Upgrade / Decommission

This stage involves retiring or removing a software system from service. The software may then be replaced by new or upgraded software. The process and activities in this stage should ensure the orderly termination of the system, while preserving the vital information about the system so that the relevant information may be reactivated, migrated or archived in accordance with regulations and policies. Key activities that should be performed in this stage include:

  • Preservation of data and information [Mandatory] - An institution should select an archival method that would facilitate information retrieval in the future. This should take into consideration the following:
    o    Obsolescence or unavailability of the archival technology in the future
    o    Legal and regulatory obligations for minimum records retention periods
  • The archived information should also be marked and handled in compliance with its security classification.
  • Sanitize media [Mandatory] - Based on the security classification of the system and its information, an institution should sanitize the system’s digital media using approved equipment, techniques and procedures according to relevant policies and regulations. The system's owner should categorize the information, assess the nature of the medium on which it is recorded, assess the risk to confidentiality, and determine the appropriate sanitization process.
  • Secure Disposal [Mandatory] - Secure disposal addresses the proper disposal of the information, hardware, and software in a manner that prevents any possibility of unauthorized leakage of sensitive data. This also includes the proper preservation and archival of data processed by the system in accordance with the organization’s security requirements. The disposal of software should comply with license agreements.