During a hardware refresh, a company retires a 1 U rack-mount server that previously stored sensitive PCI-DSS data. Management decides to repurpose the unit for an isolated QA lab instead of sending it to an electronics recycler. According to accepted decommissioning and recycling best practices, which step must be completed before the server is connected to the lab network?
Remove any production VLAN assignments from the switch port that will serve the repurposed server.
Replace the dual 750 W power supplies with lower-wattage units to reduce energy consumption in the lab.
Retag the chassis with a new asset number and update the configuration-management database.
Perform a NIST SP 800-88-compliant wipe of all installed drives (or replace the drives entirely) to remove residual data.
Before any retired server is reused, every internal storage device must be sanitized (or replaced) so no reconstructable remnants of production data remain. NIST SP 800-88 identifies sanitization as mandatory whenever media leave their original security boundary, even for internal transfer or reuse, because residual data can be recovered with forensic tools. Overwriting, cryptographic erase, or drive replacement eliminates that risk and enables the hardware to be safely redeployed. The other actions (swapping power supplies, removing VLAN tags, or updating asset and CMDB records) may be useful later, but they do not mitigate the immediate data-exposure threat that exists as soon as the server is repowered.