E.1.6 Decommission assets

Control Details

Objective

Prevent security attacks through live end-of-life systems and products

Definition

Live but abandoned systems may not get new security patches or be monitored for malicious activity, even though they may be vulnerable to new security threats and can be an attack vector. When a product or system has been declared end-of-life, decommission associated accounts, machines, data, keys, and passwords.

Assessment Questions

1. What decommissioning procedures are in place when a live product or system goes to end-of-life?

Reference sources

1. OWASP-SCVS 5.8
2. 800-161 SA-22