rfp template for it asset disposition · compliance, and asset reporting. selecting a new vendor is...
TRANSCRIPT
RFP Template for IT Asset Disposition
Sample questions included
Published by Sims Recycling Solutionssimsrecycling.com
November 2018
VALUE RECOVERY
COMPLIANCE
SECURITY
SUSTAINABILITY
CORPORATE REVIEW
Now that it’s time for your organization to retire IT assets and other electronic equipment from service, you’re probably looking for a solution to one of three scenarios:
But once you’ve assessed your equipment condition, how do you find an IT asset disposition vendor that can create a plan tailored to your company’s specific needs?
It starts with asking the right questions.
Selecting the Right IT Asset Disposition Vendor Starts with
Asking the Right Questions
1 You have fairly current technology — PCs, laptops, mobile devices — that you would like to resell.
2 You have a mix of current technology with resale potential and broken or old equipment that needs to be responsibly recycled.
3 You have only broken or old equipment that needs to be responsibly recycled.
In the past, it was not uncommon for companies to select an ITAD vendor without going through a formal selection process. Your company may be one of those and, as a result, you may feel you “settled” for a vendor that only partially meets your corporate ITAD requirements, particularly in the areas of value recovery, data security, environmental compliance, and asset reporting.Selecting a new vendor is a daunting task, particularly when you have concerns about protecting confidential data and satisfying corporate compliance requirements.
Selecting the Right IT Asset Disposition Vendor Starts with
Asking the Right Questions
Implementing change is rarely easy and often inconvenient, however, under the right circumstances, a new vendor can be a catalyst that allows your company to optimize operational efficiencies, achieve compliance requirements, ensure all digital data on retired assets is destroyed and achieve sustainability objectives.
Selecting the Right IT Asset Disposition Vendor Starts with Asking the Right Questions
The following information discusses issues that clients have identified as important when developing their IT asset disposition program.
This document is divided into five sections:
Sustainability Company Related Questions
Value Recovery Compliance Security
The opportunity to generate revenue from your retired assets depends on several factors: • age and condition of the assets• market demand for the assets • components or commodities that can be extracted from recycled equipment • processing costs • documentation requirements • shipping and handling costs of moving equipment
VALUE RECOVERY
Value Recovery Overview
VALUE RECOVERY
Sample Questions
1. What factors drive the cost of services for electronics recycling? To what extent does each of these drivers contribute to the proposed cost?
2. How do you determine the fair market value of our assets?
3. Indicate what, if any, price protection will be available beyond the specified pricing term.
4. How long does it take to generate financial settlements for assets processed?
5. Does your company directly handle recycling of assets with no resale value or do you depend on partners to handle recycling services?
6. How does your organization modify your processes based on changing economic conditions?
VALU
E R
ECO
VER
Y: S
ampl
e Q
uest
ions
Time is the enemy of retired computer assets. Advances in technology render current equipment obsolete within a few years.
VALUE RECOVERY
Resale of IT Assets
A vendor that has a robust, diversified and agile buyer network can maximize your financial return on those assets by quickly moving equipment through their resale network.
VALUE RECOVERY
Resale of IT AssetsSample Questions
1. Describe how your services provide a strategic advantage in the marketplace compared with other ITAD vendors.
2. What value added services do you offer to generate higher ROI in the marketplace?
3. How does your company manage their inventory (e.g., the time limit on how long it’s held before being scrapped)?
4. Are you a Microsoft Authorized Refurbisher?
5. What types of equipment do you resell?
6. How do you ensure revenue from mobile devices is maximized?
RES
ALE
OF
IT A
SSET
S: S
ampl
e Q
uest
ions
VALUE RECOVERY
Resale of IT AssetsSample Questions
7. Please provide the total number of companies to which you are currently providing asset recovery and disposal services, indicating the number of those companies that are Fortune 1000.
8. How does your company split proceeds (net/gross) from asset remarketing and what are the percentages?
9. Describe channels used to remarket IT assets.
10. Describe the types of equipment and parts that your organization resells through wholesale and retail channels. How do you determine what gets sold where?
11. Does your company support redeployment, employee sale or charity programs? Describe.
RES
ALE
OF
IT A
SSET
S: S
ampl
e Q
uest
ions
Recycling obsolete and broken electronics conserves natural resources by reducing the need to extract and process raw materials to manufacture new products. A full-service recycling facility will include• a secure logistics area for shipping & receiving• designated areas for managing parts harvesting, resale,
recycling, data destruction and hazardous materials• sophisticated recycling equipment for optimum commodity recovery• a storage area for separated equipment and commodity materials.
VALUE RECOVERY
Recycling
VALUE RECOVERY
RecyclingSample Questions
1. Does your company have any product or equipment technologies that represent a market advantage in the recycling of assets?
2. Describe your process for recycling assets that have little or no market value or that are scheduled for destruction per the client’s instructions.
3. What IT equipment and electronic waste is included in your disposition process?
4. Describe a recent situation where your company has added value to a client’s project via cost reduction ideas or process improvements.
5. If awarded, would you allow our quality representatives to conduct on-site audits of your quality processes and environmental, health and safety systems?
REC
YCLI
NG
: Sam
ple
Que
stio
ns
VALUE RECOVERY
RecyclingSample Questions
6. Do you have the proper infrastructure to perform recovery, redeployment and end-of-life disposition of our assets? Explain.
7. State your approach to environmental management systems, including adherence to international standards. Briefly explain the relevance and applicability of such standards to your equipment disposal process.
8. Do you perform regular environmental, health and safety audits on your operations? Describe.
9. List standard industry certifications and date certified. Describe any other applicable processes and methodologies.
10. How will you assure that all local/national/international rules and regulations are complied with at all times?
REC
YCLI
NG
: Sam
ple
Que
stio
ns
Electronics contain commodities that can be used to make new products, but they also contain several hazardous materials, such as chromium, lead and mercury. Batteries, mercury relays and bulbs, PCB capacitors, toner cartridges and leaded glass from CRT monitors require special handling to eliminate threats to human health and the environment.
VALUE RECOVERY
Hazard Removal
TIP: Make sure your vendor can provide a certified audit trail of how hazardous materials are handled.
VALUE RECOVERY
Hazard RemovalSample Questions
1. Highlight all byproducts created by the recycling process and how your company handles and disposes of those byproducts.
2. What is your process for identifying, removing and disposing of regulated Materials of Concern or R2 focus materials?
3. Describe your process to review and audit downstream processors. Provide a sample audit questionnaire.
4. How do you prevent the export of hazardous waste, including circuit boards, whole CRTs, and batteries to non-OECD countries for shredding, treatment or handling in any way?
HA
ZA
RD
REM
OVA
L: S
ampl
e Q
uest
ions
There are several aspects of IT asset disposition that have a bearing on corporate compliance, but a lapse in environmental or legal responsibility can have devastating financial and reputational consequences to an organization.
COMPLIANCE
Compliance Overview
COMPLIANCE
Sample Questions
1. Describe the measures you take to protect clients from incidents related to consequential risk.
2. Is your company a party in any pending lawsuits? If yes, please explain all pending lawsuits.
3. In the event of a local disaster or emergency, please describe how your company would continue to provide uninterrupted services.
COM
PLIA
NCE
: Sam
ple
Que
stio
ns
COMPLIANCE
Environmental Compliance
Some companies have faced ugly headlines and bad press when their e-waste has been illegally dumped by their IT asset disposition vendor.SRS encourages companies to audit potential IT asset disposition vendors to ensure they operate to best practices and will responsibly manage your retired IT assets.
COMPLIANCE
Environmental ComplianceSample Questions
1. Describe your asset recovery, information privacy and security and environmental liability risk management processes.
2. Has your company ever illegally exported e-waste?
3. Will any e-waste or hardware be exported to a foreign country, either directly or indirectly? If yes, is there clear visibility to the waste stream exported?
4. Does your organization export nonworking equipment? If so, to what countries do you export?
5. Has your company ever been found to be in non-compliance with R2 practices? Please explain.
ENVI
RO
NM
ENTA
L CO
MPL
IAN
CE: S
ampl
e Q
uest
ions
COMPLIANCE
Indemnifi cation
Disposal of electronic equipment may subject your company to potential liability because of illegal dumping, environmental contamination, lack of documentation of disposition, and privacy violations resulting from digital data breaches.When equipment is removed from your company’s location, look for your ITAD vendor to provide indemnifi cation from liability. This protection may take the form of guarantees, insurance and/or formalized transfers of custody.
COMPLIANCE
IndemnificationSample Questions
1. Describe your asset recovery, information privacy and security and environmental liability risk management processes.
2. Has your company ever illegally exported e-waste?
3. Will any e-waste or hardware be exported to a foreign country, either directly or indirectly? If yes, is there clear visibility to the waste stream exported?
4. Does your organization export nonworking equipment? If so, to what countries do you export?
5. Has your company ever been found to be in non-compliance with R2 practices? Please explain.
IND
EMN
IFIC
ATIO
N: S
ampl
e Q
uest
ions
COMPLIANCE
Equipment Tracking
Equipment Pick Up
Clients want an easy way to request equipment pickups and to track equipment throughout the reuse and recycling process.Questions at this stage of the process typically focus on the client service aspects of pickups: a vendor’s tracking capabilities, level of service (e.g., who is responsible for physical inventory and packaging of assets) and reporting.
COMPLIANCE
Equipment Pick UpSample Questions
1. Are you capable of doing de-installation at the site level?
2. Describe how we will be instructed to request processing services from your company. Include any documents or forms that will be required.
3. Provide information pertaining to equipment pickup, packaging, minimum quantities or weight, time frame, etc.
4. Are there electronic items that you will not pick up? If so, please provide a list.
5. If on-site packaging is required, describe who would perform the packaging and list their qualifications.
EQU
IPM
ENT
PICK
UP:
Sam
ple
Que
stio
ns
COMPLIANCE
Equipment Tracking
Transporting Equipment
Chain of custody and freight costs are the most common issues that emerge regarding transport of equipment.For clients who operate regionally, nationally or globally, a vendor’s footprint can be important. Whether a vendor has a single location or multiple locations can impact total freight costs.
COMPLIANCE
Transporting EquipmentSample Questions
1. How do you ensure chain of custody for our assets?
2. Please detail your company’s policy in relation to responsibility/liability for disposed assets in transit. This would also extend to any data contained on the asset.
3. How do you ship, track, scan and monitor inventories, and audit and confirm equipment matches?
4. Describe your reconciliation process if assets or damaged or lost in transit.
5. Do you own a fleet of trucks to transport client assets? Please describe.
6. How do you proactively work with clients and transport companies to manage logistics costs?
TRA
NSP
OR
TIN
G E
QU
IPM
ENT:
Sam
ple
Que
stio
ns
COMPLIANCE
Equipment Tracking
Receiving Equipment
A defined process for receiving equipment securely and quickly is important in the handling process.Accurately tracking assets is important for accurate asset reporting. Some clients require tracking at the asset level (by serial number) while those with only electronic scrap may be satisfied with tracking equipment at the pallet or truck weight level.
COMPLIANCE
Receiving EquipmentSample Questions
1. When equipment arrives at your facility, do you reconcile the equipment received by item count, description and serial number, if applicable, against bills of lading, pickup requests or supporting documentation provided by the client?
2. If assets are not going to be live unloaded at your facility, containers and trailers must be stored in a secure area to prevent unauthorized access or manipulation. Please describe your procedures for reporting and preventing unauthorized entry into containers, trailers or container storage areas.
3. Attach an explanation of the processes you use to ensure no company data, files, information, identifying marks, or asset tags remain on assets when they are either sold or destroyed.
REC
EIV
ING
EQ
UIP
MEN
T: S
ampl
e Q
uest
ions
COMPLIANCE
Equipment Tracking
Sorting Equipment
Once received at the vendor’s facility, equipment will be sorted and separated for resale or recycling.
TIP: It’s important for clients to understand each vendor’s “cutoff” point in terms of what they consider suitable for resale and what they consider “scrap,” suitable only for recycling.
COMPLIANCE
Sorting EquipmentSample Questions
1. Describe your capability to ensure the physical integrity of shipments as they flow through your operation, including your process for communicating any loss or damage to the client.
2. Describe your asset tracking procedure.
3. Will vendor document the physical and working condition of all equipment handled, including condition at time of receipt and updates to condition as it moves through the recovery/redeployment/disposal process?
4. How do you determine which assets can be sold and which are to be recycled?
5. Provide details for grading and testing assets and how you determine the fair market value of equipment.
SOR
TIN
G E
QU
IPM
ENT:
Sam
ple
Que
stio
ns
COMPLIANCE
Subcontractors
For national and global projects, a potential vendor may use subcontracted vendors to extend their reach geographically to properly support clients with many physical locations.All ITAD vendors will use subcontracted companies to manage hazardous waste from obsolete electronics, such as batteries, leaded glass from CRT monitors, mercury relays and bulbs, PCB capacitors and toner cartridges. ITAD companies with limited capabilities may offer only remarketing or recycling services and not both.
COMPLIANCE
Subcontractors
A potential vendor’s use of subcontractors needs to be taken into consideration when making a decision.The use of subcontractors can affect overall data security and corporate compliance mandates. The best ITAD vendors will have defined and transparent methods for vetting potential subcontractors.
COMPLIANCE
SubcontractorsSample Questions
1. Describe the level of use of third-party contractors for freight services, the initial evaluation and selection criteria used to select your third-party contractors, and the ongoing audit procedures used to ensure proper safeguards and service levels are maintained.
2. For what percentage of the total services provided do you rely on third-party providers to deliver? What type of certification do they have (list by third-party provider)?
3. Describe the services that are outsourced and why.
4. Describe how you approve and audit subcontractors.
5. What downstream audit reporting is available for review?
SUB
CON
TRA
CTO
RS:
Sam
ple
Que
stio
ns
COMPLIANCE
Portal & Reporting
ITAD reports provide an audit trail for each asset and demonstrate final disposition of asset, whether resold, redeployed or recycled. A client portal managing ITAD services will typically provide a mechanism to allow clients to place pick-up requests, to track assets during processing and generate asset reports, certificates of data destruction and final settlement reports.
COMPLIANCE
Portal and ReportingSample Questions
1. Do you offer a client portal for managing ITAD services? Please describe the capabilities of the portal.
2. How is access and security managed for client portal?
3. Are we able to generate customized reports? Please describe capabilities. Are there costs or fees to generate these reports?
4. Provide samples for standardized reports available.
5. Describe the integration of your systems and how that affects the ability of clients to generate custom reports.
6. How long are records kept regarding how assets were disposed?
POR
TAL
AN
D R
EPO
RTI
NG
: Sam
ple
Que
stio
ns
SECURITY
Security Overview
In addition to local/national/international regulatory requirements, many large companies have internal security compliance mandates and data security mandates that must be satisfied.Data protection legislation, such as the EU’s General Data Protection Regulation (GDPR) continues to become more restrictive. Most companies want to see documented and secure processes that provide full accountability for asset disposition. This accountability may come in the form standard operating procedures (SOPs), business continuity plans, certifications, security protocols, asset disposition reports and certificates of data destruction.
SECURITY
SecuritySample Questions
1. Explain how your company ensures adherence to all applicable laws with your IT asset disposition services. Are you in compliance with all applicable regulations and permits?
2. Attach an explanation of the processes you use to ensure that no company data, files, information, identifying marks or asset tags remain on assets when they are either sold or destroyed.
3. How does your organization identify consequential risks? Is there a formal statement from your organization on risks and how they are managed? Please provide, if available.
SECU
RIT
Y: S
ampl
e Q
uest
ions
SECURITY
Facility Security
In addition to assessing a potential vendor’s organization and the procedures for screening and training employees, also evaluate the facility security processes and systems that the company has in place.
SECURITY
Facility SecuritySample Questions
1. Describe the security measures you have in place to ensure the safety of our assets while being processed at your facility.
2. What monitoring, auditing oversight and incident response procedures do you have in place to ensure that any security breaches are promptly detected and resolved?
3. Describe access control to the building or buildings where equipment is stored and/or processed.
4. What process do you propose for regularly informing client of identified security breaches and audit results?
5. Describe any written policies your firm has in place governing information security, network security, physical security and other environmental controls.
FACI
LITY
SEC
UR
ITY:
Sam
ple
Que
stio
ns
SECURITY
Facility SecuritySample Questions
6. Describe security policies and procedures, including what policies exist and what is covered by those policies? Who is responsible for information and physical security and what responsibilities do they have? Are these responsibilities formally documented?
7. How are employees hired and managed to ensure consistent, reliable and secure processing of assets?
8. Does your company wholly occupy the building? If no, describe the separation between workspaces (e.g., full walls, no crawl space).
9. How is “preservation of order” maintained at your processing facilities?
FACI
LITY
SEC
UR
ITY:
Sam
ple
Que
stio
ns
SECURITY
Data Destruction
Securing All Digital DataDigital data exists on many devices today, including computers, servers, mobile devices, SANs and archive tapes. Copiers, printers and scanner hard drives need to be secured.
Commonly referenced guidelines for secure data destruction:U.S. – NIST SP 800-88r1U.K. – HMG IA Standard No. 5Germany – DIN-66399
IMPORTANT: Data destruction for solid state devices is different from magnetic devices. Make sure data on solid state devices is effectively destroyed!
SECURITY
Data Destruction
On-Site (At Your Office) or Off-Site (At Vendor Facility)More and more companies require that data is destroyed prior to leaving their custody. In these cases, they are able to witness destruction and eliminate any security risks of loss or misplacement during transport.
Typical options for on-site or off-site destruction include degaussing, crushing and shredding, where the storage media is physically destroyed or rendered unusable. Data erasure overwrites data on storage devices and allows secure reuse of storage media.
Most of the sample questions apply for on-site or off-site services.
SECURITY
Data DestructionHard Drive Destruction
Hard drives that will not be reused are rendered inoperable or are physically destroyed.
DegaussingMagnetic drives and tapes can be rendered inoperable through degaussing, a simple and quick process. Degaussing is NOT an effective solution for solid state hard drives (SSDs).
TIP: NIST SP 800-88r1 refers to degaussing as “Purge Sanitization Method”
SECURITY
Data DestructionHard Drive Destruction
Physical DestructionThe most common destruction methods are crushing or shredding hard drives. It is important to note that there are different guidelines for the preferred shred size for magnetic drives compared to solid state drives.
TIP: NIST SP 800-88r1 describes physical destruction options as “Destroy Sanitization Method”
SECURITY
Hard Drive DestructionSample Questions
1. What storage media can you destroy? Are there media you cannot destroy to industry standards?
2. What data destruction services do you offer?
3. How do you provide certificates of destruction for data destruction services?
4. Do you have audit procedures in place to ensure that all data is removed from all equipment? If yes, please describe.
5. Describe the security measures you have in place to ensure the safety of our assets and the information stored on our hard drives.
6. How do you identify solid state hard drives (SSD) and how do you manage data destruction for these devices?
HA
RD
DR
IVE
DES
TRU
CTIO
N: S
ampl
e Q
uest
ions
SECURITY
Hard Drive DestructionSample Questions
7. How do you accurately inventory storage devices that are destroyed?
8. How does your company handle hard drives registered as bad or non-operable?
9. Is there a minimum volume of hard drives required to justify on-site services?
10. What data destruction solution do you offer to support remote employees?
11. How do you accurately inventory storage devices that are destroyed at client location? How do you dispose of destroyed drives?
12. How do you ensure all media is properly accounted and that no drives are skipped during data destruction process?
HA
RD
DR
IVE
DES
TRU
CTIO
N: S
ampl
e Q
uest
ions
SECURITY
Data DestructionHard Drive Reuse
Data erasure is the preferred data destruction method for hard drives slated to be resold or reused. Reusing hard drives maximizes the value recovery of retired assets, but is time consuming and seldom makes economic sense for drives smaller than 1 TB.
TIP: NIST SP 800-88r1 refers to data erasure as “Clear Sanitization Method”
SECURITY
Hard Drive ReuseSample Questions
1. What is your process for overwriting hard drives? Please describe the overwriting software used, the overwriting method used and how erasure is validated.
2. Is an external audit for data wiping (processes and equipment) performed regularly? Please describe.
3. What are your policies and procedures regarding disk wipe certificates? Do you keep a copy of each certificate? How long are they kept on file? How do we obtain copies of the certificates, if needed? How do you capture the data?
HA
RD
DR
IVE
REU
SE: S
ampl
e Q
uest
ions
Many asset disposition programs are built on the core values of realizing financial return, ensuring 100% data destruction, and adhering to corporate compliance directives.
SUSTAINABILITY
Sustainability Overview
Besides satisfying these requirements, companies are increasingly expressing an interest in finding ways to structure their asset disposition programs to help them achieve environmental and sustainability metrics.
Through the responsible reuse and recycling of your retired equipment, your company helps to conserve limited natural resources, reduces the need for strip mining, decreases overall energy demands and CO2 emissions, and avoids contributing to landfill volumes.
SUSTAINABILITY
Sustainability Overview
Recycled commodities are an important part of the circular economy in recovering material that can be used in producing next generation products.
SUSTAINABILITY
Sample Questions
1. Describe how your company measures its environmental impact.
2. Describe how you can help a client enhance its environmental reputation.
3. Has your company or any subsidiary ever been favorably cited or recognized for its environmental compliance practices? If yes, briefly describe.
4. Explain the expertise, methods, and processes you use to achieve environmental and social governance metrics. Please include any published reports demonstrating this.
5. Describe your participation in and commitment to programs supporting sustainability and the circular economy.
SUST
AIN
AB
ILIT
Y: S
ampl
e Q
uest
ions
Your client-vendor relationship will be more successful if you select a vendor that is a good fit for your organization.Vendor size, financial stability, services offered and industry reputation and position are all factors to consider during the selection process. When selecting an electronics reuse and recycling partner, keep in mind that freight and logistics costs can be significant, so the proximity of a vendor’s facilities to your own may also be important to you.
CORPORATE REVIEW
Corporate Review Overview
CORPORATE REVIEW
Sample Questions
1. Indicate how your company is structured (e.g., publicly held corporation, partnership, sole proprietorship, privately held corporation, etc.).
2. How many years has your company been in continuous business? (Please list any previous names your business has operated under and the dates.) Give details of any ownership changes within the last five years.
3. Provide details of the size and scope of the activities of the company, including parent or subsidiary companies, specifying the number of employees (both full-time and number of contractors), and the locations of the company’s offices.
4. What is the added value your company can provide to our organization?
COR
POR
ATE
REV
IEW
: Sam
ple
Que
stio
ns
CORPORATE REVIEW
Sample Questions
5. What is the largest disposal effort that your company has processed in the last three years based on revenue?
6. Provide two or three client references for your services.
7. Describe your geographic coverage area and whether you intend to engage subcontractors to assist with that coverage. (Details of subcontractors would be required during award phase, if applicable).
COR
POR
ATE
REV
IEW
: Sam
ple
Que
stio
ns
CORPORATE REVIEW
Sample Questions
8. Do you perform background checks, including reference checks, credit checks and criminal record checks on prospective employees?
9. Are background checks performed internally or are they outsourced to a third-party provider?
10. Are employees and contractors (third-party processors, cleaning companies, etc.) required to sign a nondisclosure or confidentiality agreements stating they will keep information obtained as part of their employment confidential?
11. How are employees trained on policies and procedures? How often? Do employees sign off on training?
COR
POR
ATE
REV
IEW
: Sam
ple
Que
stio
ns
Thank you for your interest in Sims Recycling Solutions
We understand that relevant industry information allows companies to make better decisions about partnering with the right IT asset disposition (ITAD) supplier. We can offer further assistance in helping to define your corporate requirements for your ITAD program for compliance, data security and sustainability programs, please contact us today at www.simsrecycling.com/contact