READER QUESTION #1
Our credit union is to go through a merger in the late third quarter. We're midsized, but are not the surviving operation. What kinds of equipment can we sell, what, if anything do we need to do, and what are the risks?
Rick Fleming, Digital Defense, San Antonio
The risk in selling, returning or disposing of computer systems is that, if not done correctly, you could compromise sensitive credit union or member information. Extreme care should be exercised when selling, removing or returning any electronic equipment that may have stored, processed, or handled sensitive credit union or member information.
This includes all computer equipment hard drives, magnetic media and storage devices, but could also include fax machines or copiers if they have hard drives for session storage or printer queuing capabilities. All magnetic media should either be removed and stored or destroyed before shipping or returning the equipment or properly overwritten with an approved media overwrite tool. Seven passes of random data is usually sufficient to ensure that all information is protected. Devices should also be double checked for CD-ROMs and floppies left in drives. CD-ROMs that are no longer needed should be destroyed by either shredding or marring the recording surface of the disk. Simply breaking the CD in half may not be sufficient to protect the information should a thief be able to access both halves.
Remember, your responsibility to protect member data doesn't end if you ship the system off for repair, replacement, donation or destruction. Until you know the information has been removed or destroyed, you have to protect that system like you would your core processing system.
John Edwards, president, XP Systems, Moorpark, Calif.
The good news is that most any sort of usable computer equipment has some resale value, to someone, somewhere. You might start with an Internet search for the specific equipment you wish to part with to get an idea of the market. Often you can locate refurbished equipment dealers in your area that have an interest. When you contact these vendors, initially ask what this equipment would cost if you were to buy from them. Then have the conversation that you are actually interested in selling. You'll work your best deal that way.
Before selling any computer equipment, ensure all disk drives are securely wiped to avoid data theft. Smart thieves have been able to retrieve data from disks that were supposedly wiped clean using commercially available disk "erase" software. Even if you trust the vendor you sell your equipment to, you have no control over where the equipment goes from there.
David McConney, EVP/General Manager, Credit Union Core Systems, Harland Financial Solutions, Pleasanton, Calif.
You should have a project committee in place that includes IT staff and end users from both organizations who will work with the surviving institution's core system and other technology partners. You will want to analyze all hardware and ancillary software to determine which will be retained going forward after the merger. In most cases, for ease of ongoing support, it will be preferable to standardize as much as possible in terms of workstations (hardware and OS), servers, printers, routers, check signers, signature pads, document scanners, phone systems, etc. You will also want to retain/acquire the most current generation of equipment that the merger budget can accommodate. Any equipment not needed post merger should be saleable as long as it is newer technology. Seek local vendors for assistance on reselling and donate older equipment to local charities or schools. Caution: if you decide to donate a PC make sure you clean the disk thoroughly to comply with your credit unions GLB requirements. In any case, do not plan to sell any equipment for at least 90 days post-merger so that you have some back-up in place in the event some of the surviving systems fail or become inoperable. In addition, it is imperative that all new and retained equipment be fully tested and retested with scenarios that are as similar as possible to the post-merger production environment. Develop a specific and detailed plan to merge your MCIF, databases, records, etc. into the new core system. Execute the plan with the highest of priority. Lack of a good project plan, inability to stay on schedule and lack of training and testing will present the greatest risks to the success of the endeavor. Lastly, communicate to members and employees about all the wonderful benefits they will receive as a result of the merger. Everyone should have patience with any challenges you may encounter as long as they are informed, thereby mitigating risk of employee dissatisfaction and/or member attrition.