Establish, implement, and maintain a system redeployment program.

CONTROL ID: 06276
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Asset Management program., CC ID: 06630

This Control has the following implementation support Control(s):
  • Test systems for malicious code prior to when the system will be redeployed., CC ID: 06339
  • Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed., CC ID: 06400
  • Wipe all data on systems prior to when the system is redeployed or the system is disposed., CC ID: 06401
  • Transfer legal ownership of assets when the system is redeployed to a third party., CC ID: 06698
  • Document the staff's operating knowledge of the system prior to a personnel status change., CC ID: 06937
  • Redeploy systems to other organizational units, as necessary., CC ID: 11452

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • App 2-1 Item Number IV.7(6): Procedures must be developed to prevent misconduct and leakage of confidential information that could occur when hardware is retained, relocated, or disposed. This is a control item that constitutes a relatively small risk to financial information. This is an IT general … (App 2-1 Item Number IV.7(6), App 2-1 Item Number V.6(1), App 2-1 Item Number V.6(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization must develop a system to prevent the fraudulent or erroneous acquisition, use, or disposal of assets. They must develop and implement a system that when anything is acquired, used, or disposed of that has not undergone the proper procedures or approvals is immediately identified and… (Practice Standard § I.1(4) ¶ 3, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • O25.3(1): The organization shall designate an individual in charge and develop methods to transfer, remove, and destroy data files. O25.3(1).2: The organization shall develop restrictions and methods for removing data files for when the files will be taken outside the organization. O57.3: To prevent… (O25.3(1), O25.3(1).2, O57.3, O74, O74.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Taking decisions on any new applications to be acquired / developed or any old applications to be discarded (Critical components of information security 11) c.2. Bullet 6, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should actively manage its IT systems and software so that outdated and unsupported systems which significantly increase its exposure to security risks are replaced on a timely basis. The FI should pay close attention to the product’s end-of-support (“EOS”) date as it is common for vend… (§ 9.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should avoid using outdated and unsupported hardware or software, which could increase its exposure to security and stability risks. The FI should closely monitor the hardware's or software's end-of-support (EOS) dates as service providers would typically cease the provision of patches, inclu… (§ 7.3.1, Technology Risk Management Guidelines, January 2021)
  • sanitise and reset devices, including all media used with them (Security Control: 1300; Revision: 4; Bullet 1, Australian Government Information Security Manual, March 2021)
  • a process and solutions to prevent the unauthorised or unintended disclosure of confidential data, when replacing, archiving, discarding or destroying ICT systems; (Title 3 3.3.4(c) 56.h, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The organization must notify the DSO or MOD DE&S DHSY/PSYA at the earliest possible time any intention to transfer protectively marked work from one List X site to another one or to close a List X contractor's organization. This is required to make proper arrangements to dispose of the assets and to… (¶ 17, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • support decision-making about purchase, re-use, retirement, and disposal of assets (5.2.6 ¶ 1 Bullet 4, ITIL Foundation, 4 Edition)
  • Critical infrastructure security controls should include methods of decommissioning aging / costly Information Systems and replacing them with up-to-date and cost effective technology. (CF.08.03.07e, The Standard of Good Practice for Information Security)
  • Critical infrastructure security controls should include methods of decommissioning aging / costly Information Systems and replacing them with up-to-date and cost effective technology. (CF.08.03.07e, The Standard of Good Practice for Information Security, 2013)
  • Policies and procedures governing asset management shall be established for secure repurposing of equipment and resources prior to tenant assignment or jurisdictional transport. (FS-07, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • The organization shall establish and maintain project plans for decommissioning a medical Information Technology network or medical device. (§ 4.5.2.3 ¶ 1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • (§ 9.9, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Prior to disposing equipment or sending it out for repair, the storage media should be checked for any sensitive information. If sensitive information is contained on the media, it should be physically destroyed, deleted, or overwritten in such a way that the data is not retrievable. (§ 9.2.6, ISO 27002 Code of practice for information security management, 2005)
  • The cloud service provider should ensure that arrangements are made for the secure disposal or reuse of resources (e.g., equipment, data storage, files, memory) in a timely manner. (§ 11.2.7 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Assets are formally managed throughout removal, transfers, and disposition. (PR.DS-3, CRI Profile, v1.2)
  • Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Principle: Firms should establish policies and procedures, as well as roles and responsibilities for escalating and responding to cybersecurity incidents. Effective practices for incident response include: - preparation of incident responses for those types of incidents to which the firm is most lik… (Incident Response Planning, Report on Cybersecurity Practices)
  • CSR 1.3.4: The organization must remove all sensitive information from files before it releases these files to a contractor or individual who is not authorized to access sensitive information. The sanitization process shall include removing all labels, markings, data, and activity logs. The organiza… (CSR 1.3.4, CSR 1.3.7, CSR 5.9.14, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • New and reissued wireless e-mail devices should have a "Device HARD Reset" performed by the wireless e-mail system administrator, have all system software reinstalled from a trusted source, and have the site security policy pushed to the device before being issued to a user and put onto the wireless… (§ 2.2 (WIR1170), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • New and reissued wireless e-mail devices should have a "Device HARD Reset" performed by the wireless e-mail system administrator, have all system software reinstalled from a trusted source, and have the site security policy pushed to the device before being issued to a user and put onto the wireless… (§ 2.2 (WIR3170), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • New and reissued wireless e-mail devices should have a "Device HARD Reset" performed by the wireless e-mail system administrator, have all system software reinstalled from a trusted source, and have the site security policy pushed to the device before being issued to a user and put onto the wireless… (§ 2.2 (WIR2170), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • Planning for the update or replacement of systems nearing obsolescence. (App A Objective 6.16.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b), FedRAMP Security Controls High Baseline, Version 5)
  • Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Assets are formally managed throughout removal, transfers, and disposition. (PR.DS-3, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • (§ 3.4.6, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1) ¶ 1(b) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should remove the component that is being serviced from the system, sanitize the component before it is removed from the site and after the service is performed, and sanitize the component before it is reconnected to the system. (SG.MA-6 Requirement Enhancements 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure. (SI-13(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Take system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure. (SI-13(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Take system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure. (SI-13(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Build and Execute a Disposal/Transition Plan: Much like a work plan, this plan identifies necessary steps, decisions, and milestones needed to properly close down, transition, or migrate a system or its information. (§ 3.5.3.1, Security Considerations in the Information System Development Life Cycle, NIST SP 800-64, Revision 2)
  • The purging, clearing, and destruction of Type I Magnetic Tape, Type II Magnetic Tape, Type III Magnetic Tape, Floppies, Zip Drives, Bernoulli Boxes, Removable Hard Disks, Non-Removable Hard Disks, Magneto-optical: Read Only Optical Disk, Write Once Read Many (WORM) Optical Disk, Read Many Write Man… (§ 6.b, § 6.b(5), US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11, January 2007)
  • Establish and implement policies and procedures to ensure data protection measures are in place, including identifying critical data and establishing classification of different types of data, establishing specific handling procedures, and protections and disposal. (Table 2: Data Security & Information Protection Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. (MA-5(1)(b), TX-RAMP Security Controls Baseline Level 2)