
Ensure appropriate asset retention

Objectives:

At the end of this episode, I will be able to:

Understand and apply the recommended guidance pertinent to how to ensure
appropriate asset retention through your daily practice as an information
security professional.

External Resources:

Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))

Things to consider:

1. Where the asset/data to be retained is
2. What form(s) does the asset/data exist in
3. Who has access to the asset/data
4. How long does the asset/data need to be retained under current conditions of access
5. When will asset/data access be modified / terminated
6. Why is asset/data being retained

The OEM industry uses end of life and end of service/support life terms to
indicate an equipment life cycle stage as it relates to OEM support, marketing,
development, etc.

What are the Stages?

• GA / Sale Date
• End of Life / End of Sale
• End of Development
• End of Service Life / End of Support

End-of-life (EoL) indicates that a product is at the end of its useful life
(from the vendor's point of view), and a vendor stops marketing, selling, or
sustaining it. The vendor may simply intend to limit or stop support for the
product.

End-of-Service-Life (EOSL) or end of support is when the manufacturer stops
selling a piece of equipment and in most cases no longer provides maintenance
services or updates after a certain date. Basically, EOSL is the final phase of
a piece of equipment's lifecycle.

End of life (EOL) support - The OEM continues to offer post-warranty support for
EOL hardware.

End of service life (EOSL) support - In certain cases, the OEM may continue to
provide maintenance support but only by using a Third Party Maintenance (TPM) provider.

End of life and end of service life support - TPM is available for most equipment
in these stages with maintenance that is up to 70% lower than OEM costs.

What is End-of-Life Management?

Management should plan for a system's life cycle, eventual end of life, and any
corresponding security and business impacts.

The institution's strategy should incorporate planned changes to systems, including
an evaluation of the current environment to identify potential vulnerabilities,
upgrade opportunities, or new defense layers.
Also included in this strategy should be considerations for the support provided
by third-party system vendors and the risks related to operating unsupported
legacy systems.

Management should have policies to manage both the hardware and software life
cycles.

Security risks related to reaching a system's end of life include:

(a) the increased potential for vulnerabilities because the third party no
longer provides patches or support
(b) incompatibility with other systems in the institution's environment
(c) limitations in security features in older or obsolete systems

Effective end-of-life management should include the following:

• Maintaining inventories of systems and applications
• Adhering to an approved end-of-life or sunset policy for older systems
• Tracking changes made to the systems and applications, availability of
updates, and the planned end of support by the vendor
• Conducting risk assessments on systems and applications to help determine
end-of-life
• Planning for the replacement of systems nearing obsolescence and complying
with policy requirements for implementing new systems or applications
• Developing specific procedures for the secure destruction or data wiping of
hard drives returned to vendors or donated, to prevent the inadvertent
disclosure of sensitive information

If an end-of-life system or application must remain in use, management should
ensure appropriate mitigating controls are in place, which may include
segregating the system or application from the network.

Management should also have a plan to replace the system or application and
implement compensating controls until replacement.

Strategies for replacing and updating hardware and software should incorporate
and align with overall information security and business strategies as appropriate.
