Application Decommissioning for Information Security, Step 3: Defining the Archiving Plan

Every organization has applications that are no longer needed but have been left in place to provide access to historical content. Keeping those old applications running comes at a significant cost.

Now the decommissioning of such applications is starting to come under the purview of the Chief Information Security Officer (CISO). That's because dormant applications typically still hold inactive content that is no longer being actively managed, and that content presents a security risk to the organization. For some organizations, the volume of data involved potentially runs into petabytes.

But how do you go about decommissioning these dormant applications—and their expensive and increasingly risky content repositories?

In the two previous posts in this series, I discussed how to get stakeholder consensus around the decommissioning endeavor and how to conduct an inventory that helps you identify and prioritize the specific applications which can be retired. In Step 3 of our Application Decommissioning for Information Security blog series, I examine how to define your archiving plan.

Application decommissioning is a long process that needs a clear, actionable plan.

Once you've prioritized the systems to retire, you can build a plan for how you're going to retire them. Because most organizations will be retiring dozens (if not hundreds) of systems, this will be a long-range plan. Count on a process that takes at least five years.

Remember that this is a program, not a project. You need a clear, actionable plan to succeed, along with the organizational support required to maintain progress year over year.

There's no sexy silver bullet for putting such a plan in place. It's really Program Management 101: blocking and tackling, focusing on execution, and maintaining a sustained cadence.

A dedicated program management team is needed.

One thing to consider, especially if your organization is heavily project-focused or lacks program management maturity, is building a dedicated program management team to oversee and drive the application decommissioning effort. That team will need to work over the lifetime of the program, which often spans many years.

If your organization is light on project or program oversight functions, you’ll have challenges ahead. These include: (1) getting your leadership to support the introduction of a “novel” function, and (2) finding the internal expertise and experience needed to do this well.

If your organization is already saturated with project and program oversight functions, you'll have challenges getting leadership consent to add yet another one. That's especially true if you work in an overly bureaucratic environment.

In either case, you'll need an actionable, long-range plan both to put the program in place and then to manage it. This is critical to the success of your application decommissioning efforts.

The three components of an application decommissioning archival plan:

1. Discover

2. Plan

3. Remediate

The following figure shows a sample roadmap that includes the three steps (discover, plan and remediate) for a typical application decommissioning initiative.


The next blog in the series is Step 4: How to catalog the data within the target application.

The Doculabs Application Decommissioning Blog Series

Step 1: Getting Your Stakeholders on Board

Step 2: Identify and Prioritize Systems to Retire

Step 3: Defining the Archiving Plan

Step 4: Cataloging Data Within the Target Application

Step 5: Archive and Manage the Content

Step 6: Retire Applications

The CISO's Six-Step Guide to Managing Application Risk

Rich Medina
Joe Shepley
I’m VP and Practice Lead, focusing on developing Doculabs’ InfoSec practice and its applications in a wide range of industries.