NCSC Helps Firms Securely Dispose of IT Assets

Organizations looking to securely decommission end-of-life IT assets now have a useful how-to guide published by the National Cyber Security Centre (NCSC).

The agency warned that safely retiring data, software and hardware is a critical endeavor with “potentially severe repercussions” if not done right.

IT assets allowed to continue beyond their lifespan may pose a risk to the organization if they are lost, exploited or accessed by unauthorized individuals, it argued.

Earlier this month, the FBI warned that end-of-life routers are being targeted by threat actors for conscription into botnets.

Published yesterday, the NCSC’s new guidance for technical staff and risk owners argued that all assets should be correctly identified and the accuracy of any associated records validated.

“The goal is to understand the potential impact of the asset’s decommissioning, and ensure that all associated components are accounted for,” it said.

“This is because decommissioning can have broader impacts than are immediately apparent.”

Read more on decommissioning: Cisco Warns of Critical Vulnerability in End-of-Life Routers

There should also be consideration of other assets that may become redundant once the primary asset is decommissioned, the NCSC explained.

Backup, archiving and recovery should be considered to mitigate the risk of things going wrong, or if only part of an asset needs decommissioning, it continued.

Organizations should then sanitize any data in line with NCSC guidance.

According to the NCSC, the decommissioning process itself should include:

• Coordination of decommissioning activities, such as the introduction of replacement assets  
• Effective communications so that everyone who is impacted knows what is happening
• Secure storage of assets while they’re awaiting the next stage of decommissioning, especially if they hold sensitive data
• Ensuring replacement assets are in place and working as expected before any irreversible actions are taken
• Certification and vetting of any third parties set to carry out “sensitive activities”
• Appropriate tracking of any assets that are transferred between individuals or teams

Even after decommissioning, the work continues, with technical staff required to verify the effectiveness of the process.

“During and after the decommissioning process, you should update your asset inventories to accurately reflect the changes in your environment. This ensures a dependable source of truth is available for those who may need to implement changes or manage risks in your environment,” the NCSC concluded.

“Even after completing the decommissioning process, it is important to continue monitoring for any unforeseen impacts that may not have been immediately apparent. In such cases, your backup, archiving, and recovery plans will be critical.”