Over 75% of respondents indicated their organization has a policy in place that addresses how

information on IT assets are to be destroyed when disposed (10% don’t have a policy and the
remaining 15% of respondents weren’t sure if they had a policy).

In some industries or jurisdictions, there are regulatory requirements to adopt a data destruction
policy – and to follow it. When firms create a policy, its important to make sure it addresses risks to
the organization. These can be threats to a loss of data at any stage in the process. A risk can also
be from being found to be noncompliant with regulatory requirements – so be sure your policy is
consistent with the regulations.

We asked respondents what is included in their security policy related to ITAD. The checklist to the
right lists their responses.

Every item on the checklist should be included in a company’s data security policy and program.
Most importantly, employees are expected to be informed and trained on the policy. Keeping a
signed acknowledgment of the policy on file is the best way to demonstrate to auditors that you took
reasonable efforts to train staff, which will prevent compliance fines and should also mitigate
potential data breaches.

Most security regulations require security policies be “reviewed and updated as needed,” which
typically means they should be checked annually. In fact, it is recommended that industries
regulated by privacy protection programs like HIPAA, FACTA or PCI-DSS should review related
security policies annually in order to stay current with changing regulations.

In addition, the types of assets an organization supports and the way they are used by an
organization is evolving on a regular basis and may impact the policy. It’s a good practice to at least
review the policy once per year or whenever major changes take place.

This year’s survey finds companies are more actively reviewing their policies. In 2017, only 60% of
respondents reviewed their policy in the last 2 years. At least now we’re up to 78%.