IT Security Outsourced IT

Legacy System Decommission Planning

What is Legacy System Decommission Planning?

Legacy systems encompass elements such as computer systems, software applications, and specific software processes or technologies that: 1. No longer receive support and maintenance; 2. Are based on outdated technology; and 3. Are unavailable for purchase. There are many reasons why organizations might maintain and/or retain legacy systems, such as:

  • Difficulty finding replacements;
  • Difficulty creating new systems with identical features;
  • Perceived risks associated with changing the system, such as data loss or data corruption;
  • Resistance to change;
  • Existing projects or contracts require the use of the original software or hardware;
  • Difficult to orchestrate system change;
  • Expense.

While there may be practical reasons to maintain and/or retain legacy systems, there plenty of risks associated with keeping them, such as instability, incompatibility, vulnerability, inefficiency, lack of scalability, lack of mobility, and expense. If you have evaluated the opportunities and challenges associated with decommissioning your legacy systems, and decide that the time is right to decommission, the following plan can help you to undertake this complex task1:

  1. Review and understand contract language of legacy system to determine decommissioning activities, including licensing expirations, contract expirations, options to extend, etc. for both software and infrastructure contracts, and the operations and maintenance support contracts
  2. Identify application components (i.e. classify components to be decommissioned such as testing or production environments, systems user IDs, and business applications)
  3. Ascertain hardware components – if applicable (i.e. ascertain where infrastructure is in its maintenance/resource life cycle)
  4. Pinpoint network devices
  5. Work with system owner and other key stakeholders of the legacy system to establish how far back to archive data, what data will be migrated, and timelines for migration
  6. Identify any records to be disposed of in accordance with the records retention schedule
  7. Identify network, software and hardware location/ownership (i.e. activities include but are not limited to population of assets, management of data stores and development and validation of assets)
  8. Prioritize decommission effort (i.e. which components are simple versus complex to offline)
  9. Identify failover/offline procedures (i.e. have components backup/archive current state been verified)
  10. Coordinate with IT to identify guidelines for managing/cleansing the data
  11. Draft Decommission Plan with timelines and key activities for retiring legacy system (based on activities noted above)

1 Office of Shared Solutions and Performance Improvement, 2023, “2.8 Develop a Decommission Plan”