S 2.361 Deinstallation of storage systems

Initiation responsibility: Information Security Management, Head of IT

Implementation responsibility: Administrator

If a storage system or individual hard disks in a storage system are not needed any more, then it must be ensured first that all data stored on this system are transferred in a suitable manner to other systems.

Afterwards, it must be ensured that all user data and configuration data is deleted securely.

Exchanging individual data media

If one or more hard disks are defective and need to be replaced for this reason, then it must be ensured that the data cannot be reproduced if the removed hard disks are handled by external entities, for example by the manufacturer. It must be ensured that third parties are not able to obtain the data on these disks even when disks are reported as defective by the storage system.

If high or very high protection requirements were specified for the data, then the manufacturer or dealer must agree to physically destroy the corresponding disks. The manufacturer or supplier must provide the organisation with verification of their destruction.

Deleting hard disks

When intact hard disks that could or should be reused are replaced, the data stored on them must be deleted so that their contents cannot be reproduced any more (see also S 2.167 Selecting suitable methods for deleting or destroying data).

For SAN and NAS hard disks in complex storage systems, special deletion programs from the manufacturer are necessary. The deletion can then be performed by the company contracted for maintenance. When performed by a contractor, a contractual agreement containing a corresponding obligation of the service provider to delete the data must be signed. Verification of the deletion must be provided to the organisation in this case as well.

Dismantling a storage system

If a storage system is to be taken out of operation, then a data migration procedure must be developed first. It must be ensured that all data on the storage system is transferred to other storage systems in a suitable form.

"In a suitable form" means that all requirements resulting from the activities of the organisation, but also any legal requirements on storage periods and similar requirements, must be fulfilled.

It is recommended to plan a transition phase in which the data transferred to the new storage system is used in actual operations, but in which the old storage system is still accessible so that any problems detected later on can still be solved.

The user data should only be deleted after the transition phase is declared complete. An efficient procedure corresponding to the protection requirements of the data must be selected with the manufacturer and/or supplier. When in doubt, the same procedure used to exchange a single disk of the storage system should be selected for all the disks in the storage system.
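One way to support the decision that the transition phase is complete, as an added example that is not part of the original safeguard: compare a SHA-256 manifest of the old storage system with one of the new system and release the old data for deletion only when nothing is missing or different. The function names, the use of SHA-256 and the sample directory trees are assumptions made for this illustration.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest.hexdigest()
    return result

def migration_gaps(old_root, new_root):
    """Return (missing, changed): files absent on the new system, files whose content differs."""
    old, new = manifest(old_root), manifest(new_root)
    missing = sorted(p for p in old if p not in new)
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    return missing, changed

def build_sample():
    """Constructed sample data: the new tree lost one file and truncated another."""
    base = tempfile.mkdtemp(prefix="migration-check-")
    old_root, new_root = os.path.join(base, "old"), os.path.join(base, "new")
    old_files = {"finance/q1.csv": b"a,b\n1,2\n", "hr/staff.txt": b"alice\n",
                 "logs/app.log": b"ok\n"}
    new_files = {"finance/q1.csv": b"a,b\n1,2\n", "hr/staff.txt": b"alice"}
    for root, files in ((old_root, old_files), (new_root, new_files)):
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    return old_root, new_root

if __name__ == "__main__":
    old_root, new_root = build_sample()
    missing, changed = migration_gaps(old_root, new_root)
    print("missing on new system:", missing)
    print("content mismatch:", changed)
    print("old data may be deleted:", not missing and not changed)
```

Files that were legitimately modified on the new system during the transition phase also appear as mismatches, so each reported difference has to be explained before the old storage system is released for deletion.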

Deleting administrative information

The IP addresses of NAS systems or LUNs as well as similar specifications for SAN components must be deleted from the configuration. Likewise, it must be ensured that other miscellaneous administrative information is verifiably deleted. This information includes, for example, the information stored by a web server running as an administration tool on the system.

License key management

It must be checked if there are any software licenses (e.g. for anti-virus software) which are not needed any more and therefore can be cancelled.

Documentation

Final documentation on the data migration and the deletion of the data must be provided.

The contingency planning documentation must be checked. Functional dependencies in planning relevant to the restart procedure after malfunctions must also be adapted to the new configuration. There should be no more references to the de-installed storage system in the contingency planning documentation or in the operational documentation.

Review questions: