When considering computer recycling, the first question is what you need to consider when choosing a partner. At Concept, we feel that it is very important to choose well.
The things you need to consider are:
- On-Site Services
- Business Credentials
- Pre-Collection Criteria
- Logistics
- External Site Security
- Internal Security
- Process
- Software Systems
- Environmental
- Reporting
- Sub-Contractors
Why should you choose Concept Management:
On-Site Services
Whilst focus on the actual process of data destruction or sanitisation is key, there is a whole host of areas which require attention to ensure a safe, controlled environment for these services.
This section covers documented evidence to show physical control over the environment, ensuring that: IT assets under the control of Concept Management are securely managed; Concept Management’s facility is secure; access to the facility is secure; and staff (both Concept Management and client) are clear on their respective roles and responsibilities within the process.
In addition, there is a crucial need for a formal and controlled process to be followed to ensure inventory control is in place and the chain of custody on the assets is clear.
Finally, the use of the correct tools to perform data destruction or sanitisation is essential, as is having the same verification and quality checks in place before a final sign-off and release stage.
- Full inventory of equipment to be verified before work commences.
- Written documented evidence of the following:
- Process for data erasure / destruction.
- Agreed schedule of works to include any additional services on top of data erasure.
- All personnel undergo screening to a minimum level of BS7858.
- Any further off-site processing to be agreed prior to work commencing.
- All data bearing devices will be scanned, HDDs removed, scanned and then physically destroyed. Should an HDD be missing from a parent machine, a member of the IT Team must be informed immediately.
- References available for on-site works.
- Insurance policies are in place in accordance with the client's required level.
- Risk assessments and site survey carried out before the commencement of work.
Business Credentials
When choosing a supplier for these critical IT security services, the starting point should be an assessment of the status of their business. This includes basic financial checks, verification of claims for certifications, levels of insurance, and confirmation and verification of published references.
- Satisfactory IG Toolkit
- A Dun and Bradstreet risk indicator of 2 or better
- Concept Management to provide a full written procedure for each stage of equipment processing which outlines data destruction, auditing, test, and repair processes.
- ISO 9001.
- ISO 14001.
- ISO 27001
- Data security protection toolkit
- Member of the British Security Industry Association
- Public Liability Insurance
- Employee Liability
- Professional Indemnity Insurance
- ICO Registration
- A written contract with each client covering all services undertaken.
Pre-Collection Criteria
A robust process must begin with an exchange of information and documentation between us and the Client that clearly identifies the number of assets for collection; how the assets are identified (e.g. serial number); an agreed asset reconciliation process; sensitivity of data-bearing assets; confirmation of service required; pre-collection agreements and service level agreements and transfer of custody (if any) arrangements. Without this information, the chain of custody and service structure cannot be initiated until equipment arrives on site. Without these foundations, the process as a whole is weak and potentially insecure.
- Written agreement for the service to be undertaken prior to work commencing.
- Inventory list required – box count minimum standard.
- Confirmation and agreement on the type and mode of logistics.
- Inclusion of peripherals and accessories is encouraged for re-use.
- Inventory list required which provides a unique identifying reference.
- Inventory list required which includes hard drive serial numbers.
- Transfer of custody to be agreed in writing.
Logistics
Risk of loss of assets during the transportation process is assessed both in terms of the probability of physical loss or theft and in terms of control and management of the chain of custody. It is imperative that equipment collected is controlled such that verification on receipt is confirmed and hence the risk of potential losses during logistical transfer is mitigated.
- GPS Tracked, dedicated vehicles to be used.
- Electro or mechanical immobiliser.
- Alarmed.
- Communication with base via telephone or radio.
- Solid sided vehicles. Curtain sides are NOT allowed.
- Imposter prevention is essential – Photo ID for driver provided.
- Drivers to be security cleared to at least BS7858.
- Inventory managed on and off the vehicle with a box count.
- Additional or non-inventoried items should be manually added to paperwork and signed for.
- Equipment is packaged properly at point of collection. Bubble wrap, crates and cages are used. This is to ensure the quality of the equipment is maintained during transportation and therefore re-use opportunity is maximized.
- Vehicles with generic sign writing are used.
- Imposter prevention – driver details and vehicle details are issued to the client prior to collection.
- The ability to provide uniformed and un-uniformed staff to accommodate client demands.
External Site Security
All aspects of Concept Management’s site need to be secured to deter either the casual opportunist intruder or a determined planned attack. As such, both physical and technology deterrents need to provide overall site security.
- Concept Management have an intruder alarm installed to EN50131-1, monitored by an approved BS5979 alarm receiving centre.
- Vehicles are unloaded under cover of CCTV.
- Vehicles are unloaded inside the facility.
- To deter the casual opportunist Concept Management do not have any external signs of IT activities such as obvious signage, equipment stockpiles or advertisements.
- Concept Management have site gates and external fencing. Ram Bars, grills and other physical measures are also used.
Internal Security
Controlling the potential for insider theft is a well recognised element in the management of internal security. Concept Management implements robust internal security countermeasures, completes staff spot checks and has controls that mitigate the risk of this potential threat. Concept operates the Administrative Office separately from the Operational Activities.
- All personnel that work in or have access to the data processing area undergo screening to a minimum level of BS7858.
- No visitors are allowed into data processing areas unless they have their identification verified and it is recorded. (NB: This includes drivers, tradesmen and office visitors)
- All internal access points to the processing facility have controlled entry systems.
- CCTV is essential for the following areas:
  - Unloading and loading areas, which are extensively covered.
  - Access points.
  - Data processing area.
- CCTV coverage is backed up daily, stored in a fireproof safe and retained for a minimum of 31 days.
- The premises are not shared with any other organisation.
- Visitors wear clearly visible badges / vests and are escorted in processing areas at all times.
- The processing area is physically segregated from any other activity being carried out at the premises.
- The processing facility has its own security checks from the general facility to include bag and coat check in, staff searches and controlled access.
- Concept use an EN50131-1 intruder alarm which is monitored.
- All personnel are required to sign a Non-Disclosure Agreement as part of their employment.
Process
The chain of custody is imperative in risk management within asset retirement and as such, once inside the confines of the facility, the continuation of a controlled process is critical. Each stage is reviewed and the risk of failure in the process is assessed. Concept Management look for the potential scenarios whereby a robust process might fail due to an unforeseen issue and assess whether that is an unacceptable risk. Review of both written and actual processes is undertaken, as well as assessment of the technology used to perform and manage services.
- Every collection is processed and individually tracked within 24 hours of receipt at the facility.
- Data carrying equipment is stored in a segregated area from post process equipment. This is in a secure and physically segregated area.
- Each asset is audited to obtain full build specification.
- Each asset is tested to check functionality.
- Each asset is graded to confirm physical condition.
- Data carrying items undergo a data sanitisation process using nationally approved, CESG-approved software.
- Any data carrying device which fails is removed from the parent machine and individually barcoded, and on-site physical destruction will take place within a controlled and documented process.
- Every data carrying device which is received for end of life processing will undergo the same process regardless of any assurances from the Client that they have already destroyed the data.
- There is a documented quality control process which will test a sample number of hard drives and all other data carrying assets after the data erasure process to ensure that the data has been overwritten.
- All equipment undergoes de-branding where asset tags and other non-relevant markings are removed.
- All equipment which is to be re-used is cosmetically cleaned and where financially viable any missing components will be replaced to ensure maximum opportunity of re-use.
- Evidence of how the inventory is managed throughout the process is shown.
- Data carrying and data safe items are physically segregated.
- The maximum length of time from the point of collection until the point of data destruction is 10 working days.
- The chain of custody should start before collection and shall be verified on receipt at the facility, and at the end of the process itself.
- Each device has the chassis opened to check for unconnected data carrying media such as hard disk drives, and full physical checks are made for other storage devices (CD drawers etc.).
- Loose or separate data carrying media will be individually tracked on the system and classified as a separate asset. The same processes and procedures are applied to these.
- The destruction of Confidential Materials takes place within one working day from arrival at our facility.
Software Systems
Records created during the processing of assets need to be safeguarded so that in the event of a disaster or theft the records can be recovered. Concept Management can provide details of backup policies, including the frequency of backup, the media type used, where it is stored, and how regularly recovery is re-tested.
- Processing Database is backed up daily.
- Backup is stored in a secure, fire retardant location on site.
- Backups are tested monthly.
Environmental
Environmental legislation is a difficult, oft misunderstood topic that is subject to wide interpretations. There is a variance in interpretation and as a result, an opportunity arises to operate under exemptions whilst processing EEE, UEEE or WEEE.
However, Concept Management insist on being an Environment Agency approved ATF and AATF and can provide environmental permits and credentials, written procedures for all recycling activity undertaken on site, and evidence of management of downstream partners who may perform subsequent processes on e-waste.
Concept Management also encourage maximum opportunity of re-use of all equipment with the Client being identified as the key decision maker within the process.
- A written process for treatment of waste (WEEE) is provided.
- All material received is classed by Concept Management as WEEE, therefore we will hold an environmental permit (waste management licence), i.e. ATF & AATF.
- We hold a Duty of Care Licence
- We hold a Waste Carrier and Broker Permit.
- When material received is hazardous waste it must be managed in accordance with:
  - The Hazardous Waste (England and Wales) Regulations 2005 (as amended) where it arises in England or Wales.
  - The Hazardous Waste Regulations (Northern Ireland) 2005 where it arises in Northern Ireland.
  - The Special Waste Regulations 1996 (as amended) where it arises in Scotland. (See Section 5)
- When we receive WEEE, we are able to demonstrate that we treat WEEE according to the guidance on best available treatment, recovery and recycling techniques (BATRRT – See Section 5).
- Each collection has assets identified as WEEE (waste).
- Waste transfer notes or hazardous waste consignment notes are created for movement of all WEEE (waste) to and from our facilities.
- Concept Management have personnel in place with suitable levels of qualification (Certificate of Technical Competence, COTC) issued by The Waste Management Industry Training and Advisory Board (WAMITAB).
- Evidence of Environment Agency inspections is available.
Re-Use
Not only does re-use maximise revenue opportunity but it is also significantly better for the environment. Legislation is leaning towards encouraging re-use rather than recycling, but as the first focus of Concept Management is data security, there is a trade-off between ensuring data is securely sanitised and making processing of the asset financially viable for re-use. Concept Management encourages best commercial practice in functionality testing, repair and re-engineering but also considers the commercial viability of these practices. Concept Management provide a return for end of life equipment.
- During the auditing process a decision tree is in place which allows an incomplete or non-functioning asset to undergo some remedial process / repair to make it good for re-use. This decision tree has a written process which shows time versus financial viability of repair.
- Records of all assets either sold on or passed for further processing are kept. These records include unique tracking references of all equipment passed onto downstream suppliers.
- Items which can be damaged by ESD are handled in ESD safe working environments.
- Proactive assessments, audits and management of downstream brokerage and recycling partners are completed annually.
Reporting
Reporting promotes control over the process and therefore self-publicises excellence, but it also demonstrates transparency over the various activities taking place. This openness is essential to show the number of quality stages in a truly robust IT Asset Disposal process.
Concept Management provide an Asset Register, Volume Reports, Waste Transfer Notes, Duty of Care Notes, Hazardous Waste Consignment Notes and Certificates of Destruction.
- Detailed audits are supplied and include asset level detail of build, data destruction and downstream destination of the asset.
- Environmental reporting identifies weight of equipment collected, processed and recycled.
Sub-Contractors
Concept Management do not subcontract any work or employ subcontractors.
For more information call 01204 363184 or email justask@conceptmanagement.co.uk