Decommissioning of Third-Parties

Published by Joe D on


  • In the past, have you worked with third-parties that maintained a set or subset of your data?
  • Is it possible that prior third-parties had hardware that was owned by your company?
  • Is it possible that there were network or other communication connections between you and your past third-parties that have not been disconnected?


There are a few steps you should consider when a contract or relationship with a third-party is being terminated:


  1. Collect and review active Business Associate Agreements, Statements of Work, and other engagement contracts
    1. Identify any data feeds and other data transport mechanisms. From this, you should develop a comprehensive list of all interface files, processes, and data transfers
    2. Identify any applications that need to be decommissioned
      1. Production, testing and training, business applications, application and system user IDs, file transmission, ad-hoc processes, batch processes
    3. Identify all credentials that have been established to allow for access or transfer
    4. Identify any application credentials you have established for the decommissioned third-party in your environment
    5. Identify your assets that have been provided to the third-party and must be returned
      1. Workstations
      2. Security Tokens
      3. Networking equipment
  2. Are there any obligations to return and/or destroy data?
  3. Collect validation that data sharing has been terminated, or the plan for when it will be, along with the date when the transport mechanism will be deactivated
  4. Obtain Certificate of Destruction for data from third-party, if applicable
  5. Verify that all connections and user credentials have been terminated