for hard drive wiping and hardware disposal - you should only advise. If they decide that the risks associated with a different disposal process outweigh the benefits of increased income from the salvage process, then c'est la vie.
Finally, a couple of other things to bear in mind - desktops and laptops are worth very little (think how little they cost to purchase new) and depending on the age and make of the equipment, the current deal may be the best you'll get - but an RFP will tell you that for sure.
The real value lies in the iPhones and iPads people are using - and they are also risky - have you locked down ActiveSync? If not, you will find that people ARE accessing emails on personal devices, some of which emails contain sensitive attachments. You can't just focus on desktops and laptops these days.