An auditor recently told me that running end-of-life software is a fairly significant risk and constitutes a compliance...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
violation under many regulatory and compliance standards. Why is this, and which standards in particular frown upon this?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The auditor is entirely correct. Running software that is unsupported by the vendor not only violates a number of regulatory requirements, but also poses a significant security risk to your organization. When vendors completely discontinue support for a product, they no longer produce patches for security vulnerabilities identified in the product. Therefore, organizations running end-of-life software may be subject to vulnerabilities that they have no ability to correct.
Almost every IT compliance regulation that comes to mind requires an organization to take reasonable steps to protect the security of information and/or systems under its control. For example, section 164.308(a)(1)(ii)(B) of the HIPAA Security Rule states that covered entities must "implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level." Any company would be hard pressed to argue that running unsupported software has reduced risk to a reasonable and appropriate level, absent some significant compensating controls.
Some regulations also address the issue of end-of-life software directly. For example, PCI DSS section 6.1 states that all organizations must "Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release." If the vendor no longer supplies security patches, you fall outside of compliance as soon as a new vulnerability is discovered.
When deciding whether software has truly reached end of life from a compliance perspective, it's also worth mentioning that not all vendors define "end of life" the same way. In some cases, vendors will actually provide several different EOL milestones. The first milestone might indicate the date that new features will no longer be added to a product, while future milestones might provide timeframes for the end of bug fixes and the end of security patches. As long as the vendor is still issuing security patches -- and those patches are being implemented in a timely fashion -- the organization should be OK from a compliance perspective.
Dig Deeper on IT Security Audits
Related Q&A from Mike Chapple
Vulnerability scanning tools are necessary to be fully compliant with PCI DSS, but the tools need to come from a PCI DSS Approved Scanning Vendor. ...continue reading
Healthcare clearinghouses like Mass HIway are a new trend in health IT, but what are the security implications? Expert Mike Chapple explains what you...continue reading
The FFIEC Cybersecurity Assessment Tool has faced harsh criticism since its 2015 release. Expert Mike Chapple reviews the tool and how it can be ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.