An auditor recently told me that running end-of-life software is a fairly significant risk and constitutes a compliance violation under many regulatory and compliance standards. Why is this, and which standards in particular frown upon this?
The auditor is entirely correct. Running software that is unsupported by the vendor not only violates a number of regulatory requirements, but also poses a significant security risk to your organization. When vendors completely discontinue support for a product, they no longer produce patches for security vulnerabilities identified in the product. Therefore, organizations running end-of-life software may be subject to vulnerabilities that they have no ability to correct.
Almost every IT compliance regulation that comes to mind requires an organization to take reasonable steps to protect the security of information and/or systems under its control. For example, section 164.308(a)(1)(ii)(B) of the HIPAA Security Rule states that covered entities must "implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level." Any company would be hard pressed to argue that running unsupported software has reduced risk to a reasonable and appropriate level, absent some significant compensating controls.
Some regulations also address the issue of end-of-life software directly. For example, PCI DSS section 6.1 states that all organizations must "Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release." If the vendor no longer supplies security patches, you fall outside of compliance as soon as a new vulnerability is discovered.
When deciding whether software has truly reached end of life from a compliance perspective, it's also worth mentioning that not all vendors define "end of life" the same way. In some cases, vendors will actually provide several different EOL milestones. The first milestone might indicate the date that new features will no longer be added to a product, while future milestones might provide timeframes for the end of bug fixes and the end of security patches. As long as the vendor is still issuing security patches -- and those patches are being implemented in a timely fashion -- the organization should be OK from a compliance perspective.
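As an added example (not part of the original answer), the following Python script applies the two checks the answer describes to a software inventory: whether a component is past the vendor's security-patch milestone (as opposed to the earlier end-of-features milestone), and whether the newest vendor security patch has been deployed within the PCI DSS 6.1 one-month window. The component names and dates are constructed for illustration.

```python
"""Classify inventory entries against vendor EOL milestones and the
PCI DSS 6.1 one-month patch window (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=30)  # PCI DSS 6.1: critical patches within one month of release

@dataclass
class Component:
    name: str
    end_of_features: Optional[date]          # first EOL milestone: no new features
    end_of_security_patches: Optional[date]  # the milestone that matters for compliance
    latest_patch: Optional[date]             # release date of the newest vendor security patch
    installed_patch: Optional[date]          # release date of the patch actually deployed

def assess(c: Component, today: date) -> tuple[str, str]:
    """Return (status, reason); status is UNSUPPORTED, OVERDUE, PENDING or OK."""
    # Past the security-patch milestone: new vulnerabilities can no longer be fixed.
    if c.end_of_security_patches is not None and today > c.end_of_security_patches:
        return "UNSUPPORTED", (f"{c.name}: security patches ended {c.end_of_security_patches}; "
                               "no vendor fix possible for new vulnerabilities")
    # Still supported: is the newest patch deployed, and if not, is it within the window?
    if c.latest_patch is not None and c.installed_patch != c.latest_patch:
        age = today - c.latest_patch
        if age > PATCH_WINDOW:
            return "OVERDUE", f"{c.name}: patch of {c.latest_patch} outstanding {age.days} days (limit 30)"
        return "PENDING", f"{c.name}: patch of {c.latest_patch} due within {(PATCH_WINDOW - age).days} days"
    note = "current"
    if c.end_of_features is not None and today > c.end_of_features:
        note = "current, but feature development has ended; plan the migration now"
    return "OK", f"{c.name}: {note}"

# Constructed sample inventory: names and dates are illustrative, not real products.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Component("legacy-db", date(2022, 1, 1), date(2023, 12, 31), date(2023, 11, 10), date(2023, 11, 10)),
    Component("web-server", None, date(2026, 1, 1), date(2024, 4, 15), date(2024, 2, 1)),
    Component("app-framework", date(2024, 3, 1), date(2025, 6, 30), date(2024, 5, 20), date(2024, 4, 1)),
    Component("mail-gateway", None, None, date(2024, 5, 25), date(2024, 5, 25)),
]

def audit(inventory=INVENTORY, today=TODAY) -> dict[str, str]:
    """Map each component name to its compliance status."""
    return {c.name: assess(c, today)[0] for c in inventory}

if __name__ == "__main__":
    for comp in INVENTORY:
        status, reason = assess(comp, TODAY)
        print(f"[{status:<11}] {reason}")
```

Note that the script treats an installed patch as current only when its release date matches the vendor's newest one, so it expects the inventory to record patch release dates rather than install dates.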