Subscribe
Sectors
Companies
About

Where to start?

ITAM is a no-brainer and local companies still don't have a handle on it. This could prove to be an expensive omission.

Samantha Perry
By Samantha Perry, co-founder of WomeninTechZA
Johannesburg, 13 Oct 2008

IT asset management (ITAM) should be a no-brainer. It manages procurement, keeps inventory, tracks hardware and software assets and manages licences, maintenance, warranties and so on. It also involves the management of contracts related to leased IT assets.

ITAM, says Gartner, is a fundamental discipline that enables improved cost control and better understanding of IT's business value. “With 80% of the average IT budget spent on maintaining existing applications, ITAM remains one of the most fertile opportunities for continued IT cost reduction,” the company says.

The above paragraphs, which opened the ITWeb ITAM feature last year, are just as relevant today. In fact, we could rerun last year's feature as is and it would still be accurate and relevant. Instead, we're going to look at the consequences of not having your IT ducks in a row, particularly with regard to the disposal of obsolete IT equipment.

Tracker

Letter of the law

While there is no specific legislation dealing with ITAM, companies should bear the following laws in mind in addition to the specific governance, compliance and risk legislation applicable to their sectors.
Environmental law applicable would include the National Environment Laws Amendment Bill (which aims to amend the Atmospheric Pollution Prevention Act (1965), Environment Conversation Act (1989), National Environment Management: Protected Areas Act, National Environment Management: Biodiversity Act, National Environment Management: Air Quality Act), the Acts it aims to amend, and the Waste Management Bill.
Applicable data law/regulations would include:
* The Protection of Personal Information Bill (colloquially known as the Privacy Bill) aims to promote the protection of personal information processed by private and public bodies. The implications of the Bill, once it is enacted, will be that any company that holds information on natural or juristic persons (companies, although this part of the Bill is considered to be contentious and may be removed in later versions) will be required to know exactly what information they have, whether it can be described as personal or sensitive, as opposed to public, and have permission from the person/company to which that information relates to, both to have and use that information. While the Bill is still meandering its way through the legislative process, and is not expected to be promulgated anytime soon, the impact it is expected to have on the way companies acquire, use, store and protect personal information means it's worth getting data houses in order now, rather than having to scramble madly when the Bill finally gets promulgated.
* The Payment Card Industry Data Security Standard (PCI-DSS) affects any company that processes credit card transactions. It covers key security pillars aimed at securing access to personal identity records. Key elements are to securely store these credentials and to identify, manage and report on the access to this data. The PCI-DSS has various scales that certain of the standards are enforced on, depending on the number of transactions processed in a 12-month period. It's applicable to the primary account number and thus companies that are storing, transmitting or processing that account number will have to comply. Organisations that don't comply risk not being able to handle cardholder data, and risk fines of up to $500 000 for lost or stolen data*.
* The King III report is due out for public comment early next year and, according to an ITWeb report published on 21 August, will focus on corporate citizenship and green IT**.
* Lewis Taljaard, Novell
** King III to talk green IT, Paul Vecchiatto, ITWeb, 21 August.

As discussed in previous features, not keeping track of IT assets can be an expensive hobby. Says principal consultant at CA Africa's service management practice Patrick Price: “According to industry experts, organisations that systematically manage the life cycle of their assets will reduce the cost per asset by as much as 30% in the first year alone. Yet today, many organisations have little or no insight into exactly what assets they own, let alone how they can optimise them throughout their life cycle, from requisition to disposal.”

Aside from the cost savings, not managing assets means equipment may be lost, stolen or abandoned in a cupboard without anyone noticing or being able to track it if they do notice. Secondly, rental companies will charge for equipment not returned at the end of the lease term. Lastly, your financial director, having paid for the equipment, is going to want to know where it is before he allocates budget for new equipment.

More than this, however, is the value of the data on any machine that is lost (via whichever means) or improperly disposed of. In today's environment, where corporate governance, risk and compliance are top of mind, companies not effectively keeping track of equipment could be said to be acting highly irresponsibly.

Data on devices needs to be secured, and it needs to be cleaned off devices before these are decommissioned, recommissioned or destroyed. Much written and anecdotal evidence abounds of laptops being left on trains or PCs being sold to second-hand dealers with a drive full of company information.

Says Dell environmental programme manager for EMEA Marcus Albers: “Studies have shown that few companies care what happens to used equipment, and the data on that equipment in particular.”

Magix Integration director Amir Lubashevsky says the more we move towards a mobile workforce, the more information is sitting unmanaged on laptops and other devices or moveable storage media. “One form of intellectual property people always forget is the database of customers and content that sits on cellphone SIM cards. Most employees have customer information, e-mails, contact details on their cellphones. SIM cards are easy to duplicate. There is no management of the data thereon, no commissioning or decommissioning process. Guys move from company to company with this database on their cellphones. Remember the case with IS and Verizon?”

Says CA's Price: “Governance issues related to asset management include software licence compliance [see sidebar] and hardware disposal. A BSA piracy study concluded in 2007 reported that South Africa had a software piracy rate of 34% amounting to losses of $284 million to the software industry.

“The disposal of hardware assets at the end of their useful life is a governance issue that needs to be addressed from both an environmental and a social conscience point of view to ensure usable assets are donated to charities and unusable assets are disposed of with no negative impact to the environment,” he states.

“The Electronic Product Environmental Assessment Tool (EPEAT) programme was launched in 2006 to help purchasers identify environmentally preferable electronic products. By 2007, 25 electronics manufacturers had registered their products on the programme, which will result in a massive reduction in the use of primary materials in the manufacture of desktops and laptops, a massive reduction in the use of toxic materials, including mercury and, as a result, drastically reduce the disposal of tons of hazardous waste. Organisations are being urged to procure new hardware assets produced by these registered manufacturers.”

Waste not

A destruction certificate is not legally acceptable.

Johnny Clegg, director, African Sky

Organisations are also being urged, by the likes of African Sky's Johnny Clegg, to give serious thought to where and how they dispose of their IT assets.

Speaking at the keynote address on the first day of the Gartner Symposium held in Cape Town in August, Clegg said South Africa produces an estimated 50 000 tons of e-waste annually. Ninety-five percent of this, he says, can be recycled.

“There are two components to recycling. The first happens at a separation plant, which separates the components and ships them to various recyclers. The second is at the recycling plant itself. South Africa lacks properly recycling facilities, although it does have many separation facilities. A big question mark for companies is where components from separation plants go. We don't know.

“Most e-waste companies are not compliant with even the basic standards, in this case ISO14001. And the onus is on the companies disposing of the waste. If your stuff is found on an illegal site, the legal framework points to the source of the waste.”

Clegg notes that there are many illegal dump sites in agricultural areas (hidden behind high walls), where casual labour is employed to strip and burn waste, at considerable health risk to themselves and environmental risk to the land the waste sits on, and the ground water beneath it.

“If you're reselling a hard drive, what is your policy regarding the data on that drive? We've found drives being sold to second-hand dealers (who use them to build machines) with the data left on it. Sterilising a hard drive is costly,” he added. “And what is your process for tracking and auditing e-waste? Most providers will give you a destruction certificate. This isn't good enough. You need to make sure through site inspections and other measures that destruction has taken place. A certificate is not legally acceptable.”

Corporates are legally liable to ensure that equipment they auction off to scrap dealers, which will strip and recycle components for the value of the materials such as gold, is disposed of in a compliant manner [see sidebar]. One ton of circuit boards can yield six ounces of gold. While some dealers will give companies a letter stating they accept liability for what happens to the equipment, this is not legally valid, says Clegg.

“The law makes provision for clean-up costs,” he warns, noting that these are higher than the fines posed for breaching environmental legislation (R5 million or 10 years in jail) as a clean-up can take five years and cost hundreds of millions of rand.

SA had a software piracy rate of 34% amounting to losses of $284 million [in 2007].

Patrick Price, principal consultant, CA Africa

At present, as Clegg notes, there is no e-waste specific legislation. There is also no specific 'data eradication' law, but there are broader laws related to environmental affairs, and the duties of responsible corporate citizens that corporates need to bear in mind.

Green IT and security are both high-profile topics, which regularly make headlines. Companies claiming ignorance are likely to get very short thrift.

Share