S 4.234 Orderly withdrawal from operation of IT systems and data media

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Specialists Responsible, Employee, Administrator

The technology of IT systems and data media is subject to constant change. For this reason, they are replaced more often than many other types of work material. Before an IT system or data medium is taken out of operation, it must be clarified how it will be taken out of operation and how the information stored on it should be handled. In particular, it must be ensured that no important data stored on the data medium is lost and that no confidential data is left on the data medium.

Before disposing of IT systems or data media, they must be examined to check if there is any data stored on them that is still needed. This data must be saved to other data media or archived. The data should also be checked to ensure it was actually saved correctly. Additional information on this subject can be found in modules S 1.4 Data backup policy and S 1.12 Archiving.

When withdrawing an IT system from operation, it should also be checked if there are still data backup media available that were used during the operation of the IT system. These media also need to be erased or made unusable if the data stored on them is not needed any more.

After that, it is necessary to clarify if the IT systems or data media will be destroyed or given to third parties. In many cases, IT systems are reused after disposal. For example, IT systems taken out of operation in one department are often given to another department, given to employees or sold. In addition, it must be specified how the information stored on them will be saved for further use, secured, or reliably deleted.

If the data media will be passed on to external parties, then they must be overwritten using a secure method. Even if there is apparently no more information requiring protection on them at first glance, such data may just have been inadequately deleted, and it may still be possible to find hidden pieces of data on them in this case. It must be ensured that all data and applications are carefully deleted before giving the data media to outsiders (see also S 2.433 Overview of the methods for deleting and destroying data).

If data with a high protection requirement was stored on the data media, then the methods used to reliably delete this data often require the physical destruction of the data media.

When specifying the procedures for withdrawing IT systems and data media from operation, you must not forget devices that are not really perceived as being IT systems but which can still contain large amounts of confidential data (e.g. mobile telephones, printers, copiers and fax machines). For example, if fax machines are to be sold or given to third parties, then it must be ensured that the internal memory containing fax connection data and fax contents is securely erased. In addition, all IDs and labels on the devices and data media that could provide information on their previous use or purpose, for example labels with the names and IP addresses of computers, should be removed.

Likewise, it is necessary to securely erase and dispose of the IT systems and storage media whose operation and/or maintenance was outsourced. How to securely withdraw these from operation, including how they will be disposed of or returned to the owner, must be specified in the corresponding contracts.

The procedure for withdrawing IT systems and data media from operation in the organisation must be clearly documented. It is recommended to create a checklist based on the recommendations provided above that can then be used when withdrawing an IT system from operation. This helps to prevent individual steps from being forgotten. It is recommended to have the completion of each step confirmed in writing by the person responsible for performing the step.

Review questions:

© Federal Office for Information Security. All rights reserved.