An auditor recently told me that running end-of-life software is a fairly significant risk and constitutes a compliance
violation under many regulatory and compliance standards. Why is this, and which standards in particular frown upon this?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The auditor is entirely correct. Running software that is unsupported by the vendor not only violates a number of regulatory requirements, but also poses a significant security risk to your organization. When vendors completely discontinue support for a product, they no longer produce patches for security vulnerabilities identified in the product. Therefore, organizations running end-of-life software may be subject to vulnerabilities that they have no ability to correct.
Almost every IT compliance regulation that comes to mind requires an organization to take reasonable steps to protect the security of information and/or systems under its control. For example, section 164.308(a)(1)(ii)(B) of the HIPAA Security Rule states that covered entities must "implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level." Any company would be hard pressed to argue that running unsupported software has reduced risk to a reasonable and appropriate level, absent some significant compensating controls.
Some regulations also address the issue of end-of-life software directly. For example, PCI DSS section 6.1 states that all organizations must "Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release." If the vendor no longer supplies security patches, you fall outside of compliance as soon as a new vulnerability is discovered.
When deciding whether software has truly reached end of life from a compliance perspective, it's also worth mentioning that not all vendors define "end of life" the same way. In some cases, vendors will actually provide several different EOL milestones. The first milestone might indicate the date that new features will no longer be added to a product, while future milestones might provide timeframes for the end of bug fixes and the end of security patches. As long as the vendor is still issuing security patches -- and those patches are being implemented in a timely fashion -- the organization should be OK from a compliance perspective.