Disengagement: Common Steps Flashcards
Disengagement Common Steps
- Return of Equipment
- Physical Access
- Certificate of Destruction
1. Return of Equipment
You may need to return the third party's equipment.
- Router, VPN, and connectivity equipment
- IoT devices; make sure you have a system of record that tracks the equipment.
2. Physical Access
Make sure you know whether physical access is concentrated in one system or spread across other systems.
3. Certificate of Destruction
Two types:
1. Paper Certificate
- Generally you get this when your documents are shredded.
- These are fine.
- Paper or analog media shredded on this date, fully shredded, etc.
2. Digital Certificate
- Provides more information: what was destroyed, how long it took, and what time it was destroyed.
Connectivity
- Equipment-based, virtual circuit, or file transfer style
- Connection monitoring interlock
- Checklists can be your friend.
E.g., during a data-center-to-data-center migration, the old data center was moved over, but 5 VPN concentrators were still running.
- It turned out these belonged to vendors that had been terminated years ago, and no one had asked why they were there or what they were needed for.
Virtual connection
- Work with the network monitoring team to look for virtual connections with the terminated vendor.
- Make sure they've been removed from the safe list and added to the monitor list, so you can confirm they aren't getting in another way.
- Checklists make sure you get everything done that you're supposed to get done.
Access
- Physical access
- Terminal, VDI, API, OOB
- Access reviews
Virtual Access
- Terminal, VDI, API, OOB (out of band): make sure you understand where the vendor can potentially connect, and get that cut off.
Access reviews for that vendor's access are part of a review process; make sure that process is closed out.
- Make sure the responsible business party has checked off that the person no longer has access.
- Third parties: make sure they don't have access.
Media and Data Destruction
- Types of media
- Types of certificates of destruction
- Covers the types of media you're destroying.
- Make sure the certificate of destruction explicitly states what needed to be destroyed.
- The digital type of certificate is preferred.
Is it really over?
- Goodbye is hard to say... legally
- Don't go breaking my regulatory heart
- End it already
- Don't assume that once the relationship is terminated the data will just go away.
- The data will still be with the vendor for some time for regulatory reasons.
- Update systems of record accordingly.
- Document exactly how the relationship went, in a professional manner, if the vendor was problematic.
Disengagement Wrap Up
The ending of a business relationship with a third party is often rushed through, or certain activities are overlooked. In this session, we looked at the steps necessary to disengage from your third party with minimal impact on your organization. This may include continuing to review your third party should they still hold your data. The disengagement phase is one of the only phases where it is best practice to have a checklist of the items you need to request back or request be destroyed.