Skip to main content

Best practices in protecting security during IT asset disposition

There are dozens of privacy protection and data security regulations in place around the world. They all share 4 crucial elements. Be sure your organization has these items in place:

Policy – There needs to be a policy that addresses how personally identifiable information is managed, secured, and eventually destroyed. The policy must be consistent with the organization’s tolerance for risk.

Accountability – There must be an individual or role(s) designated to lead the privacy protection and security program. In healthcare organizations, this person is known as the Privacy Officer. In addition, individuals throughout the organization must be accountable to uphold the security policy in their individuals roles.

Processes – The organization must implement programs and procedures to promote security. This can include trainings, access controls, malware protection software, and contracted data destruction providers. Documented processes guide the organization to properly implement security protection measures.

Verification – In order to ensure processes are properly implemented to support the security policy, there must be a system to check these controls and programs the verify they are effective. This may be accomplished through audits, penetration tests, business continuity drills, or other evaluation methods. Through ongoing verifications, the system can benefit from continual improvement activities.


The benefits of working with Cascade to support your security programs.

Policy – Simply designate “Cascade Asset Management” as your asset disposition provider in your policy. Our third-party certifications and security credentials fulfill policy requirements from HIPAA, FACTA, GDPR and other privacy regulations for the destruction of personally identifiable information. In your policy, designate that personal information is destroyed by Cascade consistent with the NIST 800-88 Guidelines for Media Destruction.

Accountability – Ensure the head of security for your organization is registered with Cascade and keep Cascade’s designated security officer information on file. Our security officer is Todd Barelmann, Certified Secure Destruction Specialist from NAID and Director of Operations at Cascade. If you are a Covered Entity (as defined by HIPAA), then execute a Business Associates Agreement with Cascade (here’s a sample BAA).

Processes – Cascade will set up inventory, reporting, data destruction and disposition processes with you in either a simple two-page Service Agreement or more detailed Master Services Agreement. These documented processes ensure a consistent and secure handling of your IT assets and media during disposition. Cascade can also provide you a comprehensive Self Audit Packet that documents all of our permits, certifications, and management systems we have in place to ensure your asset disposition programs are compliant with relevant privacy protection laws.

Verification – Cascade’s data destruction processes are independently certified by the National Association for Information Destruction (NAID) and e-Stewards programs. Third party, accredited certifying bodies spend weeks at Cascade verifying our processes to ensure they are effectively implemented throughout the year. Our detailed record keeping of your asset disposition activity provides independent verification of the effectiveness of your information destruction program and can be shared with your auditors to demonstrate conformity.


Tools and other information: