Retirement is the final phase in the SDLC. To enter this phase, the DAA grants authority to retire the system after the Agency CIO approves the proposed system retirement and determines that other USDA systems are not impacted. This section identifies security requirements that must be met during this phase.
During this phase, consideration should be given to each of the following:
- Information Preservation - Electronic records created or received by the USDA must be managed as federal records, as required by the Federal Records Act, to support USDA business and assure the public that USDA employees are accountable for their actions. Federal electronic records must be managed throughout the records life-cycle to ensure the reliability and authenticity of the USDA’s records as legal evidence of their actions and decisions. Electronic records may be destroyed only in accordance with a records disposition schedule approved by the Archivist of the United States; agencies must consult with the agency records office regarding retaining and archiving federal records.
- Configuration Management and Control - After the decision has been made to retire the system, the final system baseline is frozen and all CM documents are included in the information preservation process.
- Media Sanitization - Make certain that data is deleted, erased, and written over, as necessary. Protection of information system hardware usually requires that residual magnetic or electrical representation of data be deleted, erased, or written over and that any system components with nonvolatile memory are erased. Purging is the removal of data from a storage device at the end of a processing period in such a way that there is assurance, proportional to the sensitivity of the data, that the data may not be reconstructed except through open-ended laboratory techniques. In some cases, the media itself will need to be destroyed.
- Hardware and Software Disposal - Ensure that hardware and software are disposed of as directed by the Chief Information Security Officer. Hardware and software can be sold, given away, or discarded as provided by applicable law or regulation. The disposition of software should comply with license or other agreements with the developer and with government regulations. There is rarely a need to destroy hardware, except for some storage media that contain sensitive information and that cannot be sanitized without destruction. In situations in which the storage media cannot be sanitized appropriately, removal and physical destruction of the media may be possible so the remaining hardware may be sold or given away. Some systems may contain sensitive information after the storage media is removed. If there is doubt whether sensitive information remains on a system, the Chief Information Security Officer should be consulted before disposing of the system.
No artifacts exist for this phase.