Why is it important to decommission systems in a secure way?

In October 2020, the Office of the Comptroller of the Currency (OCC), part of the US Department of the Treasury, levied a $60 million penalty against finance giant Morgan Stanley for failing to properly decommission two wealth management data centers in 2016. According to a report by Finextra, it was also penalized for not doing its due diligence in selecting a vendor to carry out the decommissioning work, failing to monitor the vendor's performance, and failing to maintain an appropriate inventory of customer data stored on the decommissioned hardware.

This was a hefty fine, and it revealed the layers of action that must be planned and thoroughly carried out when it comes time to decommission data storage systems. It’s not just about the activity, it is also about due diligence, oversight, and proof.

Since every organization in every business uses and stores data, and the media upon which data is stored needs to be replaced, securely removing the storage systems must be carefully executed. Data that appears to have been “deleted” is often still recoverable, and in many cases, people make mistakes, such as forgetting a second backup exists somewhere else, or forgetting to verify that a destruction has been successfully and completely deployed. Human errors like this are referred to as unintentional insider threats, since they lead to the potential of data theft, litigation, and penalties.

Steps you should consider when decommissioning

It is vital to follow a clear plan to ensure all steps are taken. This is because words used have similar meaning to the untrained eye, and assuming that “sanitizing” and “disposing” for example, are the same thing leads to errors. According to Robert Sheldon and Andy Patrizio, the steps are:

  1. Evaluate when to retire the storage media: according to expected lifespan, warranty expiration, or when patches and updates are no longer available.
  2. Plan how to retire and dispose of the storage media: including listing tasks and assigning people to them, adhering to verification standards, confirming which assets have been destroyed, talking to any vendors/subcontractors involved, and obtaining references from their past clients.
  3. Prepare the storage media for retirement: this includes preparing, making, and reviewing replacement backups according to GRC policies, building a configuration management database (CMDB), mapping dependencies in the data center, listing what was stored on the device prior to destruction, and canceling vendor maintenance contracts related to the media.
  4. Decommission the storage media: take the media offline, turn it off, in preparation for destruction, but leaving it intact to ensure its absence doesn’t cause/reveal a compromise elsewhere.
  5. Protect the storage media: place it in a secure, locked location to make sure it is inaccessible to unauthorized personnel.
  6. Sanitize the storage media: this is the process of irreversibly destroying all data on a storage device such as magnetic disks, flash memory devices, CDs, and DVDs. Refer to guidance from organizations such as NIST (National Institute of Standards and Technology). Ensure only authorized personnel have access to the media.
  7. Dispose of the storage media: this may mean the removal of the media, selling it, or returning it to the vendor. This can only happen after proof of complete data destruction is provided and audited. Environmental and recycling issues may be considered here.

Physical destruction is generally considered the most secure and permanent type of data destruction, but this must be done to a provable level, as even a small piece of a disk may contain data. Typical techniques include grinding, shredding, incineration, applying corrosive chemicals, or applying extremely high voltage.

Data stored off-site, such as in cloud backup storage, means a cloud vendor must destroy the data and must provide proof of successful and complete destruction. Cloud volumes are mobile and may be moved and backed up by the cloud vendor. It is imperative that the contract with a cloud vendor include clear policies around destruction and verification, since from a liability standpoint the data owner – not the cloud service provider – remains liable in case of a breach. Many companies are using or considering encryption of their cloud-based data as added security.

The role of a CGRC certified cybersecurity professional

Often, the technicians who oversee data management may miss critical components of a decommissioning operation, either through lack of experience, or simply that more pressing tasks are on the front burner. The CGRC certified cybersecurity professional has the project management expertise, the ability to communicate, delegate, and provide a degree of oversight that is still connected to the culture of the IT community. It is this type of understanding – operating between IT professionals, management, and vendors – that allows critical projects such as the decommissioning of data storage devices, and the secure management of the stored data to be handled efficiently and securely.

How the CGRC certification can help you succeed

The CGRC Certification delivers a skillset that is central to any organization’s future, since it blends skills such as communication and strategy with a strong knowledge of software engineering.

Get the Guide