Everything You Need to Know about ITAD Certifications
This is part four of our Certifications 101 series. We are posting a new part weekly until we’ve covered the major certifications and standards related to the ITAD industry. We hope to provide you with a comprehensive understanding of each certification and standard so you can make informed decisions about your organization’s asset disposition process. Read on to find out more about the NAID AAA certification.
- Part One: R2 Responsible Recycling
- Part Two: e-Stewards
- Part Three: ISO 9001, 14001, 27001 & 45001
- Part Four: NAID AAA
- Part Five: NIST 800-88
What is the NAID AAA Certification and Why Does it Matter?
The NAID AAA Certification is a voluntary certification that verifies that companies are securely destroying data and complying with all known data protection laws. It promotes best practices for data destruction and requires organizations to have written policies and procedures in place to ensure incident response preparedness, employee training, and regulatory compliance.
The NAID AAA certification program also verifies an organization’s compliance with all applicable data protection regulations. Consequently, this certification is especially useful to organizations that are subject to data protection and privacy laws and regulations such as HIPAA, FACTA, and PCI. Organizations that violate these laws and regulations could be subject to lawsuits as well as financial penalties and corrective action plans.
NAID AAA certification qualifies as the service provider risk assessment required under the HIPAA Security Rule and as the vendor selection due diligence under other data protection regulations. Using a vendor certified in NAID AAA helps you fulfill your legal responsibility with respect to choosing a data destruction vendor under these regulations.
How Was NAID AAA Developed?
The NAID AAA Certification Program was developed by the National Association for Information Destruction (NAID), an international non-profit organization that advocates for and promotes a standard of best practices in secure data destruction. NAID was formed in 1994 by industry professionals seeking to prevent misinformation and disreputable data destruction services.
Since the NAID AAA Certification Program’s inception in 1999, more than 1,000 operations on five continents have been certified by NAID. NAID AAA Certification is required by many governmental entities and private contracts, and recognized by many more. For example, amended IRS Publication 1075 (2016) specifically recognizes the value of NAID AAA Certification.
NAID’s Certification Review Board (Board) is the governing board of NAID AAA Certification. Along with the Certification Rules Committee, the Board oversees the program’s integrity. The Board also approves and denies certification and can assess points or fines to NAID members for discrepancies revealed through audits.
How Does an Organization Obtain NAID AAA Certification?
To obtain certification, an organization must meet all policy, procedure, and operational specifications required by NAID. An organization must also become an active member of NAID as a prerequisite to certification and submit a certification application.
The certification process involves scheduled and surprise audits by trained, accredited security professionals. All NAID auditors have earned the Certified Protection Professional accreditation from ASIS International, the world’s largest membership organization for security management professionals, and are extensively trained on all certification audit procedures and requirements. The certification process also involves an extensive background screening process to verify that individuals with a known history of related crimes are not handling confidential material.
The auditors verify that protocols are in place to ensure the security of confidential material throughout all stages of the destruction process, including the handling, transport, storage, and transfer of custody of equipment prior to destruction. The auditors then report their findings back to NAID. If the auditing process is successfully completed, the audit will be forwarded to the Board for final approval.
After final approval, NAID will issue certification to the organization. Compliance with certification is monitored through a regimented, comprehensive, unannounced audit program.
The NAID certification process typically takes 4-8 weeks.
Choosing an NAID AAA Certified Provider
Choosing an ITAD provider is fraught with risk. Dispoteca helps minimize that risk by ensuring that your equipment only goes to resellers or recyclers with your preferred certifications. Dispoteca’s unique credentialing program tracks certifications and verifies that they are valid and current. If you are a business or organization that has ITAD needs, contact Dispoteca to get started on your ITAD project today.