A policy governing the appropriate conditions for returning business assets and procedures for validating their return SHALL be implemented.
Technological assets are a core driver of today’s business environments, and business owners must take precautions to ensure that their employees return company-issued devices in a timely and appropriate fashion. A Return of Assets Policy outlines these expectations. The policy may apply to both transfer and termination scenarios, although you may want to fine-tune the specific requirements for each.
The policy will not eliminate personnel-related security risks outright, but it will act as a potential deterrent or reminder. An employee may leave your business on a bad note and delay returning their company-owned laptop out of spite. Or an employee may simply forget to return their laptop charger and company flash drives while in the process of a promotion to a new department. Creating and enforcing a comprehensive Return of Assets Policy can help reduce the likelihood of such events.
This policy should be concise and define expected procedures clearly. After publication, it should be issued to all employees and new hires. At a minimum, the Return of Assets Policy should address the following points:
- What is an Asset? The policy should list all assets that the policy applies to. These are all pieces of technical infrastructure owned by your organization and provided to employees for work-related purposes. Desktops, laptops, company mobile phones, desk phones, docking stations, keyboards and mice, cables, monitors, and removable storage devices are common company-provided technologies that qualify as physical assets. Logical assets include software licenses, data (including files and databases), and access to company software platforms. Oftentimes, logical assets do not need to be traditionally “returned”; instead, their access can be revoked through typical offboarding procedures. Other assets include paper documents and keys for accessing facilities.
- Expectations for the condition of assets upon return. You do not want company property returned with dirt and debris covering it. Therefore, your policy should define the expectations for the condition of physical technologies upon return. The policy should also clearly state the consequences of returning assets in poor condition, usually involving a financial penalty.
- Reasons for the Return of Assets. The policy should clearly state the reasons an asset return may be requested. The most common reason is termination or departure from employment. However, many organizations require employees to switch to all-new devices as part of a role transition. Make sure the documentation clearly outlines the different possible reasons an asset return may be requested.
- Drop-off Procedure. This includes the location to drop off the assets, the person with whom the return needs to be confirmed, any forms that should be completed, and a checklist for the receiving party to follow for confirmation of the return.
- Deadline for Return. The policy should define the grace period for employees to return the assets, usually in days or weeks.
- Consequences for Late Return. Building off the previous point, make sure to outline the potential consequences of not returning assets. There should be multiple consequences arranged in a hierarchy. This could range from escalating financial penalties for late returns to law enforcement involvement for refusal of return.
- Roles & Procedures for Confirming and Validating Returns. This section should apply to the parties within your business that will handle the return of assets. These should be arranged as a checklist with the necessary roles noted. A typical arrangement would be the retrieval and confirmation of the return by a secretary, the inspection of the physical and digital condition of the assets by an IT director, and then the confirmation of the asset return and the asset details by a database administrator or other such role.
