Disposal


Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
>> Welcome back to Cybrary.
00:00
Yes of course I'm your instructor Brad Rhodes.
00:00
Let's talk about the fifth and final phase
00:00
of the system development life cycle
00:00
and that is disposal.
00:00
We're going to talk about security activities,
00:00
linkages and what disposal really is.
00:00
In our disposal phase,
00:00
we're going to develop the transition plan,
00:00
we're going to decide when it is time to turn a system
00:00
off based on our life cycle
00:00
planning that we've done throughout.
00:00
Then we're going to figure
00:00
out what are we going to do next?
00:00
When we're talking about the disposal of
00:00
hardware and software, are we going to reuse it?
00:00
Are we going to decompose it?
00:00
All that stuff we've talked about that
00:00
previously in the subdomains.
00:00
We have to do sanitization of media,
00:00
we can't just take the stack of CDs
00:00
and throw it in the dumpster and hope that
00:00
nobody is going to go dumpster diving for it.
00:00
We've talked about that
00:00
three or four times in our course,
00:00
dumpster diving is still a thing
00:00
so please make sure you sanitize your media.
00:00
Then we obviously probably need
00:00
to archive critical information.
00:00
One of the things you need to remember here in
00:00
the disposal process is
00:00
it's not just that we get rid of information,
00:00
we have to actually work hand in glove with
00:00
other parts of our organization
00:00
to understand what do we need to archive?
00:00
What do we need to store
00:00
from a regulatory compliance perspective?
00:00
If we get rid of some data that we should have kept,
00:00
we could be fined for that,
00:00
so as ECs we need to understand that archive piece.
00:00
Here's our linkages, we've now decided.
00:00
Again, operation and maintenance tends to be
00:00
the longest phase in the system development life cycle,
00:00
we stay there a long time depending on the system,
00:00
the investment, things like that.
00:00
Then we decide that it's time to dispose of
00:00
our system based on
00:00
the life cycle planning that we've done,
00:00
and so this is where we build the plans.
00:00
We then have to go through and do
00:00
the actual sanitization,
00:00
we have to preserve information,
00:00
we get rid of things. Here's important parts here.
00:00
When we talked about that documentation stuff,
00:00
we have to have those records,
00:00
we have to show and prove and have
00:00
quality control that we did sanitization appropriately,
00:00
we have to document the closure of a system.
00:00
I've worked on government systems
00:00
that have been closed out before,
00:00
and that documentation gets
00:00
filed away because if there is
00:00
ever a liability associated with
00:00
that system and the way it operated,
00:00
we have to be able to go back and look at it again.
00:00
When we talk about preserving information,
00:00
we talk about the formal closure
00:00
of a system and ending its life,
00:00
and then maybe going onto the next thing of say
00:00
a new system which hopefully
00:00
you've been doing along the way,
00:00
you didn't just kill the system and
00:00
are waiting three years for the next one.
00:00
No, this end of the system
00:00
right here is very specifically focused on
00:00
the system that we've been working on throughout
00:00
the conversation here on
00:00
the system development life cycle.
00:00
Disposal is complex.
00:00
It is not easy,
00:00
it is not something that we take lightly.
00:00
When we get ready to end a system,
00:00
we have to review it,
00:00
is it time to really end it?
00:00
We can always go back and say, no,
00:00
we're just seeing operations that makes a little longer,
00:00
maybe we're waiting on
00:00
the next generation to arrive and it's not here
00:00
yet so we might delay disposal because of that.
00:00
This is all part of what the change control boards.
00:00
We've talked about change management process,
00:00
configuration control, all of that previously.
00:00
Well, one of the things that
00:00
the change control board does,
00:00
because again ending a system is a change control map,
00:00
we're going to kill a system, the change control board
00:00
is absolutely involved.
00:00
Then of course we have to review the closure.
00:00
I put a period on the end of this bullet to drive
00:00
home the point that security review of closure,
00:00
if we don't look at everything and say,
00:00
did we sanitize things right?
00:00
Did we archive the right data?
00:00
Did we document everything correctly?
00:00
Did we get approval for everything correctly?
00:00
If we haven't done that,
00:00
then we as ECs may not
00:00
approve the review of a closure of a system.
00:00
I throw the picture of the dumpster
00:00
on here because this [LAUGHTER] seems to be
00:00
my favorite point is
00:00
that dumpster diving is still a thing.
00:00
If you don't dispose of a system
00:00
properly and you throw a bunch of tech out,
00:00
I guarantee you that tech is going to end
00:00
up in a free market,
00:00
online somewhere on eBay being resold.
00:00
It might have critical and sensitive information
00:00
that you don't want out in public,
00:00
and guess who's responsible for that if that happens?
00:00
It's still a breach,
00:00
the organization is still
00:00
liable and that can be a significant problem.
00:00
In this lesson, we looked at
00:00
security activities associated with disposal,
00:00
we've talked about the linkages again.
00:00
We noted that disposal is complex,
00:00
it is not an easy thing to dispose of a system,
00:00
it takes a lot of deliberate planning to do it right,
00:00
and we've seen that in the previous subdomain as well.