A more secure future

How emerging regulatory trends will change enterprise ITAD.


Emerging regulatory trends soon will alter the internal reporting structure by which enterprises dispose of their information technology (IT) assets. Although this change is limited to enterprise IT asset disposition (ITAD), it is sure to affect the way those enterprises interact with ITAD service providers.

By and large, enterprise ITAD falls under the responsibilities of IT asset managers, who also oversee hardware issues such as device procurement, onboarding and tracking while managing their organizations’ portfolios of software licenses.

As many ITAD service providers know, most enterprises lose track of a significant percentage of their IT assets before they are discarded. This has nothing to do with the ITAD service provider, but it usually becomes apparent when a discrepancy arises between the internal device inventory generated by IT asset monitoring software and the devices accumulated for final disposal.
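The inventory-versus-receipt discrepancy described above, as an added reconciliation check that is not from the article or any ITAM or ITAD vendor's tooling; the CSV columns and every record are constructed assumptions:

```python
"""Reconcile an ITAM inventory export against an ITAD receiving manifest.

Added example, not from the article. All records are constructed; the
column names are assumptions about a typical CSV export.
"""
import csv
import io

# Constructed ITAM export: what the asset-tracking software believes exists.
ITAM_EXPORT = """asset_tag,serial,status
A1001,SN-111,retired
A1002,SN-222,retired
A1003,SN-333,active
A1004,SN-444,retired
A1005,SN-555,missing
"""

# Constructed ITAD manifest: serials the disposal vendor actually signed for.
ITAD_MANIFEST = """serial,received_on
SN-111,2023-11-02
SN-333,2023-11-02
SN-999,2023-11-02
"""


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(itam_csv, itad_csv):
    """Return the discrepancies that must be investigated rather than
    assumed away as 'securely retired'."""
    inventory = {r["serial"]: r for r in load_rows(itam_csv)}
    received = {r["serial"] for r in load_rows(itad_csv)}
    # Retired or missing in ITAM but never received by the vendor: these are
    # the unresolved devices that may hold regulated personal information.
    unaccounted = sorted(s for s, r in inventory.items()
                         if r["status"] in ("retired", "missing")
                         and s not in received)
    # Received by the vendor while ITAM still says 'active': stale inventory.
    received_while_active = sorted(s for s in received if s in inventory
                                   and inventory[s]["status"] == "active")
    # Received but unknown to ITAM: the device was lost track of before disposal.
    untracked = sorted(received - set(inventory))
    return {"unaccounted": unaccounted,
            "received_while_active": received_while_active,
            "untracked": untracked}


if __name__ == "__main__":
    for kind, serials in reconcile(ITAM_EXPORT, ITAD_MANIFEST).items():
        print(f"{kind}: {', '.join(serials) or 'none'}")
```

Each non-empty list is an open item for the incident process, not something the disposal paperwork can close on its own.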

Because it is highly probable that unresolved or missing IT assets contain regulated personal information, regulatory and legal obligations necessitate investigating and resolving their absence. Regulators require such incident investigation because it is the only way to establish whether a missing device constitutes a reportable data security breach.

But, instead of investigating and resolving the possible incident, the overwhelmed IT asset manager could be unaware of the compliance imperative or unwilling to trigger an investigation that could reflect poorly on them. The result remains the same—the IT asset disposal process ends up being used to avert the required investigation by allowing it to be assumed that any unresolved devices were among those that were securely retired.

Why & how enterprise IT will change

According to the Securities and Exchange Commission (SEC), as of December, all publicly traded corporations and investment firms must disclose any material cybersecurity breaches within four days of discovery. These same corporations also must disclose an aggregated summary of material cybersecurity incidents every year, define their overall cybersecurity postures and their boards’ roles and, finally, attest to their capabilities for assuring appropriate cybersecurity reporting and preparedness.

The ITAD services sector notes that ITAD is a cybersecurity issue, as do the National Institute of Standards and Technology, the American Institute of Certified Public Accountants (AICPA), the Financial Industry Regulatory Authority and the Payment Card Industry Data Security Standard. In that case, the mandatory public disclosures and board accountability now codified by the SEC extend to IT asset management (ITAM) as well as to ITAD.

Per the SEC’s disclosure requirements, the key determinant of a reportable cybersecurity incident is whether it is “material”—whether there is the possibility of unauthorized access to personal information. An organization therefore will be forced to demonstrate how it determined whether the personal information on a missing device was or was not exposed to the possibility of unauthorized access. Because this can be shown only by acknowledging and investigating the missing asset, not doing so directly contravenes the new SEC requirement while violating existing data breach notification regulations.

Looking to the future

The unsustainable nature of the current enterprise ITAD model is a direct result of the conflict of interest created when the person responsible for the integrity of IT asset hardware, the IT asset manager, also is responsible for the integrity of the IT disposition process. It is unrealistic to rely on a single department or individual to hold itself accountable.

This type of potential conflict is not new to the business world. For as long as there has been formal accounting and auditing, where checks and balances are required, there has been a segregation of duties or separation of duties (SOD).

The role of SOD is so well-accepted that its absence is one of the most common deficiencies cited in financial audits, one of the most common points of failure in the AICPA’s Service Organization Control (SOC) I and II attestations and usually the first thing forensic auditors look for when investigating internal fraud.

More specific to data security, within the globally recognized ISO 27001:2022, Information Security Controls, control item 5.3, labeled “Segregation of Duties,” stipulates that an organization should identify and segregate responsibilities where conflicts put information security and compliance at risk.

The only way to ensure the necessary integrity and compliance of enterprise ITAD is to create a firewall between it and those responsible for internal ITAM.


Enforcers will have to act

Arguments against the need to separate ITAD from ITAM are inevitable, with much of that pushback coming from the ITAM department itself. The irony is that ITAM will benefit immensely from the change because it will lead to the allotment of greater resources.

With the SEC requiring cybersecurity disclosures of public companies, auditing fiduciaries cannot ignore the issue. Similarly, when such fiduciaries are advising clients, failure to inform them of the risks of unresolved IT assets and ITAM/ITAD conflict of interest would be irresponsible at best and could be devastating to the client and the fiduciary.

It also won’t be long before AICPA/SOC audits and WTO/ISO 27001 audits start dinging organizations that have not addressed the inherent ITAM/ITAD conflict of interest.

For ITAD service providers

When examining the impact of this change on ITAD service providers, the first question to consider is the functional role most likely to inherit the internal ITAD responsibility.

In addition to being completely divorced from ITAM, the new ITAD functionary will have significantly greater influence within the organization. This is required to eliminate any threat or appearance of intimidation and because it essentially is acting as a proxy to the board.

As a result, ITAD oversight likely would fall under the legal, compliance or risk management department, with additional reporting to internal auditing. ITAD service providers also could be given more direct and highly detailed inventorying and receiving instructions and be held accountable for what is received and for reporting and investigating discrepancies.

History has proven that a higher degree of scrutiny helps data destruction service providers that are prepared to withstand it.

Robert (Bob) Johnson, CSDS, CIPP/US, is the principal advocate at Privata Vox LLC, Phoenix, and can be reached at rj@privatavox.com.

November 2023