Retiring Orphan Applications

by | Aug 18, 2024 | Best Practices, Data Governance, Risk Management, Technical Debt

What is Considered an Orphaned Application?

Every found a server stuck in a closet still running with some application on it? Acquired a company and all of the employees headed straight for the exit? An unlisted application is found on a server that has to be retired?

For our purpose an orphaned application is one where there is little or no information available about what it is and no-one will admit to knowing anything about it. The question is how to responsibly address the application.

We’ll consider the following scenarios:

  • The application cannot be accessed
  • The application can be accessed but a business owner cannot be identified
  • The business owner declines to take accountability for the application

It’s Dead Jim (Application Cannot be Accessed)

A few variants here.

  • There is software sitting on a server but there is no record of its purpose and no associated database can be found.
  • We know what the application was but no-one can remember the password to access the application or the database

If all reasonable efforts have been exhausted to access the application and have failed then the application has to be written off. How this is done will vary according to company policy, but it is critical that there is a written policy that allows the information on the application and the actions taken to access it be documented. If applications are simply deleted without a paper trail you are creating a culture that lacks control which can be used against you by opposing lawyers.

This write off should have both IT and business representation, and if the purpose is known to be compliance related then probably quality as well. 

 

But What is Reasonable?

Basically there is no simple answer to this. Could you have spent more time trying to find documents containing user names and passwords, or software that could crack the database’s native encryption? Of course. But there is diminishing likelihood of success with each successive effort and at some point you have to call it a day, declare the application dead and delete it.

With that said some general suggestions:

  • Say what you do, do what you say. Establish a method and standard for trying to access applications, document it and stick to it.
  • Get input from your Legal department to your process. They are the ones that will have to defend it in court and should be able to give guidance. However, make sure that they understand the realities of the situation and don’t set an unrealistic bar to clear.
  •  If there application’s purpose and/or age is known use that to assess the appropriate effort. A 15 year old finance application is less valuable than a 3 year old pharmaceutical batch record application. 

A Business Owner Cannot be Identified

This situation occurs where the purpose of an application is known but there is no-one in the company that is associated with it or admits to knowing anything about it. And yes – this is far more common than non-garbagemen would expect.

Normally this scenario should be able to be resolved quickly. If it is a finance application it belongs to finance. Manufacturing (or any application) in Germany? The German Managing Director. The issue is normally not one of identification but unwillingness to take accountability, which leads to a question of sponsorship. Have you been given the necessary clout to make the person who inherits responsibility take that responsibility? 

Not My Problem

This is the most common challenge – you know who is the business owner for an application but they have as much enthusiasm for the application as they would a three day dead pigeon at the side of the road.

Fundamentally this is another sponsorship issue – do you have the clout to make them pay the attention to the application that they should? Most of the time you won’t have the ability to simply drop the hammer on them or it isn’t in your long term interest to, so what are they ways to cope with this?

  1. Appeal to their better nature. This normally comes down to the value of the data to them or the technical debt that the application represents. If both are low then move on to step 2.
  2. Get a surrogate to act for them. If you have sufficient sponsorship (read central budget) then see if there is a person who they trust to delegate their role to. Often this might be a retired business person who is willing to take a short-term/part-time role as the business owner for the application. This will often only work if you have multiple applications that they can play this role for but can break log-jams.
  3. Wait until it becomes higher priority. If the data isn’t that valueable, the sytem isn’t that costly and the cyber-security risk isn’t that high then park it and move onto more important applications

Conclusion

Orphan applications are a challenge for all companies as by definition the owner isn’t known. The key as IT Garbagemen (or data archivists if you must) is to not end up holding the pigeon – it isn’t your responsibility. Establish a process for handling this scenario whereby there is a process council to direct this to or at least a contact person in each division.

Otherwise leave the dead pigeon where it is.