Foundational Documentation for Disposition Services: 2nd edition, Verify, Audit & Document!

During a recent CITAD class we discussed the topic of Due Diligence and the different things we can do to validate our vendor, their qualifications and capabilities, and, more importantly, to define the process for how the disposition services will be performed and the associated expectations. One concept that is central to all ITAM best practices is to have a defined, documented process, and your ITAD services are no exception.

When we think of KPAs, we can break them into categories like Core, Operating and Controlling. What I want to talk about in this 2nd edition on ITAM documentation is Controlling Documents: the documents we should have in place after a disposition service has been completed, to ensure that our data security requirements, compliance requirements, inventory management and sustainability goals have been met and documented in support of your ITAM Goals of Maximizing Benefits and Minimizing Risks!

1. Statement of Disposition or Settlement Statement

This document gives a summary of the services performed, with details by asset, to support your ITAM Goals as defined in the Statement of Work (SOW). It includes information such as:

    • Work Order Number
    • Date of pick up and Date completed
    • List of items
    • Final Disposition – Destroyed, Recycled or Resale/Reuse
    • Signatures of the responsible parties

2. Certificate of Destruction and/or Recycling

These certificates document specifically which assets were destroyed and should include asset list detail (in the case of hard drives or specific hardware destruction requirements). The Certificate of Recycling (COR) defines the materials, usually by weight, that were recycled and states that the materials were processed in a specific manner or to a specific certification. This supports your Sustainability goals and will support carbon footprint reporting.

3. Detailed Asset Audit

This document shows the make, model, serial number, and customer asset tag number of each asset. It should be provided for all data-bearing assets and hard drives, and is often recorded for all hardware assets. This supports inventory reconciliation and transfer of ownership, as well as data security and environmental risk management.

4. Bill of Lading and Logistics Documentation

These document the date of pick up, the date of receipt, and the signatures of your company, the logistics driver, and the receiving company. They may include a detailed list of assets to serve as a Transfer of Ownership, or may just list the number of pallets, skids, or boxes. It is imperative that you, the shipper, know what you are sending out to be processed. It would be unwise to send out a box of assets without knowing what is in it and, unfortunately, this is often the case.

5. Other Documentation

There can always be additional documentation depending on special projects or asset types. You may require photographs or videos of hard drive destruction or data tape shredding. You may require photos of sealed containers or trailers of assets that have been in transit. You may also ask your vendor to provide a Certificate of Insurance (COI) with your company and facilities listed as additional insured. You should also have due diligence documentation on file, such as the results of the vendor's annual facility audits for e-Stewards, R2 and NAID AAA, which are very comprehensive; if there are any concerns, non-conforming activities, or security concerns, you should be notified.

This is not an exhaustive list of everything you may want to have defined, but a good starting point to help protect your interests as well as those of your vendor. Think about what you have in place and what you may need to define and document!