Systems redeployment or disposal


The organization will develop, disseminate, and review: 1) a formal systems redeployment or disposal policy that addresses purpose, scope, RACI info, and compliance; and 2) formal standards and procedures to facilitate implementing the policy. [UCF ID 00901]

Supporting and supported controls

This control directly supports:

Operational management [UCF Common Control ID 00805]

This control has the following supporting controls:

Prior to disposal or redeployment, all data storage media will be wiped clean. [UCF Common Control ID 01643]
Maintain disposal or redeployment records [UCF Common Control ID 01644]

Authority documents complied with:

Australian Government ICT Security Manual (ACSI 33) § 3.4.26, 3.4.33, 3.4.45, 3.4.46, 3.4.51; FFIEC IT Examination Handbook – Information Security Exam Tier II Obj C.14, Exam Tier II Obj D.5; FFIEC IT Examination Handbook – Development and Acquisition Pg 32-33, Pg 56-57; FFIEC IT Examination Handbook – Operations Pg 27; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-007-1 R7; US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11 § 6.b, § 6.b(5); The Standard of Good Practice for Information Security CI3.1.3, CI3.1.6; ISO 17799:2000, Code of Practice for Information Security Management § 8.6.2; ISO 17799:2005 Code of Practice for Information Security Management § 9.2.6; ISO/IEC 27002-2005 Code of practice for information security management § 9.2.6; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 § 3.4.6; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97 Table 8-6 Item 57; Guidelines for Media Sanitization, NIST Special Publication 800-88 § 4.7; ISO 15489-1, Information and Documentation: Records management: General § 9.9; PCAOB Auditing Standard No. 2 Implied; AICPA/CICA Privacy Framework § 5.2.2; Controls and Procedures, SEC 17 CFR 240.15d-15 Implied; IRS Internal Revenue Code Section 501(c)(3) § 6.3.4, Exhibit 3(F); IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information Q1 09; California Information Practice Act, CA SB 1386 § 1.9; State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal § 4.2

Sarbanes Oxley Guidance

§ 5.2.2 of AICPA/CICA Privacy Framework states that the organization should dispose of all personal information in a manner that will prevent loss, misuse, or unauthorized access.

Banking and Finance Guidance

The FFIEC IT Examination Handbook – Development and Acquisition Pg 32-33, Pg 56-57 states that surplus and/or obsolete software, hardware, and data should be disposed of in an orderly manner.

Energy Guidance

The North American Electric Reliability Corporation's, CIP-007-1 R7 states that the Responsible Entity shall establish formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005.

§ 6.b, § 6.b(5) of US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11 states that the purging, clearing, and destruction of Type I Magnetic Tape, Type II Magnetic Tape, Type III Magnetic Tape, Floppies, Zip Drives, Bernoulli Boxes, Removable Hard Disks, Non-Removable Hard Disks, Magneto-optical: Read Only Optical Disk, Write Once Read Many (WORM) Optical Disk, Read Many Write Many Optical Disk, Flopticals, Helical-scan tapes, Cartridges, Optical, CD-R, CD-RW, CD-ROM, DVD, Magnetic Bubble Memory, Magnetic Core Memory, Magnetic Plated Wire, Magnetic-Resistive Memory, Read-Only Memory (ROM), Random Access Memory (RAM) (Volatile), Programmable ROM (PROM), Erasable PROM (UV PROM), Electrically Alterable PROM (EAPROM), Electrically Erasable PROM (EEPROM), Flash Erasable PROM (FEPROM), Printer Ribbons, Platens, Toner Cartridges, Laser Drums, Fax Machines, Cathode-Ray Tubes (if there is classified burn-in), Cell Phones, Personal Digital Assistants (PDAs), Routers, and Copy Machines should meet the minimum requirements listed in Table 1 (storage media), Table 2 (electronic memory devices), and Table 3 (hardware) of this document.

Classified storage media that will be reused in an unclassified environment should be identified in the System Security Plan; should be tracked until it is purged or destroyed; should be overwritten in its entirety using a three-pass process, with the overwriting software producing a report of any bad sectors that cannot be overwritten; should be destroyed if classified information located in bad sectors cannot be purged; and an authorized individual should verify that all classified information on the media has been completely overwritten. Disposal records should be maintained.

Non-removable storage media that had contained classified information and was purged with the three-pass process may still be used in its current system in the following instances: if the unclassified storage media can only hold less than 20MB of information and less than 0.001 percent of the media's capacity is classified information; if the classified storage media contains less than 0.1 percent of the non-removable capacity from a more restrictive classification; or if the unclassified storage media has a low confidentiality impact and contains less than 0.1 percent of the non-removable capacity with a higher confidentiality impact.

Partially contaminated storage media should be purged: the software should overwrite all contaminated areas, including free space, directories, and temporary data file locations; the software should confirm successful completion; the software should confirm the overwriting of specified areas; the software should provide information about bad sectors that cannot be overwritten; quality control should be used to verify that all contaminated information has been overwritten; any media that cannot be purged, or data that is located in bad sectors and cannot be purged, should be destroyed; and disposal records should be maintained.

US Federal Security Guidance

NIST 800-53 and DoD 5015.2 Criteria call for the destruction of media and records, respectively. Both address the issue of removing residual data. While NIST provides controls for organizations to implement, DoD, as always, includes these procedures as automated controls performed by records management systems.

US Internal Revenue Service Guidance

§ 6.3.4, Exhibit 3(F) of IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information states that federal Tax Information should be destroyed or returned to the IRS or the SSA after its use.

NIST Guidance

NIST 800-53 calls for the destruction of media and records and addresses the removal of residual data.

Table 8-6 Item 57 of Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97 states that when a WLAN component is disposed of, the organization should ensure all sensitive configuration information has been removed, including pre-shared keys and passwords. When feasible, the organization should use a degaussing device.

§ 4.7 of Guidelines for Media Sanitization, NIST Special Publication 800-88 states that the organization should test the sanitization methods being used to ensure the proper protection is being maintained.

US State Law Guidance

§ 4.2 of State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal states that data sanitization should be performed on all storage media before redeploying or disposing of any assets. The method of data sanitization should be either degaussing, overwriting using a minimum of three overwrites, or destroying the media by shredding, incinerating, pulverizing, melting, or disintegrating.
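The DOE CS-11, NIST SP 800-88 § 4.7 and Arizona P800-S880 § 4.2 passages above describe the same purge procedure: overwrite every sector at least three times, report sectors that cannot be overwritten, read the media back to verify the overwrite, destroy anything that cannot be purged, and keep a disposal record. The block below is an added example of that procedure and is not part of the UCF text or any cited standard's own tooling. It assumes a POSIX host (os.pwrite/os.pread), a 512-byte sector size, and a hypothetical `simulated_bad_sectors` argument that exists only so the bad-sector branch can be exercised on an ordinary file; the input images it sanitizes are constructed in `demo()`. One caveat a practitioner should carry along: overwriting is only a valid purge for media that exposes every physical sector to the host. Wear-levelled flash (SSDs, USB sticks) silently retains stale copies, so for such media the overwrite result below is not evidence of purge and the destroy path applies.

```python
"""Three-pass overwrite, bad-sector report, read-back verification and disposal
record for a block device or image file. Added example; see lead-in for assumptions."""
import hashlib
import json
import os
import tempfile
import time

SECTOR = 512          # assumed sector size; use the device's real logical sector size
PASSES = 3            # fixed byte, its complement, keyed pseudo-random


def _pattern(pass_no: int, seed: bytes, sector_index: int) -> bytes:
    """Pass 0 writes 0x00, pass 1 its complement 0xFF, pass 2 a keyed pseudo-random
    stream (SHA-256 in counter mode over seed || sector || counter) so the final
    pass can be regenerated for read-back verification without storing it."""
    if pass_no == 0:
        return b"\x00" * SECTOR
    if pass_no == 1:
        return b"\xff" * SECTOR
    out, counter = b"", 0
    while len(out) < SECTOR:
        out += hashlib.sha256(seed + sector_index.to_bytes(8, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:SECTOR]


def _media_size(fd: int) -> int:
    """os.path.getsize() reports 0 for block devices; seek to the end instead."""
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def overwrite(path: str, seed: bytes, simulated_bad_sectors=frozenset()) -> dict:
    """Three-pass overwrite of the whole medium. A sector whose write fails is
    recorded, never silently skipped: that is the bad-sector report CS-11 asks for."""
    bad = set()
    fd = os.open(path, os.O_RDWR)
    try:
        size = _media_size(fd)
        sectors = (size + SECTOR - 1) // SECTOR
        for pass_no in range(PASSES):
            for i in range(sectors):
                if i in simulated_bad_sectors:      # constructed failure for the demo only
                    bad.add(i)
                    continue
                chunk = _pattern(pass_no, seed, i)[: min(SECTOR, size - i * SECTOR)]
                try:
                    os.pwrite(fd, chunk, i * SECTOR)
                except OSError:                      # real media: EIO on a failing sector
                    bad.add(i)
            os.fsync(fd)                             # do not trust the write cache
    finally:
        os.close(fd)
    return {"size_bytes": size, "sectors": sectors, "bad_sectors": sorted(bad)}


def verify(path: str, seed: bytes) -> list:
    """Full read-back of the final pass (the test NIST SP 800-88 § 4.7 calls for).
    Returns the sectors that do not hold the expected pattern."""
    mismatched = []
    fd = os.open(path, os.O_RDONLY)
    try:
        size = _media_size(fd)
        for i in range((size + SECTOR - 1) // SECTOR):
            expect = _pattern(PASSES - 1, seed, i)[: min(SECTOR, size - i * SECTOR)]
            if os.pread(fd, len(expect), i * SECTOR) != expect:
                mismatched.append(i)
    finally:
        os.close(fd)
    return mismatched


def sanitize_and_record(path: str, media_id: str, verified_by: str,
                        simulated_bad_sectors=frozenset()) -> dict:
    """Purge, verify, and produce the disposal record. Any sector that could not be
    overwritten or that fails verification turns the disposition into DESTROY."""
    seed = os.urandom(16)
    result = overwrite(path, seed, simulated_bad_sectors)
    mismatched = verify(path, seed)
    clean = not result["bad_sectors"] and not mismatched
    return {
        "media_id": media_id,
        "sanitized_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "method": "3-pass overwrite (0x00, 0xFF, keyed pseudo-random) + full read-back",
        "final_pass_seed": seed.hex(),            # lets an auditor re-run verify()
        "size_bytes": result["size_bytes"],
        "bad_sectors": result["bad_sectors"],
        "verification_mismatches": mismatched,
        "disposition": "PURGED" if clean else "DESTROY",
        "verified_by": verified_by,
    }


MARKER = b"CONSTRUCTED-SENSITIVE-RECORD "   # stand-in for the data being purged


def demo() -> dict:
    """Run on two constructed 5-sector images, one healthy and one with a simulated
    bad sector; return both records plus whether the marker survived."""
    out = {}
    for name, bad in (("healthy", frozenset()), ("faulty", frozenset({3}))):
        with tempfile.NamedTemporaryFile(delete=False) as f:
            f.write((MARKER * 200)[: 5 * SECTOR - 100])   # not sector aligned on purpose
            path = f.name
        record = sanitize_and_record(path, f"IMG-{name}", "auditor@example.invalid", bad)
        with open(path, "rb") as f:
            record["marker_present"] = MARKER in f.read()
        os.unlink(path)
        out[name] = record
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The seed of the final pass goes into the record so a second person can re-run `verify()` independently, which is how the "authorized individual should verify" step in CS-11 becomes a repeatable check rather than a signature.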

General security checklist guidance

2.2 (WIR2170) of DISA Wireless STIG Windows Mobile Messaging Checklist Version 5, Release 2.3 states that new and reissued wireless email devices should have a "Device HARD Reset" performed by the wireless email system administrator, have all system software reinstalled from a trusted source, and have the site security policy pushed to the device before being issued to a user and put onto the wireless email network.

2.2 (WIR1170) of DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.1 states that new and reissued wireless email devices should have a "Device HARD Reset" performed by the wireless email system administrator, have all system software reinstalled from a trusted source, and have the site security policy pushed to the device before being issued to a user and put onto the wireless email network.

2.2 (WIR1170) of DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.1 states that new and reissued wireless email devices should have a "Device HARD Reset" performed by the wireless email system administrator, have all system software reinstalled from a trusted source, and have the site security policy pushed to the device before being issued to a user and put onto the wireless email network.

International Standards Organization Guidance

ISO 15489-1 and 15489-2 detail the disposition process extensively as summarized above, although only with respect to records.

The ISO/IEC 27002-2005 Code of practice for information security management § 9.2.6 states that prior to disposing of equipment or sending it out for repair, the storage media should be checked for any sensitive information. If sensitive information is contained on the media, it should be physically destroyed, deleted, or overwritten in such a way that the data is not retrievable.

The ISO 17799:2005 Code of Practice for Information Security Management § 9.2.6 states that prior to disposing of equipment or sending it out for repair, the storage media should be checked for any sensitive information. If sensitive information is contained on the media, it should be physically destroyed, deleted, or overwritten in such a way that the data is not retrievable.

Asia and Pacific Rim Guidance

The Australian Government ICT Security Manual (ACSI 33) § 3.4.26, 3.4.33, 3.4.45, 3.4.46, 3.4.51 states that hardware or media containing classified material should be sanitized or destroyed before being disposed of. The following types of material cannot be sanitized and must be destroyed if they contain classified information: microfiche, microfilm, optical disks, printer ribbons, Programmable Read-Only Memory, and Read-Only Memory. To physically destroy media, it should be broken up or heated until it has been burnt to ash or melted.


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2008 Network Frontiers, LLC. All rights reserved.