Secure equipment repair policy and confidentiality agreement
Originally Published: Sep 2016
This policy and agreement will help you define security requirements and monitor the status of equipment being repaired when your organization works with third parties to fix failed systems.
From the policy:
Organizations must frequently work with third parties to repair laptops, desktops, tablets, smartphones, servers, and other IT equipment. This policy ensures that the organization maintains regulatory and best business practice security compliance while tracking systems when they are being repaired.
Authorized third parties that assist the organization in diagnosing and repairing servers, desktops, laptops, tablets, smartphones, and other IT equipment failures must sign a Confidentiality Agreement. It’s designed to ensure that both the organization and the third-party repair provider understand the obligations and safeguards each must undertake to protect the organization’s applications, software, email, documents, files, and other data from unauthorized access.
The Confidentiality Agreement must be executed before devices and equipment can be entrusted to a third party for troubleshooting and repair. It must also be in place before organization servers, desktops, laptops, smartphones, tablets, and other IT equipment can be transported offsite for diagnostic testing and repair or reinstallation.
If IT equipment must be returned to the manufacturer for repair, the data storage device(s) must be removed prior to the unit being shipped to the manufacturer. If the data storage device must be present in the system for testing and troubleshooting when the unit is sent offsite for repair, all organization data, files, and information must be securely removed before the unit is sent to the manufacturer. No data storage device can leave the organization’s custody without a signed Confidentiality Agreement on file from the service provider.
The IT department must track systems sent offsite for diagnostic testing, repair, and/or reinstallation using the System Repair Log. The IT director is responsible for implementing and maintaining the System Repair Logs and Confidentiality Agreements with repair providers.