S 2.323 Orderly withdrawal from operation of clients
Initiation responsibility: Head of IT, Information Security Management
Implementation responsibility: Administrator
When withdrawing a client from operation, it must be ensured, above all, that
- No important data that might be stored on the client are lost, and that
- No sensitive data are left behind on the computer's data media
It is therefore especially important to gain an overview of which data are stored at which location on the system.
- Data backup
Prior to withdrawing the computer from operation, locally stored data that are still required must either be backed up or archived externally (e.g. on magnetic tapes, CD-ROMs or DVD-ROMs) or transferred to a backup system. After the backup, it should be checked that all data have really been backed up correctly.
In this context, it can be appropriate to provide the users with a suitable drive, e.g. a CD or DVD burner, to back up locally stored data.
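One way to check that all data have really been backed up correctly is to compare checksums of the client's files with those of the backup copy. The following Python code is an added example, not part of the original safeguard; the function names, directory layout and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def hash_tree(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for directory, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(directory, name)
            if os.path.isfile(full) and not os.path.islink(full):  # symlinks are skipped
                digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests

def verify_backup(source_root, backup_root):
    """Return (missing, mismatched): source files absent from or altered in the backup."""
    source = hash_tree(source_root)
    backup = hash_tree(backup_root)
    missing = sorted(p for p in source if p not in backup)
    mismatched = sorted(p for p in source if p in backup and source[p] != backup[p])
    return missing, mismatched

def build_demo():
    """Constructed sample data: a client tree and a deliberately faulty backup of it."""
    base = tempfile.mkdtemp(prefix="withdrawal_demo_")
    src, bak = os.path.join(base, "client"), os.path.join(base, "backup")
    notes, inbox = os.path.join("docs", "notes.txt"), os.path.join("mail", "inbox.mbox")
    source_files = {os.path.join("docs", "report.txt"): b"figures", notes: b"meeting notes", inbox: b"From alice"}
    backup_files = dict(source_files)
    del backup_files[inbox]               # file that was never copied
    backup_files[notes] = b"meeting no"   # truncated copy
    for root, files in ((src, source_files), (bak, backup_files)):
        for rel, data in files.items():
            target = os.path.join(root, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as handle:
                handle.write(data)
    return src, bak

if __name__ == "__main__":
    missing, mismatched = verify_backup(*build_demo())
    print("missing from backup:", missing, "| content differs:", mismatched)
```

Both lists being empty is the condition for moving on to deleting the data on the client; any entry means the backup must be repeated for that file first.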
Additional information on this subject can be found in modules S 1.4 Data backup policy and S 1.12 Archiving.
- Deleting the system from directory services and databases
Authorisations in the network that are linked to the client computer itself (and not to a user) must be deleted. Examples include entries on proxy servers at the security gateway or access rights to network services assigned based on the IP address. If the client is entered in network-wide directory services or databases (e.g. in a Windows domain, Active Directory, NIS, etc.), the associated entries must be deleted, or the corresponding accounts must at least be deactivated.
- Deleting data on the system
It must be ensured that no information requiring protection remains on the hard disks. Reformatting the hard disks is not enough for this; the disks must instead be completely overwritten at least once. Neither logical deletion using the operating system's delete functions nor reformatting the disks actually removes the data from the hard disks. In these cases the data can be reconstructed with the appropriate software, often without great effort. Further information can be found in S 2.13 Correct disposal of resources requiring protection and in S 2.167 Selecting suitable methods for deleting or destroying data.
- Erasing data backup media
After withdrawing a system from operation, the corresponding data backup media also need to be erased as soon as the data stored on them are no longer needed.
- Removal of other information
If potentially sensitive data (e.g. certain configuration data) are stored in places other than the computer's hard disk (e.g. in a non-volatile memory), they must also be removed before passing the device on.
It is recommended to create a checklist based on the recommendations provided above that can then be used when withdrawing a system from operation. This helps to prevent individual steps from being forgotten.
Review questions:
- Does a documented procedure for withdrawing clients from operation exist?
- Is it ensured that all data possibly remaining on the client are backed up and subsequently deleted securely from the client?