Audit and Assurance

Expand all | Collapse all

Technology Asset Decommissioning Audit - Inputs required

  • 1.  Technology Asset Decommissioning Audit - Inputs required

    Posted 28 Jan, 2020 00:47
    Hey there,

    Can anyone please share the key controls to be implemented for Technology Asset Sanitization and Decommissioning process? Basically, I'm trying to bench mark the Risk Control Matrix (RCM) developed for this audit with your inputs.

    Sharing my thoughts on the risks, please feel free to add more, if I have missed any.

    1. Misuse or theft of technology asset (including data) during or after decommissioning 
    2. Non-compliance to regulatory and legal hold retention policies
    3. Lack of governance and control over third parties (including cloud) performing asset sanitization or destruction
    4. Environmental risks due to asset disposal to be considered.
    5. Lack of adequate communication to the business (basically Data Owner) and related business groups prior to the decommission of any technology hardware (such as server)
    6. Risk of IT Asset register not updated during decommission process. 
    7. Improper shredding / disposal / degaussing of memory enabled technology assets such as HDDs, SSDs, RAM's or ROMs
    8. Lack of governance and management supervision over the asset decommission process 
    9. Lack of maintenance and calibration of asset sanitizing equipments such degausser, shredder and destructor might lead to data being accessible even after sanitization 

    I was relying on the NIST 800-88 standard for developing the RCM for this audit. Here are the links to the standard:

    Initial Version (2006):
    First revision (2014):

    Sripathy Raagav K (SRK)
    Technology Internal Audit - Infrastructure

  • 2.  RE: Technology Asset Decommissioning Audit - Inputs required

    Posted 28 Jan, 2020 03:45
    @Sripathy Raagav K

    A few inputs from my side

    1.When decommissioning assets, best practices include placing them in a quarantined room with restricted and monitored access.
    2.If you are destroying sensitive information internally, many times data is hidden in components other than hard drives or sometimes the hard drives are difficult to find. For the highest levels of security, where sensitive information cannot leave the premises, the room should be equipped with all tools necessary to identify where data resides and destroy the data. This includes a searchable database that can be accessed by on-site personnel to locate and destroy sensitive information​​

    3.Consult with an insurance provider who is experienced in cybersecurity to make sure you have adequate insurance to protect you and your company if you have to make a data breach claim.

    Vikram Raghuveer
    Manager-IT and internal audits