Establish, implement, and maintain a system disposal program.


CONTROL ID
14431
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Asset Management program., CC ID: 06630

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain disposal procedures., CC ID: 16513
  • Establish, implement, and maintain asset sanitization procedures., CC ID: 16511
  • Destroy systems in accordance with the system disposal program., CC ID: 16457
  • Approve the release of systems and waste material into the public domain., CC ID: 16461
  • Establish, implement, and maintain system destruction procedures., CC ID: 16474
  • Establish, implement, and maintain printer and multifunction device disposition procedures., CC ID: 15216


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Products that infringe on intellectual property rights shall be destroyed in accordance with the environmental laws and regulations. (Art 32, Anti-Counterfeiting Trade Agreement)
  • It is necessary to formulate a disposal plan for the system, clarify the disposal procedure, and discard it with approval from the person in charge of operation and the user's department. (P82.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • When disposing of a computer system, it is necessary to take measures for protecting confidentiality and privacy, and for preventing irregularity considering the importance of the system to be discarded. (P83.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The other relevant controls include service level management, vendor management, capacity management and configuration management which are described in later chapters. Decommissioning and destruction controls need to be used to ensure that information security is not compromised as IT assets reach … (Critical components of information security 6) (iv), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented. (Security Control: 1550; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Maintaining information assets therefore necessitates a disciplined approach to information asset life-cycle management, including a comprehensive understanding of assets that support the business, as well as the potential impacts of an information security compromise of these assets. Maintenance of… (41., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Hardware or media containing classified material should be sanitized or destroyed before being disposed. The following types of material cannot be sanitized and must be destroyed if they contain classified information: microfiche, microfilm, optical disks, printer ribbons, Programmable Read-Only Mem… (§ 3.4.26, § 3.4.33, § 3.4.45, § 3.4.46, § 3.4.51, Australian Government ICT Security Manual (ACSI 33))
  • An item must be disposed of after it has been verified as being counterfeit. (§ 4(4), Individual Member Anti-Counterfeit Policy)
  • Management must dispose of the counterfeit product as directed by ASCDI standards, law enforcement standards, or industry standards. (§ 6(4), Individual Member Anti-Counterfeit Policy)
  • The organization should have procedures that define the responsibility and authority for disposing of nonconforming products. (App F § F.1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • Policies and procedures shall be established, and supporting business processes implemented, for the use and secure disposal of equipment maintained and used outside the organization's premise. (DCS-05, Cloud Controls Matrix, v3.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed a data destruction procedure that renders recovery of information impossible mus… (DCS-01, Cloud Controls Matrix, v4.0)
  • The organization shall define system disposal procedures. (§ 6.4.11.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The cloud service customer should request confirmation that the cloud service provider has the policies and procedures for secure disposal or reuse of resources. (§ 11.2.7 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Implement a system disposal strategy and execute required actions when a system is removed from operation. (Task M-7, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Assets are formally managed throughout removal, transfers, and disposition. (PR.DS-3, CRI Profile, v1.2)
  • The organization should dispose of all personal information in a manner that will prevent loss, misuse, or unauthorized access. (ID 5.2.2, AICPA/CICA Privacy Framework)
  • The destruction of media and records addresses the issue of removing residual data. While NIST provides controls for organizations to implement, DoD, as always, includes these procedures as automated controls performed by records management systems. (§ C2.2.6.6, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Technical Surveillance Countermeasure equipment that is obsolete and identified for disposal shall be demilitarized if it reveals or tends to reveal countermeasure limitations or capabilities. (§ 5.9.2, DoD Instruction 5240.5, DoD Technical Surveillance Countermeasures (TSCM) Survey Program, May 23, 1984)
  • Policies and procedures shall be implemented for the final disposition of electronic protected health information and/or the media or hardware it is stored on. (§ 164.310(d)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Assess whether each IT asset is captured in the entity's ITAM inventory, tracked throughout its operational life, and prepared for physical removal at the end of its useful life. Determine whether management implemented policies, standards, and procedures to identify assets and their EOL time frames… (App A Objective 4:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Plans for obsolescence, EOL, and decommissioning of systems. (App A Objective 12:4f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implementation of appropriate procedures for the disposal of equipment (e.g., printers). (App A Objective 15:8d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management implements policies, standards, and procedures to address media and equipment disposal or transfer. Evaluate whether management addresses the following: (App A Objective 15:8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Performance of periodic reviews to ensure the timely disposal of decommissioned equipment. (App A Objective 15:8e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Incorporates EOL considerations in strategic planning. (App A Objective 4:4g Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Reviews EOL time frames for existing assets to determine accuracy and relevance. (App A Objective 4:4d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Development of appropriate design objectives, including changes, EOL, and identification of shadow IT. (IV Action Summary ¶ 2 Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Adhering to an approved end-of-life or sunset policy for older systems. (App A Objective 6.16.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management plans for the life cycles of the institution's systems, eventual end of life, and any corresponding business impacts. Review whether the institution's life cycle management includes the following: (App A Objective 6.16, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Tracking changes made to the systems and applications, availability of updates, and the planned end of support by the vendor. (App A Objective 6.16.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Surplus and/or obsolete software, hardware, and data should be disposed of in an orderly manner. (Pg 32, Pg 33, Pg 56, Pg 57, FFIEC IT Examination Handbook - Development and Acquisition)
  • Federal Tax Information should be destroyed or returned to the IRS or the SSA after its use. (§ 6.3.4, Exhibit 3(F), IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • When a WLAN component is disposed of, the organization should ensure all sensitive configuration information has been removed, including pre-shared keys and passwords. When feasible, the organization should use a degaussing device. (Table 8-6 Item 57, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • The organization should test the sanitization methods being used to ensure the proper protection is being maintained. (§ 4.7, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • Test a sample of media to ensure it is sanitized appropriately with regard to its classification. The testing should be completed by personnel not involved in the sanitization process. (§ 4.7, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • Conduct end-of-operations assessments. (T0611, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Implement a system disposal strategy which executes required actions when a system is removed from service. (T0966, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should implement policies and procedures for adding, removing, and disposing of all Information System equipment. (SG.CM-9 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Implement a system disposal strategy which executes required actions when a system is removed from service. (T0966, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct end-of-operations assessments. (T0611, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Randomly test at least 20% of the media being purged to verify the purging has been successfully completed. The testing should be conducted by personnel who did not conduct the purging. (§ 6.b, § 6.b(5), US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11, January 2007)
  • Data sanitization should be performed on all storage media before redeploying or disposing of any assets. The method of data sanitization should be either degaussing, overwriting using a minimum of three overwrites, or destroying the media by shredding, incinerating, pulverizing, melting, or disinte… (§ 4.2, State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal, Revision 2.0)