CSSLP Tutorial: Module 07,Part 07 – Software and System Disposal




The final section to module 7 and then of course to the whole course overall is the disposal of both the software and the system.  This is the final element of this chapter, and of course to this course as a whole.  When the software or even the system has outlived its usefulness, then we have to discuss how to dispose of the product.  Sometimes, it’s referred to as sunsetting.  Generally, the criteria will let us know when a good time to decommission the product.  Sometimes vendors will put out other upgraded forms of the software, and then send out a statement of no longer supporting the older version, thus forcing the organization to have to purchase the newest version or upgrades. 

If you can not get the support from the vendor any longer, can not get any more patches or security hotfixes, then it may be time to dispose of the product and purchase upgrades.  Other aspects as to when might the time that the product has outlived its original purpose may include the aspect that the software’s no longer compatible with the environment.  Another product might provide the same functionality that is more cheaper or that is more secure. We could have changed the hardware, and the software doesn’t match with the new materials. Once the decision has been made, there are specific processes on how the sunsetting will evolve.

The sunsetting can occur in a couple of different ways. Either migrating  the data to the new database and then archiving the information,  or decommissioning the software.  The migration of the information in the database from the old to the new still has to be done in a secure manner. So, making sure that the data is backed up and archived is wise, especially prior to destroying the software or system. Sometimes, we look at 3rd party escrow where a third party can be paid to store the archived information.  Maybe we just simply discard the information.  Part of the decision making has be based upon the sensitivity of the information at hand.  If the information is sensitive, typically it is destroyed. But perhaps, we find that the value of the asset and the protection of the data is not as much. So, depending on our policies and what has been decided upon via risk management, the disposal of the software and data elements can either be just simply disposed of or completely destroyed by incineration or some other means.

Continuing the conversation about what we are going to do to handle the information is the discussion of decommissioning the software.   So, part of the strategy is to determine how we are coordinating other systems especially if we’re bringing in new software to the overall process.  So, we have to make sure we have archived our data, that any sort of assets  have been disposed of properly in the manner that is most appropriate for that set of assets.  We also have to make sure that if the information is sensitive, to destroy any remnants of that data.  We might instead just keep an archived storage of the data, depending on whatever our data retention policy might me.  Just like how we have in everything else out of the course, there should be a process in place that is already defined and we should take steps to follow that process in the decommissioning of the system or software product.

So, they kind of lump the last four elements together here in module seven and we covered that quickly. The four elements dealt with deployment, operations, maintenance, and disposal.   These four are lumped together in this last chapter because they represent where we have less and less and less hands on.  We’ve discussed the product development, getting signed off and handing over to the vendor and then module seven where we have the least amount of control over the product.  But, the majority of your test comes from the first six modules. 

The first five are all about  what are the basics for security, how do we get good security requirements, how do we incorporate those requirements into our design, how do we take that design and implement it into code based on the design, how do we test for the secure software, and then how do we turn that over to the customer for signoff or software acceptance. Then, ultimately we deploy it out into the operations. To where it’s continually maintained and monitored.  And then, ultimately at the end of the day, we have disposal. So we covered quite a lot of information for the examination preparations for this class. The CSSLP certification is a great one to get. I’d encourage you to take your time and study well for it, so as to prepare for the certification examination.