Introduction
As a regulatory body in the water and electricity sector in the UAE, XYZ employs various IT equipment that needs to be properly managed. In particular, it must be appropriately replaced and disposed of. Based on the Abu Dhabi Government (2013) Information Security Standards and best practices in the field, the following policy is proposed.
Responsibility and Records
According to the Abu Dhabi Government (2013) Information Security Standards, the XYZ Organization must authorize appropriate officials with the responsibility to manage IT equipment. Their explicit approval is required for the purchase, replacement, reuse, and disposal of the equipment.
The IT department is responsible for the production, review, and maintenance of IT equipment inventory, formulation of requests for replacement and disposal, and management of the equipment throughout its lifecycle.
The inventory of all the IT assets needs to be kept. The required information includes the owner, inventory number, category (for example, “desktop”), model and brand, date of purchase and the expected date of retirement, the purpose of the asset, and the classification of the information that it stores (ranging from “public” to “secret”), as well as its location. The inventory is to be timely updated to reflect the replacements and removals of assets.
Physical IT assets need to carry a label with their inventory number. The labels must be timely updated and replaced when they are no longer legible.
As transition periods in the lifecycle of information-related assets, the processes of replacement and removal of IT equipment need to be provided with Security Risk Management plans.
The presented policy must be regularly reviewed to ensure that it corresponds to the developments in legislation and remains in line with the company’s needs, agenda, and vision.
The employees are encouraged to contribute suggestions to be considered for the introduction of ideas in the current policy or exclusion from it.
Depreciation Rates
While the UAE Government has been planning some changes in taxation, for the time being, there is no corporate income tax (Bouyamourn, 2015). As a result, the depreciation rate for XYZ does not depend on taxes. However, it is concerned with other numerous aspects including the use of the equipment, its tendency to become obsolete, and the situation at the market (Epstein, Jermakowicz, & Epstein, 2008).
As a result, the standard value depreciation within an industry is difficult to assess. However, it is possible to estimate the approximate number of years during which a piece of equipment can be used safely. It is important to bear in mind that the modern technologically dependent environment is being assisted by rapid developments in science, which renders IT products obsolete at a relatively fast rate. Here, the regulation for the replacement of various types of IT equipment is based on their technical characteristics, purpose, and best practices (Unhelkar, 2011; Vermaat, Sebok, & Freund, 2014). The replacement should also be considered from the point of view of environmental costs: newer technologies are typically more environmentally-friendly (Sloan, 2011).
Servers include high-performance assets of critical importance, which means that their replacement is required no later than after three years of use. Given the fact that they are not involved in the similarly critical performance, desktops are to be replaced after five years of use. The servers that are not involved in high-performance activities may also be replaced after five years of use. The definition of the performance that is required of a server is to be provided by the IT department team.
Laptops, if they are provided for employees, are to be replaced after four years as their state typically deteriorates faster than that of desktops. Printers, as well as other “desktop peripherals” (for example, scanners), can be used for seven years, but their deterioration state should be considered and assessed by the IT department team. The peripherals cannot be used for more than seven years.
The peripherals do not include network and security devices; the latter are supposed to be used for five years. The wires of a system can typically serve for the longest amount of time (up to ten years). The wires cannot be used for longer than ten years, and the IT department team is expected to provide important information about possible malfunctions.
Before the end of the safe period of use, the hardware can be replaced if damaged or broken and irreparable. The IT department team is expected to define the reparability of the equipment.
The IT department and other employees are encouraged to advocate for the replacement of functioning equipment with new technologically advanced models. Their suggestions will be considered by the designated officials.
Environment Protection and Green Initiatives
Environmental responsibility is not only ethical and vital for the future of the planet; it supports the sustainability of a company and improves its public image (Dao, Langella, & Carbo, 2011). Green IT is one of the initiatives that support environmental responsibility and sustainability in organizations. It is aimed at the reduction of power consumption (which presupposes cost-efficiency), improvement of efficiency, and even promotion of collaboration and interaction between employees (Deng & Ji, 2015). In this policy, the use of green IT technologies is regarded as beneficial and, therefore, desirable for XYZ company.
With respect to a replacement, the key aspect of responsible management is concerned with reverse logistics, which can be defined as the movement of good from the point of consumption, that is, XYZ Organization (Daugherty, Richey, Genchev, & Chen, 2005). Here, two aspects are of importance: waste management and reuse.
If it corresponds to safety requirements, the reuse of the equipment is possible both within the XYZ Organization and outside it. The equipment may be sold or donated if deemed appropriate. The possibility of selling or donating to staff is not ruled out. Damaged items may be sold, and the purchaser must be provided with accurate data on the state of the piece of equipment.
If a piece of equipment cannot be safely reused and especially if it contains hazardous materials (for example, LCD screens), it needs to be handed for final disposal to the appropriate authority or agency.
The “e-waste” management and recycling in the UAE is developing (Al Wasmi, 2015). It is suggested that XYZ ensures collaboration with recycling agencies in the UAE.
Prior to removal (and subsequent selling, donating, reusing, or disposal), the explicit approval of the designated official must be obtained for every piece of equipment.
Prior to removal and subsequent change of purpose, the data from the equipment must be cleared (see below).
Data Protection Laws in the UAE
The UAE does not have a federal protection data law; rather, this sphere of activities is being regulated by a number of laws that recognize the rights for privacy and define confidential information (Abuhawash, 2016). The legislation that has an impact on data management in the XYZ Organization includes Federal Law No. 3 of 1987 (personal and corporate data), Federal Law No. 3 of 2003 (telecommunications), Federal Law No. 5 of 2012 (cybercrime), and the Privacy of Consumer Information Policy.
Apart from that, the Dubai International Financial Centre provides two information-related 2012 laws that are “mainly consistent with data protection laws of the European Union and UK common law” and applicable to activities carried out within the Centre (Abuhawash, 2016, para. 3).
All this legislation settles the definitions for transparency and confidentiality and the penalties for breaching them. Being a regulatory body in the UAE, XYZ Organization is also expected to comply with the data control standards defined by the Abu Dhabi Government (2013). The present policy is created with the help of this document.
IT Equipment Disposal Policy
Fixed assets, storage media, and other equipment that are considered to be IT equipment are supposed to be disposed of in a manner that is in line with the OM.22 requirements of the Abu Dhabi Government (2013) Information Security Standards.
In particular, all the information of the XYZ Organization must be cleared from the asset, and the effectiveness of the procedure must be verified. The re-use mentioned in the previous part is only possible after the asset carries no XYZ information.
If the data that had been stored is classified as “confidential” or “secret” as defined by the Abu Dhabi Government (2013) Information Security Standards (p. 117), the storage media may be destroyed via disintegration, incineration, pulverization, or melting.
The tags and labels of the XYZ Organization should be removed from the equipment before disposing of it.
The asset inventory must be updated to reflect the changes in the assets available.
Procurement Methods
Procurement of IT equipment must be carried out in line with the TP.1 paragraph of the Abu Dhabi Government (2013) Information Security Standards (p. 96).
Abu Dhabi Government (2013) recommends procuring with the help of requests for proposals (a more complicated method that, however, provides the most detailed information about the option available) and requests for quotation (easier, but less detailed and meant for the procurement of small value products) (Turner, 2011).
XYZ must ensure that the proposed equipment corresponds to the Abu Dhabi Government (2013) Information Security Standards.
It is recommended that environmental costs are included in the appraisal of options (Sloan, 2011).
XYZ will benefit from considering the reputation of the potential supplier along with the reviews on its work.
The Purchase of Software
The equipment must be supplied with the required software. The software must be licensed and timely updated. The standard software is to be defined for the employees depending on the duties that they must carry out. No additional software can be installed on XYZ Organization IT equipment without prior notification and explicit approval of the IT department team and the authorized official. However, the employees are encouraged to advocate for the introduction of new advanced software in the standard package.
Delivery and Installation
All the equipment must be checked upon delivery: it is not to be damaged or contain malware and must correspond to security standards. The IT department team is responsible for approving the equipment.
The new equipment must be provided with the label that contains the information about the party owning it and its inventory number.
The inventory must be updated to include the new equipment.
The new equipment must be appropriately installed. The installation may be carried out by the IT department team or that of the supplier. The IT department team must confirm that the installation is successful and the equipment can be used.
References
Abu Dhabi Government. (2013). Information Security Standards. Web.
Abuhawash, G. (2016). Global Legal Group on United Arab Emirates Data Protection 2016. Web.
Al Wasmi, N. (2015). UAE recycling: bringing e-waste concerns to the surface. The National. Web.
Bouyamourn, A. (2015). UAE Government draws up sales and corporation tax plans. The National. Web.
Dao, V., Langella, I., & Carbo, J. (2011). From green to sustainability: Information Technology and an integrated sustainability framework. The Journal Of Strategic Information Systems, 20(1), 63-79. Web.
Daugherty, P. J., Richey, R. G., Genchev, S. E., & Chen, H. (2005). Reverse logistics: Superior performance through focused resource commitments to information technology. Transportation Research. Part E, Logistics & Transportation Review, 41(2), 77-92. Web.
Deng, Q., & Ji, S. (2015). Organizational Green IT Adoption: Concept and Evidence. Sustainability, 7(12), 16737–16755. Web.
Epstein, B., Jermakowicz, E., & Epstein, B. (2008). Wiley IFRS policies and procedures. Hoboken, N.J.: John Wiley & Sons.
Sloan, T. (2011). Green renewal: incorporating environmental factors in equipment replacement decisions under technological change. Journal Of Cleaner Production, 19(2-3), 173-186. Web.
Turner, R. (2011). Supply management and procurement. Ft. Lauderdale: J. Ross Publishing.
Unhelkar, B. (2011). Green IT strategies and applications. Boca Raton: CRC Press.
Vermaat, M., Sebok, S., & Freund, S. (2014). Discovering computers. Boston, MA: Cengage Learning.