Also important is the need for policies governing the use of non-company storage devices and systems. For every control you put in place there will be weaknesses: what if users bring their own USB drive? The idea is to put controls in place that are commensurate with the risks. Hypothetically, if an organization is worried about portable devices and external storage, then one must wonder if the data should even be allowed outside of controlled facilities.
Units slated for donation or resale need to be taken into consideration as well. For these devices, not only must their data be removed, but the software licensing must also be taken into account. With MS Windows, most PCs have their certificate of authenticity (COA) displayed on the unit so it typically transfers with the PC. However, productivity packages such as Office do not automatically change hands.
On a related note, an increasing number of municipalities have put laws in place regarding the disposal of computer systems due to the huge volume of computer-related equipment going into dumps, known as e-waste. Some of these components are fairly toxic.
There is a growing business segment of vendors that specialize in picking up e-waste and ensuring that it is securely disposed of. As with any vendor, their controls should be verified prior to contracting with them and routinely audited to verify their compliance with stated policies and procedures.
The time and effort that companies spend reviewing their policies for decommissioning devices to be donated, sold or discarded is time well spent. It is far better to prevent incidents than to be forced into a frenzied scramble to recover afterwards.