Device decommissioning policies
This blog article is one that was requested for on our YouTube channel by Hasa and is based around device commissioning policies and how you go about implementing and managing them within the business.
Now, one thing that I’ve seen a lot of in my career over the last 30 odd years or so is that people don’t think about what needs to be done when people leave the business or devices are no longer needed. I may be going from an old school type scenario, but a lot of the time people within business think that anything that has a plug on the end is the sole responsibility of IT. Even disabling accounts and redirecting or closing down email accounts are deemed to be IT’s responsibility.
Which in some part is true, but ideally it should come from a proper decommissioning or offboarding process which has been agreed by management and controlled or managed by HR or another department. Now for this blog article we are mainly going to be concentrating on the decommissioning and offboarding of actual physical devices, not the staff and users.
When it comes to devices and the management of them, the industry has seen a big shift recently on the way that people manage them, especially when the world was basically forced to start working from home for months at a time. A lot more people are now looking to use cloud related technologies to help with home working and business resilience, people have also started looking at how to manage and control devices within the business a lot more now, now that the devices are not based within the office as much.
This is where one solution, Mobile Device Management or MDM comes in to play. By using software and systems such as Microsoft Intune or Jamf you can configure and manage your devices from a central location and this helps in in removing software, wiping devices and generally managing your devices.
However, it’s not a quick win and done properly requires a lot more effort than simply configuring some device management software and deploying to all devices. Firstly, you should be looking at building up or creating a new device decommissioning policy, which when completed will be made available to all the appropriate staff. This policy will form the basis of managing devices through a series of steps once the time comes for removing a device out of service.
Its an important policy to have in place as it allows you to have a defined approach which controls how devices are removed from service, but it also allows you to record what devices are active, how many devices have been removed out of service and gives you the ever-important evidence should you be audited at any stage in the future.
So now that you have a policy created in whichever editor you favour, you need to start from the beginning, this involved planning and auditing. Which if you have all this documented will be painless, but you should go over your records to ensure that everything is correct.
However, if you haven’t got an asset register, or are not sure that you have one place you should ensure that you document all your devices, this should include, you workstations, laptops, mobile devices, switches, firewalls, printers, you name it, document it. For documentation you should look to include the Device name, IP address, vendor name, the model number, serial number, and the list goes on. The more information you have the better information you have. But this can be completely down to you and how your business works.
Now, once you are in the planning stage of this process, ideally you should allocate a project manager, or if you don’t have or use project managers, appoint someone who is in charge of this project, this allows for decisions to be made on how to progress.
As part of the planning, you should also look at your local or country laws, are there anything specific for disposal requirements of electronic equipment? Here in the UK, we have WEEE directive, which states how you can go about recycling your electronic equipment. Once you know what you can and can’t do, it should be documented alongside your device information.
Next, once you have a list of all your devices, it’s time to move onto defining and working out the procedures for the actual decommission of devices. As part of the decommissioning process, you should ensure that any information located on the device is backed up, if it’s not being backed up to the normal place, make a record of where is being backed up, why its backed up and how long it needs to be kept for.
If there are any subscription-based services installed locally on the device, then you should ensure that these are removed to ensure that you have your licenses in check. The next stage depends upon what you do with your physical drives when it comes to servers, workstations, and laptops, if you have confidential information on these devices you should look to remove the information and either destroy the drives physically or use some software to ensure the data is properly removed. If, however you use a third-party company to manage the decommissioning of your devices, for example a managed IT provider, you should ensure that you get everything logged from them, make sure that things are recorded, for example when the device was handed over to the IT provider, what did the provider do and where did the device go later. The last thing you want to do is having missing hardware.
The last phase or section is, is the actual disposition of the device. Depending upon how your business works, you may repurpose the device for someone else, but if you are looking to dispose of the device after many years’ service you should then ensure that if you are going to give away your devices that the previous steps have been followed, that all confidential and personal data has been removed, that the drives have been properly wiped or removed and that everything has been recorded.
If you are going to use a third party to dispose of the devices, you should ensure that you get a record of collection and that should be it. Obviously, it’s hard to talk about decommissioning policies to have a one size fits all, but this should give you some information to think about and define a policy for your business. The main points are to plan, document, erase, document more and ensure that all staff know what to do.
With that, I hope that this article has been of some use and gives you some ideas on how to properly decommission your devices when they are longer needed.