This policy is designed to protect organizational resources by establishing policies and procedures for asset control as it related to End-of-Life (EoL) IT assets for 365 Retail Markets and partner organizations. These policies will help prevent data loss when EoL IT assets are decommissioned and disposed of.
Production Equipment, Kiosks, and Card Readers
IT assets utilized in 365 Retail Market’s production environment, including kiosks, POS devices, and card readers, are to be returned to 365 Retail Market’s Hardware team for decommissioning. Once received by our hardware team, these IT assets are subject to the below EoL disposal procedures. Similarly, each of 365’s partner organizations are required to establish procedures for the return of their production equipment, as well as identify employees responsible for the decommissioning of production equipment.
Non-Production Assets, Workstations, Etc.
Non-production IT assets (such as employee workstations, networking devices, printers, and other office equipment) are to be returned to the appropriate organization’s IT team when they are identified as EoL. Otherwise, these IT assets are subject to the same EoL disposal procedures as Production Equipment.
End-of-Life Disposal Procedure
End-of-Life disposal procedures vary based on the type of IT asset being decommissioned. Typically, these procedures include the removal of all storage media attached to the device, clearing/overwriting said storage media, and the destruction of said storage media either by 365 Retail Market’s IT department, hardware department, or by an approved vendor. The procedure for decommissioning IT assets is outlined in the below workflow.
Clearing Storage Memory
Where applicable, and while the EoL device is still operable, it must have its storage drive reformatted and all readable disk space overwritten with zeros (zero-filling). When not applicable, the device should be subject to a factory reset, or comparable alternative, to limit the amount of data easily accessible on the device.
Removable Storage Disposal
If the EoL device has a form of removable storage media (HDD, SSD, USB, etc.), the device must be disassembled to remove this storage media. This storage media is then either stored for destruction via an approved vendor, or subject to destruction by appropriate 365 Retail Markets staff via industry-approved methods.
Once an EoL device’s memory is cleared/removed, the remaining device is considered e-waste. E-waste generated from the EoL decommissioning process should be boxed and stored until it can be disposed of via an approved vendor. Each partner organization is responsible for locating a certified IT assert disposal vendor capable of providing a certificate of destruction. All e-waste must be stored in a secure area. Storage media such as hard drives, SSDs, external drives, etc. should be stored separately from miscellaneous e-waste, as these devices require specialized destruction through an approved vendor.
In addition to updating internal asset-tracking databases, 365 Retail Markets staff are to document all devices decommissioned using the template found in Appendix A. Additionally, e-waste disposal vendors are to provide documentation certifying the destruction of EoL e-waste. These documents are to be retained for recordkeeping purposes.