Skip to main content

CompTIA A+

Outsourcing and Disposal

10 min read

For CompTIA A+ Core 2 (220-1202), Domain 2, Objective 2.9, you need to understand two practical areas that show up in real support work: outsourcing concepts and environmental and regulatory requirements. Outsourcing concepts describe how an organization uses an outside company (a third-party vendor) to perform IT services, along with the controls that keep data and systems safe. Environmental and regulatory requirements explain why you can't treat old devices like regular trash, because many parts count as e-waste and can carry sensitive data. By the end of this article, you'll know how to judge a vendor before you sign, which paperwork matters (especially a certificate of destruction or recycling), and how to handle disposal tasks in a safe, policy-driven way that reduces risk and supports exam-ready thinking.

Outsourcing basics you need for 220-1202 Objective 2.9

Outsourcing means a business hires an outside company to do work that staff could do in-house. In IT support, this often happens because the work needs special tools, 24/7 coverage, or predictable costs. In practice, outsourcing can look ordinary. A help desk tech might open a ticket, collect device details, then hand off the fix to a vendor.

Common examples match what you may see on the exam and on the job. A company may sign a printer repair contract so a technician can replace rollers and fusers on-site. Another team may pay for managed IT support, where a provider monitors endpoints, pushes patches, and responds to incidents. Many orgs also use a cloud backup provider to store encrypted copies of critical data off-site.

CompTIA's angle is simple: when someone outside your org touches systems or data, you must manage risk. That means you should recognize key terms, know what can go wrong, and remember what to verify before access starts. Outsourcing does not remove accountability. Your organization still owns the outcome, including downtime, privacy exposure, and audit findings.

Third-party vendors and what to check before you sign

A third-party vendor is any external company that provides a product or service to your organization. Because vendors often need network access or handle devices with data, you should treat onboarding as a security event, not just a purchasing step.

Start with the scope. The agreement should state what the vendor will do, what they won't do, and which systems are in-bounds. Next, confirm the service level agreement (SLA). Response times, restore targets, and escalation paths should be clear, especially for user-facing outages.

Support hours matter as well. If your staff works weekends, a weekday-only vendor can create slow recoveries and user frustration. After that, focus on access controls. Use least privilege, which means the vendor gets only the access needed for the task. Require MFA for any remote access, and insist on logging so your team can review actions later.

Finally, verify trust and handling practices. Background checks may apply if the vendor works on-site or handles sensitive records. Data rules should cover where data can be stored, how long it is retained, and how it is deleted after the contract ends.

Common outsourcing risks and how to reduce them

Outsourcing can fail in predictable ways, which is why it tests well on exams. First, data exposure can happen when a vendor gains broad access or stores copies outside approved systems. Second, weak change control can break production systems, such as when a vendor patches a server without a maintenance window. Third, unclear ownership creates delays, because nobody knows who approves changes or who pays for extras. Poor documentation also hurts, since your team may not know what the vendor changed. Surprise costs often appear when contracts omit "out-of-scope" language.

Mitigations are straightforward and easy to remember. Put key controls in writing, including scope, SLAs, and the approval process. Require backups and a rollback plan before major changes. Keep an updated asset list with serial numbers and assigned users. Document handoffs, including passwords placed in an approved vault, not in email.

If a vendor asks for admin rights "just for speed," pause and start with least privilege, MFA, and a clear ticket that states the exact task.

Consider a short scenario. A backup vendor says they need domain admin access to install an agent. Your first step should be to validate the request and reduce it. Ask what permissions the agent truly needs, then use a dedicated account with the minimum rights, MFA, and logging. If policy requires it, get written approval before you grant access.

Certification of destruction and recycling, what proof looks like

When hardware leaves your building, it can take data with it. Even "dead" devices often contain recoverable information, especially storage media and devices with built-in memory. For Objective 2.9, the exam expects you to connect outsourcing with disposal paperwork.

This lesson is part of ExamWizardz Pro

Unlock every lesson, unlimited practice tests, and the AI tutor.

See Pro pricing

or start with a free account