
IT Asset Managers Beware "Shadow Risks" - Part 2 Hardware Accountability & Security

Published: November 23 2009, 02:00 PM
by Shawn Sande

Read Part 1: The Landscape of Risk

Hardware Accountability & Security: Who Has It, Who Owns It and Where Is It?

Suspend disbelief for a moment, and assume "Company A" lacks a formal ITAM program, or indeed any ITAM program at all. Let's also assume that a high-profile executive from Company A announces her departure from the company effective the end of the fiscal year. But two months before this announcement, she is issued a brand new laptop. Her old laptop is returned, tagged for disposal and placed on a shelf in an IT storeroom. On her last day with Company A, our executive dutifully returns her "new" laptop, turns off her BlackBerry and walks out the door. The "new" laptop is shelved and forgotten. A month later, a developer's laptop crashes, and he quickly needs a replacement. One is hastily pulled from the shelf and given to the developer. Lo and behold, it's our executive's "new" laptop, as the developer finds out when he turns it on. The developer then leverages confidential insider information on the laptop to make a small fortune shorting Company A's stock. And the executive's old laptop? It's sold for "scrap," shipped to a developing nation, hacked, and finally immolated in a noxious bonfire.

Okay, I'll readily admit that this scenario is far-fetched, but we've all heard horror stories of hardware and media ending up where they're not supposed to be or "sprouting legs and walking off."  It happens all too often, especially in government, financial services and healthcare, threatening patient privacy, identity protection and even national security.

Physical security begins with regular inventory reconciliations and active monitoring of asset whereabouts (i.e., surveillance). Security is further enhanced through a comprehensive IT asset repository that can track the type of data stored on hardware and aid in configuring escalations for hardware that fails to appear on inventory scans. IT asset managers can even collaborate with their counterparts in Desktop Management to employ Active Directory services to configure BitLocker encryption for fixed and removable storage on Windows Vista and Windows 7 devices. The key is tracking these lifecycle events to ensure consistent application of physical security policies. The alternatives are painful: class-action lawsuits, damage to reputation and penalties stemming from regulatory non-compliance.
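The reconciliation-and-escalation step described above, as an added example that is not part of the original post and not code from any CA product: a small Python script compares a constructed asset repository against constructed discovery-scan results, escalates every device not seen within a grace period with a severity driven by the data classification and encryption state recorded for it, and separately lists hardware the scan found that the repository does not know about. The asset tags, owners, locations, severity policy and seven-day grace period are all assumed sample values.

```python
"""Inventory reconciliation with escalation for hardware missing from scans.

Added illustration, not CA's or the author's code. The asset repository,
scan results and severity policy below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed escalation policy: severity follows the data classification
# recorded for the device in the asset repository.
SEVERITY_BY_CLASS = {
    "public": "low",
    "internal": "medium",
    "confidential": "high",
    "restricted": "critical",
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Asset:
    tag: str          # asset tag from the repository
    owner: str        # who has it
    location: str     # where it is supposed to be
    data_class: str   # type of data the device is known to hold
    encrypted: bool   # full-disk encryption (e.g. BitLocker) enabled?


# Constructed repository records.
REPOSITORY = [
    Asset("LT-1001", "exec-jdoe", "HQ-12F", "restricted", True),
    Asset("LT-1002", "dev-asmith", "HQ-3F", "confidential", False),
    Asset("LT-1003", "it-storeroom", "IT-STORE", "internal", True),
    Asset("LT-1004", "hr-bjones", "HQ-5F", "confidential", False),
]

# Constructed discovery-scan results: asset tag -> last time an agent or
# network scan saw the device. LT-1003 never appears; LT-9999 is not in
# the repository at all.
SCAN = {
    "LT-1001": datetime(2009, 9, 20, 9, 30),
    "LT-1002": datetime(2009, 11, 22, 17, 45),
    "LT-1004": datetime(2009, 11, 1, 8, 0),
    "LT-9999": datetime(2009, 11, 23, 10, 0),
}

NOW = datetime(2009, 11, 23, 14, 0)


def reconcile(repository, scan, now, grace_days=7):
    """Return escalation records for assets not seen within grace_days.

    Severity comes from the data classification; an unencrypted device that
    holds confidential or restricted data is always escalated as critical,
    because a lost disk in that state is readable by whoever finds it.
    """
    cutoff = now - timedelta(days=grace_days)
    escalations = []
    for asset in repository:
        last_seen = scan.get(asset.tag)
        if last_seen is not None and last_seen >= cutoff:
            continue  # seen recently: nothing to do
        severity = SEVERITY_BY_CLASS.get(asset.data_class, "high")
        if not asset.encrypted and asset.data_class in ("confidential", "restricted"):
            severity = "critical"
        escalations.append({
            "tag": asset.tag,
            "owner": asset.owner,
            "expected_location": asset.location,
            "last_seen": last_seen,          # None if never scanned
            "severity": severity,
        })
    return sorted(escalations, key=lambda e: (SEVERITY_RANK[e["severity"]], e["tag"]))


def unregistered_devices(repository, scan):
    """Tags seen by the scan but absent from the repository: hardware nobody
    has accounted for, which is its own shadow risk."""
    known = {asset.tag for asset in repository}
    return sorted(tag for tag in scan if tag not in known)


if __name__ == "__main__":
    for rec in reconcile(REPOSITORY, SCAN, NOW):
        print(f"{rec['severity']:>8}  {rec['tag']}  owner={rec['owner']}  "
              f"last_seen={rec['last_seen']}")
    print("unregistered:", unregistered_devices(REPOSITORY, SCAN))
```

Run as a script it prints the three escalations (two critical, one medium) followed by the one unregistered tag. The grace period is a parameter because the right value depends on how often the scan actually runs; a device that is only seen on a monthly scan should not be escalated on day eight.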

Security: Disk Wipes and Bare-metal Reimaging

Failing to properly sanitize hardware before transfer or retirement can expose an organization to significant legal and financial risk. Risk invariably invites government oversight, as it has in the US (SOX, FACTA, GLB, HIPAA), the EU (EUPUD) and Canada (PIPEDA), so the burden on organizations to properly process hardware transfer or retirement is multiplied by regulatory compliance. Again, leveraging a comprehensive IT asset repository to log and track these lifecycle events is crucial to attenuating an organization's risk profile.
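One way to use a lifecycle log for this, as an added example rather than code from the original post or from any CA product: the Python script below audits a constructed set of asset lifecycle events and reports every transfer or disposal that was not preceded by a verified disk wipe or a bare-metal reimage since the device last held a user's data. The event names, the rule that an unverified "wipe" record does not count, and the sample asset tags and dates are all assumptions made for the illustration.

```python
"""Sanitization audit over asset lifecycle events.

Added illustration, not CA's or the author's code. It checks a constructed
lifecycle log and reports every transfer or disposal that was not preceded
by a verified disk wipe or a bare-metal reimage since the device last held
user data. Event names and the "verified wipe" rule are assumed policy.
"""
from collections import defaultdict
from datetime import date

# Events that prove the disk no longer holds the previous user's data.
SANITIZING_EVENTS = {"wipe_verified", "reimaged"}
# Events after which the device must be treated as holding data again.
DATA_EVENTS = {"assigned"}
# Events that move hardware out of the organization's (or the team's) control.
RELEASE_EVENTS = {"transferred", "disposed"}

# Constructed lifecycle log: (asset tag, date, event). Deliberately out of
# order, as records pulled from several systems usually are.
EVENTS = [
    ("LT-2002", date(2009, 11, 10), "disposed"),
    ("LT-2001", date(2009, 8, 1), "assigned"),
    ("LT-2003", date(2009, 9, 2), "wipe"),            # wipe run, never verified
    ("LT-2001", date(2009, 10, 16), "wipe_verified"),
    ("LT-2004", date(2009, 7, 2), "reimaged"),
    ("LT-2002", date(2009, 6, 1), "assigned"),
    ("LT-2004", date(2009, 11, 20), "transferred"),
    ("LT-2001", date(2009, 10, 20), "transferred"),
    ("LT-2003", date(2009, 5, 1), "assigned"),
    ("LT-2004", date(2009, 3, 1), "assigned"),
    ("LT-2004", date(2009, 7, 10), "assigned"),       # reissued after reimage
    ("LT-2003", date(2009, 9, 5), "disposed"),
    ("LT-2002", date(2009, 11, 1), "returned"),
    ("LT-2001", date(2009, 10, 15), "returned"),
    ("LT-2004", date(2009, 11, 15), "returned"),
    ("LT-2003", date(2009, 9, 1), "returned"),
]


def audit_sanitization(events):
    """Return {tag: [violation, ...]} for releases without prior sanitization.

    Each violation is a dict with the release date, the release event and a
    reason. Assets with no violations do not appear in the result.
    """
    by_asset = defaultdict(list)
    for tag, when, event in events:
        by_asset[tag].append((when, event))

    violations = defaultdict(list)
    for tag, history in by_asset.items():
        sanitized = False          # no proof yet that the disk is clean
        unverified_wipe = False    # a "wipe" event with no verification record
        for when, event in sorted(history):
            if event in SANITIZING_EVENTS:
                sanitized, unverified_wipe = True, False
            elif event == "wipe":
                unverified_wipe = True
            elif event in DATA_EVENTS:
                # Reissued to a user: whatever was done earlier no longer counts.
                sanitized, unverified_wipe = False, False
            elif event in RELEASE_EVENTS and not sanitized:
                reason = ("wipe recorded but never verified" if unverified_wipe
                          else "no wipe or reimage recorded since last assignment")
                violations[tag].append({"date": when, "event": event, "reason": reason})
    return dict(violations)


if __name__ == "__main__":
    report = audit_sanitization(EVENTS)
    for tag in sorted(report):
        for v in report[tag]:
            print(f"{tag}: {v['event']} on {v['date']} - {v['reason']}")
```

Of the four sample assets only LT-2001 passes: LT-2002 was disposed of straight from the shelf, LT-2003 has a wipe record with no verification behind it, and LT-2004 was reimaged once but then reissued to a user and transferred without being sanitized again. The reimage-then-reissue case is the one that a simple "has this device ever been wiped?" check misses, which is why the audit resets the sanitized state on every assignment.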

In the final installment of this series, tomorrow, I will address some of the shadow risks posed by disposal.

By: Shawn Sande
Shawn Sande is a Senior Marketing Strategist in CA’s Service Management Product Marketing organization. Shawn is a seasoned industry veteran with over 15 years of professional marketing and business development experience, including 14 years in the information technology industry. In addition to two...