Dispose of hardware and software at their life cycle end.


CONTROL ID
06278
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Asset Management program., CC ID: 06630

This Control has the following implementation support Control(s):
  • Refrain from placing assets being disposed into organizational dumpsters., CC ID: 12200
  • Establish, implement, and maintain disposal contracts., CC ID: 12199
  • Remove asset tags prior to disposal of an asset., CC ID: 12198
  • Document the storage information for all systems that are stored instead of being disposed or redeployed., CC ID: 06936
  • Test for detrimental environmental factors after a system is disposed., CC ID: 06938


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • In order to protect production programs against tampering, destruction, and accidental erasure, it is necessary for the program library administrator to implement the registration, deletion, and other processing of programs to/from production according to predetermined procedures with attention paid… (P40.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to establish and maintain proper procedures for the disposing of handheld terminals. (P118.9., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to formulate a disposal plan for the system, clarify the disposal procedure, and discard it with approval from the person in charge of operation and the user's department. (P82.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Televisions and computer monitors that cannot be sanitised are destroyed. (Security Control: 1222; Revision: 1, Australian Government Information Security Manual, March 2021)
  • When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices. (Security Control: 0318; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements. (P1:, Australian Government Information Security Manual, March 2021)
  • that cannot be adequately updated as new security vulnerabilities or threats are identified; and (43(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • where the use of mitigating controls — such as segregation from other information assets — is not an option. (43(b)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Decommissioning and destruction controls are used to ensure that IT security is not compromised as IT assets reach the end of their useful life. Examples include archiving strategies and the deletion of sensitive information prior to the disposal of IT assets. (¶ 55, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • support decision-making about purchase, re-use, retirement, and disposal of assets (5.2.6 ¶ 1 Bullet 4, ITIL Foundation, 4 Edition)
  • Are there procedures and controls for eliminating software and hardware? (Table Row I.26, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced "end of life" plans. (12.3.4 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Merchants should dispose of old devices in a consistent manner. When guidance is provided by the solution provider, the merchant should follow it. Some items to consider include: - Remove all tags and business identifiers. The intent of this document is to provide security risk-reduction recommendati… (¶ 5.7.1, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • Documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced "end of life" plans. (12.3.4 Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced "end of life" plans. (12.3.4 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The anti-counterfeit processes shall include the management of parts obsolescence. (§ 4.1.2, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • Electronic equipment manufacturers should use an obsolescence management plan to proactively manage the lifecycle of their products. (App A § A.2 ¶ 1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • Office equipment shall be supported by documented standards / procedures, which cover decommissioning office equipment in a secure manner. (CF.12.03.01e, The Standard of Good Practice for Information Security)
  • Sensitive information stored on office equipment shall be securely destroyed (e.g., by using deletion software or physically destroying the hard disk drives) before the equipment is decommissioned, sold, or transferred to an external party (e.g., a leasing company or equivalent). (CF.12.03.11, The Standard of Good Practice for Information Security)
  • Office equipment shall be supported by documented standards / procedures, which cover decommissioning office equipment in a secure manner. (CF.12.03.01e, The Standard of Good Practice for Information Security, 2013)
  • Sensitive information stored on office equipment shall be securely destroyed (e.g., by using deletion software or physically destroying the hard disk drives) before the equipment is decommissioned, sold, or transferred to an external party (e.g., a leasing company or equivalent). (CF.12.03.11, The Standard of Good Practice for Information Security, 2013)
  • The organization should securely destroy or erase backup media at the end of its life. (Critical Control 8.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established, and supporting business processes implemented, for the use and secure disposal of equipment maintained and used outside the organization's premise. (DCS-05, Cloud Controls Matrix, v3.0)
  • Authentication tool obsolescence shall be managed. (§ 4.4.10 ¶ 1, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • IT equipment obsolescence shall be managed so backward compatibility and the level of security is guaranteed for a period of time. (§ 4.4.10 ¶ 2, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • The organization shall remove the system. (§ 6.4.11.3(b)(5), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall destroy the system. (§ 6.4.11.3(b)(6), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Implement a system disposal strategy and execute required actions when a system is removed from operation. (Task M-7, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Processes to address IT asset EOL. (III.B Action Summary ¶ 2 Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Establishes procedures for the secure destruction or data wiping of hardware and software. (App A Objective 4:4f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Assess whether each IT asset is captured in the entity's ITAM inventory, tracked throughout its operational life, and prepared for physical removal at the end of its useful life. Determine whether management implemented policies, standards, and procedures to identify assets and their EOL time frames… (App A Objective 4:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. (SR-12 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. (SR-12 Control, FedRAMP Security Controls Low Baseline, Version 5)
  • Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. (SR-12 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. (SR-12 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. (SR-12 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. (SR-12 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. (SR-12 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. (SR-12 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. (SR-12 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Assets are formally managed throughout removal, transfers, and disposition (PR.DS-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Assets are formally managed throughout removal, transfers, and disposition (PR.DS-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life. (T0118, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization disposes of information system components using {organizationally documented techniques and methods}. (SA-19(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization disposes of information system components using [Assignment: organization-defined techniques and methods]. (SA-19(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. (SR-12 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. (SR-12 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Dispose of Hardware and Software: Hardware and software can be sold, given away, or discarded as provided by applicable law or regulation. The disposal of software should comply with license or other agreements with the developer and with government regulations. (§ 3.5.3.4, Security Considerations in the Information System Development Life Cycle, NIST SP 800-64, Revision 2)
  • The organization disposes of information system components using [Assignment: organization-defined techniques and methods]. (SA-19(3) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)