A crucial aspect of system upgrade is the meticulous decommissioning of old IT assets, requiring careful data handling to prevent potential breaches and ensure compliance with laws & regulations. Securely wiping data from the old device is crucial after transferring it to the new device to prevent unauthorized access. Strict compliance with data protection and environmental standards is essential to comply with laws governing business. IT asset managers need to adhere to a comprehensive checklist to ensure a seamless system hardware upgrade. While focusing on the essential aspects of data classification, inventorying, backups, and component selection is important, it's equally crucial to consider data sanitization as a key pointer in your hardware upgrade checklist.
Checklist for Upgrading System Hardware
The following checklist provides a structured approach for IT asset managers (ITAM) and administrators while upgrading system hardware.
Data Classification and Inventorying
Before system hardware upgrades and asset decommissioning, effective data classification is critical. Data needs to be classified based on its sensitivity, confidentiality, and criticality. Data inventory helps outline the complete record of data assets, their locations, data format, usage, and the data owners. ITAM can do the following:
- Assess risks, identify key data, and assign risk categories (low, moderate, high).
- Create a classification policy outlining data sensitivity levels (public, internal, confidential, restricted) and handling processes accordingly.
- Categorize data by type (documents, databases) and purpose (financial, operational).
- Identify data locations throughout the organization, including flow, lifetime, ownership, and custodians.
- Use the categorization policy for data labeling and tagging.
Adopting a systematic approach is critical to ensuring data security and compliance during hardware migrations, such as following ISO 27001 Annex A 5.12, which discusses information categorization.
Data Backup and Verification
A comprehensive data backup plan is required before initiating any hardware upgrades. In addition to safeguarding against unexpected issues during the upgrade, having a backup ensures the preservation of critical data and a smoother recovery process.
The processes of data backup and verification must adhere to established standards followed by businesses, such as ISO 27001, ISO 27002, and ISO 27040. In accordance with ISO 27002 8.13 and ISO 27040 6.3, data backup policies must cover both on-premise and cloud systems. These policies should clearly define their scope, frequency, format, retention, and roles. ISO 27002 8.13 and ISO 27040 6.4 recommend using checksums, hashes, or digital signatures to verify data integrity.
Perform Data Sanitization
Before retiring or selling old hardware components, data sanitization must be prioritized. Wipe storage devices thoroughly to remove all traces of sensitive information, reducing the risk of data breaches or unauthorized access to the personal data of customers, investors, or employees. IT administrators must adhere to a comprehensive media data sanitization policy as laid down by the organization. Generally, a data sanitization policy outlines the types of data and devices requiring sanitization, data erasure standards to be used in compliance with legal and regulatory mandates, and the definition of staff roles.
Additionally, the ITAM must audit records that affirm secure data destruction is performed on the devices retired in order to meet compliance.
ITAMs must choose the right data destruction software and avoid getting trapped with freely available software like DBan that do not generate proof of data destruction. Auditors will demand a data erasure certificate in order to verify the data is destroyed. BitRaser is a recommended tool that helps erase drives and devices securely using international standards of data erasure like DoD 3 pass, NIST Clear, NIST Purge, etc.
Note: Organizations can refer to the original NIST guidelines for media sanitization. Alternatively, the IEEE 2883-2022 standard provides current media sanitization best practices for storage media.
Handling of Failed Media Sanitization
In the event of failed media sanitization attempts, IT administrators are advised to isolate and label the media with bad sectors. Drives with bad sectors cannot be erased and need to be physically destroyed as per NIST guidelines. Records of physical destruction must also be maintained.
Configure New Hardware: Update Software and Install Operating System
Now that the old hardware is sanitized, the new hardware needs to be ready. Retrieve data backup on new hardware and ensure that your software applications are up to date. Check for updates on essential software, including drivers, antivirus programs, and commonly used applications. Verify the compatibility of software with the new hardware components. If the hardware upgrade involves a major change, such as a new motherboard or CPU, consider reinstalling the operating system and software for optimal performance. Alternatively, use migration tools to transfer the operating system and software to the new hardware while preserving settings and data.
Addressing Data Breach Risks in IT Hardware Upgrades
Following proper data disposal practices is essential when companies upgrade their system hardware. A classic example is the Morgan Stanley data breach case, where the organization was penalized twice with $60 Million and $35 Million for Improper disposal of their IT assets. In 2016, Morgan Stanley suffered a data breach and faced legal and financial repercussions due to a lack of due diligence in their data disposal practices.
This situation highlighted the need for thorough due diligence and effective data protection strategies in outsourcing data wiping tasks of decommissioned hardware.
To avert an outcome similar to Morgan Stanley's, it is imperative for the responsible party, typically the IT administrator, to rigorously enforce stringent data management practices during system upgrades. This approach is crucial to meticulously managing the end-of-life process of system hardware, ensuring decommissioned assets do not become potential liabilities.
+1-844-775-0101
