Data center decommissioning: Hyperscale-grade audit compliance checklist

From erasing and shredding drives to recycling or reselling racks, servers, and other equipment, Iron Mountain maintains a fully traceable audit trail – ensuring end-to-end compliance. We stand by our results, and, thanks to our complete chain of custody, our clients have all received flawless results on audits by top-tier, independent auditors.

See how our step-by-step approach to data security compliance works in this audit compliance checklist.

Iron Mountain’s comprehensive approach to data security compliance provides complete traceability and peace of mind. Here’s how it works:

Assets discovered

The first step in establishing a robust audit trail for asset decommissioning is asset discovery, which occurs when we compare your asset list with the results of our discovery process. Our proprietary data sanitisation and compliance software, Teraware^™, automates the discovery of every serialised asset and maintains parent-child data relationships to ensure precise auditing and tracking. More specifically, Teraware identifies server components (e.g., CPU, Memory DIMMs) and key drive attributes (e.g., power-on hours, logical serial number). This information provides a detailed blueprint of the relationships between the rack, server, and drive.

Teraware’s automated reconciliation reporting is critical to establishing accurate inventory and ensuring complete sanitisation.

First reconciliation report generated

Upon completion of asset discovery, we run an automated reconciliation that generates a variance analysis. This analysis serves to:

• Identify variances between discovered assets and your inventory
• Ensure all variances are researched and resolved before advancing in the decommissioning process

Teraware’s automated reconciliation reporting is critical to establishing accurate inventory and ensuring complete sanitisation.

Drives erased

After the first reconciliation, Teraware securely and comprehensively removes all data from functional data storage devices, ensuring data protection and policy compliance. The erasure process involves:

• Setting up a dedicated virtual local area network (VLAN)
• Connecting a Teraware appliance to the assets to be decommissioned via the dedicated VLAN
• Automatically sending agents to every server node in the set of target assets
• Instructing agents to automatically erase data
• Providing job status reporting throughout the process

On average, Teraware successfully erases 95-98% of drives, but typically a small number of drives will fail. For the devices that fail automated erasure, we follow the National Institute of Standards and Technology (NIST) and the National Association for Information Destruction (NAID) guidelines for secure and efficient physical destruction. Leveraging the detailed blueprint created during asset discovery, we can quickly locate and pull the failed devices, then physically scan and mark them for destruction. Physical destruction of data-bearing devices can be completed either on-site, using a mobile shredding unit, or by securely shipping them to an Iron Mountain facility for destruction.

Certificates created Upon completion of the erasure process, we automatically generate a Certificate of Sanitisation for each successfully sanitised drive. For drives that fail the erasure process and undergo physical destruction, we issue Certificates of Destruction.

These certificates serve as essential evidence of complete data elimination, ensuring audit compliance and security throughout the asset lifecycle management process.

Download whitepaper and find out more steps.