welcome back to CyberRays is. Of course, I'm your instructor, Brad Roads. So let's talk about the fifth and final phase of the system development life cycle, and that is disposal.
So we're gonna talk about security activities, linkages and what disposal really is.
So in our our disposal phase, we're going to develop. The transition plan is this is we're going to decide when it is time to turn a system off based on our life cycle planning that we've done throughout, right? And then we're going to figure out,
you know, what are we gonna do next, Right. Are we going when we're talking about the disposal of hardware and software, right. Are we going to reuse it or we're gonna de comet and all that stuff we've talked about that previously
in the s of domains, we have to do sanitization of media. We we can't just take the c d the stack of CDs and throw it in the dumpster and hope that nobody is going to go dumpster diving for because we've talked about that
three or four times in our court. Dumpster diving is still a thing, so please make sure you sanitize your media, and then we obviously probably need to archive critical information. One of the things you need to remember here in the disposal process
is it's not just that we get rid of information. We have to actually work hand in glove with other parts of our organization toe, understand? What do we need to archive? What do we need to store from
a regulatory compliance perspective? And if we get rid of some data that we
should have kept, we could be fined for that. So as Izzy's, we need to understand that archive piece.
Here's our linkages. We've now decided so again, operation and maintenance tends to be the longest phase, uh, in in the system development life cycle we stay. There are long time, depending on the system, the investment, things like that. Then we decide that it's time to disposal. Dispose the system based on the life cycle planning that we've done.
And so this is where we build the plans. We
then have to go through to the actual sanitization. We have toe preserve information. We get rid of things right, and here's important parts here. When we talked about that documentation stuff, we have to have those records. We have toe show and prove and have quality control that we did sanitization appropriately, right? We have to document the closure of a system.
I've worked on government systems that have been closed out before,
Uh, and that documentation gets filed away because if there is ever a liability associated with that system and the way it operated, we have to be able to go back and look at it again. And so when we talk about preserving information, we talk about the formal closure of a system and ending its life, right. And then maybe going on to the next thing of, say, a new system which hopefully
you've been doing along the way. You didn't just
kill the system and are waiting three years for the next one. No, this end of the system right here is very specifically focused on the system that you we've been working on throughout the conversation here on the system development life cycle.
Okay? It is not easy. It is not something that we take lightly. When we get ready to end the system. A system right? We have to review it is it time to really end it, right? We could always go back and say no. We're gonna stay in operation of mates a little longer. Maybe we're waiting on the next generation to arrive, and it's not here yet, so we might delay disposal because of that. Um,
this is all part of what? The change control boards we've talked about. Change management process, configuration control all of that previously.
Well, one of the things that the change control Board does, because again, ending the life of a system ending a system right is a change control matter, right? We're gonna kill a system. The change control board is absolutely involved. And then, of course, we have to review the closure. Right? I put a period on the end of this bullet t to drive home the point that
security view of review of closure. If we don't
look at everything and say, man, did we sanitize things right? Did we archive the right data? Did we document everything correctly? Did we get approval for everything correctly? If we haven't done that
right, then we assist. Sees may not approve
the review of a closure of a system right and I throw the picture of the dumps around here because it seems to be my favorite point. And is that is that Dumpster diving is still a thing. And if you don't dispose of a system properly and you throw a bunch of tech out, I guarantee you that tech is gonna end up
on, you know, in a flea market at a you know, online, somewhere on eBay
being resold and it might not. It might have critical and sensitive information that you don't want out in public. And guess who's responsible for that. If that happens, it's still a breach. The organization is still liable, and that could be a significant problem.
All right, so in this lesson we looked at security activities associated with disposal. We talked about the linkages again, and we we noted that disposal is complex. It is not an easy thing to dispose of a system. It takes a lot of deliberate planning to do it right. We've seen that in a previous Isett domain as well