Best Practices in Designing a Data Decommissioning Policy

Written by

Managing a data decommissioning policy is a systematic approach to managing the series of steps through which IT assets must go at end-of-life. These policies are important, as records allow companies to prove that they are compliant to auditors as well as keep their clients’ privacy a top priority. Not only do decommissioning policies improve consistency and productivity throughout the company, but with the explosion of cloud-based data, it has become imperative to adopt such methodology.

Step One: Planning

IT management within the company must start with collecting detailed information from servers, client PCs, printers, switches, routers and other peripherals. The IT asset inventory will include the device name, IP address, vendor name, model of the device, tprocessor, memory and storage information. Detailed inventory documentation is essential to replace and replicate the resources necessary to meet workload requirements.

At this point in the planning process, it is important to assign a project manager who has expertise in communicating with major decision makers as well as stakeholders. If the in-house team lacks extensive experience with decommissioning data or data centers, it is advised to assign an external expert for this role. Creating a budget is crucial when planning a decommissioning policy. A secure chain of custody is crucial with an auditor present to provide end-to-end visibility documentation of what was done, when and by whom in the process of IT asset dispositioning. Every safety procedure and various stage of removal or destruction should be outlined extensively knowing exactly who is responsible for what and at what time. Be sure to conduct any background checks on any third-party project managers, auditors or ITAD personnel so no data ends up compromised through theft or carelessness.

Step Two: Decommissioning

After planning and procedures are established, it is time to start the actual process of decommissioning. To start, create a comprehensive backup of all of your data – be fastidious when backing up data! After, disconnect the equipment from the network. Remove all firewalls, subnets and cut power to all equipment in the decommissioning process. Don’t forget to identify and retain all software licenses associated with the server. If third-party vendors handle your end-of-life IT assets, it is important that you require them to document every single step of the decommissioning process, and by whom, to ensure your data has been accounted for and that you have an auditable paper trail in case of a breach. While most ITAD vendors are reputable, it only takes one person to wreak havoc. There have been instances of ITAD vendors being hired to destroy drives and not doing so, instead selling the drives on eBay where they were found to still hold sensitive data. If decommissioning is handled in-house, it is still important to document all processes and assets; however, the unique risks associated with third-party ITAD vendors are largely mitigated.

Step Three: Disposition

Once your data has been completely decommissioned, it is time for disposition. Physically remove hard disk drives (HDDs) from storage and storage area networks (SANs) and either repurpose them or, for the highest security, physically destroy them. An ITAD or recycling company can be utilized for the physical destruction of any decommissioned servers. Alternatively, and most securely and cost-effectively, you can dispose of them in-house with data destruction devices. In-house data destruction exponentially reduces a drive’s chain of custody and allows you to recycle the drive parts. Drives contain precious metals and steel, making them valuable to recycling houses. Be sure to log any necessary information for auditing purposes, including the drive’s unique barcode, certificate of erasure or destruction and destruction method used.

Decommissioning data and servers doesn’t have to be a long, complex process. While these steps do not detail every contingency your company or data center might encounter (as each one is unique), having a basic guide like this is an excellent start, as it can be used as the backbone of your decommissioning policy. Regulations world-wide are both increasing and becoming more rigorous, frequently assessing large fines for non-compliance. Where we stand globally, the impact of a data breach on an organization averages out to around $3.9m, according to IBM’s Cost of a Data Breach study as of 2019. In fact, the average cost of a data breach has increased by 12% in the last five years. By ensuring a proper decommissioning plan and knowing each point of contact who handles your IT assets, you can minimize your organization’s chances of falling victim to the next breach.

Brought to you by

What’s hot on Infosecurity Magazine?