Decommissioning of Third-Parties
- In the past, have you worked with third-parties that maintained a set or subset of your data?
- Is it possible that prior third-parties had hardware that was owned by your company?
- Is it possible that there were network or other communication connections between you and your past third-parties that have not been disconnected?
There are a few steps you should consider when a contract or relationship with a third-party is being terminated:
- Collect and review active Business Associate Agreements, Statements of Work, and other engagement contracts
- Identify any data feeds and other data transport mechanisms. From this, you should develop a comprehensive list of all interface files, processes, and data transfers
- Identify any applications that need to be decommissioned
  - Production, testing and training, business applications, application and system user IDs, file transmission, ad-hoc processes, batch processes
- Identify all credentials that have been established to allow for access or transfer
- Identify any application credentials you have established for the decommissioned third-party in your environment
- Identify your assets that have been provided to the third-party and must be returned
  - Workstations
  - Security Tokens
  - Networking equipment
- Are there any obligations to return and/or destroy data?
  - Collect validation or a plan stating when data sharing is or will be terminated, and the date when the transport mechanism will be deactivated
  - Obtain a Certificate of Destruction for data from the third-party, if applicable
- Verify that all connections and user credentials have been terminated
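
The final verification step can be run against an inventory export. The following is an added example, not part of the original checklist; the record layout, the third-party name ExampleVendor and every sample entry are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Item:
    kind: str       # "credential", "connection", "feed" or "asset"
    name: str
    owner: str      # third-party the item was established for
    active: bool    # enabled account, open link, scheduled feed, unreturned asset
    last_used: Optional[date] = None

def open_findings(inventory, third_party, cutoff, destruction_cert_received):
    """Return (name, reason) pairs that block sign-off for one third-party."""
    findings = []
    for item in inventory:
        if item.owner != third_party:
            continue
        if item.active:
            reason = "not returned" if item.kind == "asset" else "still active"
            findings.append((item.name, reason))
        elif item.last_used and item.last_used > cutoff:
            # Disabled now, but used after the agreed deactivation date:
            # the access was left open longer than planned and needs review.
            findings.append((item.name, "used after deactivation date"))
    if not destruction_cert_received:
        findings.append(("data", "no Certificate of Destruction on file"))
    return findings

# Constructed sample inventory (assumption: one merged export of accounts,
# network links, data feeds and loaned assets, tagged by third-party).
CUTOFF = date(2024, 6, 30)
INVENTORY = [
    Item("credential", "svc-examplevendor-sftp", "ExampleVendor", True, date(2024, 7, 2)),
    Item("credential", "jdoe-ext", "ExampleVendor", False, date(2024, 6, 15)),
    Item("connection", "site-to-site VPN tunnel 3", "ExampleVendor", False, date(2024, 7, 5)),
    Item("feed", "nightly interface file export", "ExampleVendor", True, date(2024, 7, 9)),
    Item("asset", "security token 0042", "ExampleVendor", True),
    Item("credential", "svc-otherco-api", "OtherCo", True, date(2024, 7, 9)),
]

if __name__ == "__main__":
    for name, reason in open_findings(INVENTORY, "ExampleVendor", CUTOFF, False):
        print(f"OPEN  {name}: {reason}")
```

An empty result is the condition for closing out the decommissioning; any remaining line maps back to one of the checklist items above.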