Disassemble and shut down unnecessary systems or unused systems.


CONTROL ID
06280
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Asset Management program., CC ID: 06630

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is also necessary to make sure that the system has completely ceased operations prior to the start of disposal. (P82.2. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The other relevant controls include service level management, vendor management, capacity management and configuration management which are described in later chapters. Decommissioning and destruction controls need to be used to ensure that information security is not compromised as IT assets reach … (Critical components of information security 6) (iv), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization must develop a hardened Standard Operating Environment for servers and workstations that includes removing unnecessary software, operating system components, and hardware. (Control: 0380 Bullet 1, Australian Government Information Security Manual: Controls)
  • support decision-making about purchase, re-use, retirement, and disposal of assets (5.2.6 ¶ 1 Bullet 4, ITIL Foundation, 4 Edition)
  • The legacy system may be suspended, discontinued, or turned off absent adequate validation evidence or retrospective qualification evidence. (¶ 16.7, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization should configure systems to prevent data from being written to portable drives and tokens, if there is no business need. (Critical Control 17.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization shall deactivate the system before removing it from operations. (§ 6.4.11.3(b)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall disassemble the system to facilitate its removal. (§ 6.4.11.3(b)(4), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Do the configuration policies and procedures include removing or disabling unnecessary network services and Operating System services? (IT - Networks Q 25, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Closure of System: The information system is formally shut down and disassembled at this point. (§ 3.5.3.5, Security Considerations in the Information System Development Life Cycle, NIST SP 800-64, Revision 2)
  • Hardware is maintained, replaced, and removed commensurate with risk (PR.PS-03, The NIST Cybersecurity Framework, v2.0)