Procurement Workflow — Five Stages in Order
| Stage | Who Acts | What Happens | Key Output |
|---|---|---|---|
| 1. User Request | Employee or department | Documents the need: technical specifications, business justification, budget source, manager approval | Formal purchase request with approvals |
| 2. IT and Purchasing Review | IT department + purchasing/finance | Evaluates technical fit, budget availability, existing contracts, and preferred vendor lists | Approved or rejected request; vendor selection |
| 3. Supplier Negotiation | Purchasing department + vendor | Negotiates pricing, delivery schedule, licensing terms, warranty, SLA obligations | Agreed contract or purchase terms |
| 4. Purchase and Delivery | Purchasing department | Generates purchase order; vendor delivers goods or activates services | Delivered assets + vendor invoice |
| 5. Invoice and Payment | Finance / accounts payable | Processes payment per invoice terms (immediate, net-30, net-60); records in financial system; assets logged into tracking system | Payment confirmation + asset record created |
Asset Classification — Hardware vs. Software
| Property | Hardware Assets | Software Assets |
|---|---|---|
| Examples | Servers, laptops, routers, switches, storage drives, printers | OS licenses, application licenses, SaaS subscriptions, cloud service contracts |
| Financial treatment | Capital expenditure (CapEx) — one-time purchase of a long-lived physical asset | Operating expenditure (OpEx) — ongoing business expense (subscription, license fee) |
| Depreciation | Yes — value declines over time per depreciation schedule; affects tax liability each year | Generally no — expensed in the period incurred; not depreciated |
| Asset tag | Yes — physical tag attached to device | No physical tag; tracked by license key, subscription ID, or software record |
| Disposal consideration | Media sanitization + physical destruction + certificate of destruction | License termination, deactivation, key destruction/deletion |
Asset Tracking Components — Three Layers
| Layer | What It Tracks | Tool / Method | Security Benefit |
|---|---|---|---|
| Inventory | Every asset in the organization: all devices by type, make, model, location, assigned user | Asset management software (ServiceNow, Snipe-IT, Lansweeper); network scanning tools | Cannot secure what you don't know you have; inventory drives patch and vulnerability management |
| Enumeration | Individual components within each asset: CPU, RAM, storage, peripherals, installed software | Agent-based discovery tools; configuration management databases (CMDB) | Supports precise troubleshooting, accurate replacement, detailed security assessment; identifies unsupported components |
| Asset Tags | Physical identity — links the physical object to its database record | Barcode labels (handheld scanner), RFID tags (passive or active), visible tracking numbers | Rapid physical inventory; theft deterrence; chain-of-custody for disposal |
Media Sanitization Methods — Capability and Use Case
| Method | How It Works | Drive Usable After? | Works on SSDs? | Best For |
|---|---|---|---|---|
| Secure overwrite | Software overwrites all sectors with random data; prevents recovery | Yes — drive fully functional | Partial — may miss wear-leveling areas; crypto erase preferred | Reuse by another employee; resale; donation |
| Drilling / Hammering | Physical puncture or deformation of storage platters | No | Yes — destroys flash chips physically | Small quantities; quick on-site destruction; no specialized equipment |
| Shredding / Pulverization | Industrial machinery reduces drives to fragments | No | Yes | Large volumes; high assurance; third-party destruction services |
| Degaussing | Strong electromagnetic field erases magnetic patterns; also destroys servo tracks | No — drive mechanically disabled by loss of servo tracks | No — SSDs use flash memory, not magnetic storage; degaussing has no effect | HDD-only environments; adds to physical destruction workflow for HDDs |
| Incineration | High-temperature destruction; reduces media to ash | No | Yes | Classified/government data; highest-assurance requirement; no fragment survivability |
Certificate of Destruction — What It Contains and Why It Matters
| Element | What It Includes | Why It Matters |
|---|---|---|
| Device identification | Serial numbers of each destroyed drive, matched against asset inventory | Proves specific drives were destroyed, not substituted or diverted; weak certs list only quantities |
| Destruction method | Shredding, degaussing, incineration, or combination | Confirms method appropriate for data sensitivity level; regulatory requirements may specify methods |
| Date and location | Date destruction occurred; facility address or on-site location | Creates timestamped chain of custody; establishes when data became inaccessible |
| Vendor authorization | Technician/supervisor name, vendor signature, company seal | Accountability for the destruction process; legally binds vendor to the statement |
| Compliance use | Referenced in compliance audits (HIPAA, PCI DSS, SOX) | Demonstrates due diligence in data disposal; supports audit defense and regulatory reporting |
Data Retention — Three Drivers with Examples
| Driver | Requirement Type | Data Examples | Consequence of Failure |
|---|---|---|---|
| Regulatory compliance | Mandatory minimum retention period set by law or regulation | HIPAA: patient records (varies by state; 6-10 years). SOX: financial records (7 years). SEC/FINRA: trade records and emails (3-7 years depending on type). GDPR: limits unnecessary retention | Regulatory fines, legal sanctions, loss of operating licenses, evidence spoliation in litigation |
| Operational recovery | Best practice retention to support business continuity | Daily backups retained 30 days (accidental deletion recovery). Weekly archives retained 1 year. Disaster recovery copies at alternate site. System logs retained 90 days (security analysis window) | Inability to recover deleted data; inability to restore after disaster; gap in incident investigation timeline |
| Data type differentiation | Different categories have different retention requirements | Executive emails vs. break room scheduling emails. Financial transaction logs vs. operational logs. Medical records vs. marketing materials | Retaining everything forever: storage cost, increased breach exposure. Blanket deletion: regulatory violation, recovery failure |