An auditor recently told me that running end-of-life software is a fairly significant risk and constitutes a compliance violation under many regulatory and compliance standards. Why is this, and which standards in particular frown upon this?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The auditor is entirely correct. Running software that is unsupported by the vendor not only violates a number of regulatory requirements, but also poses a significant security risk to your organization. When vendors completely discontinue support for a product, they no longer produce patches for security vulnerabilities identified in the product. Therefore, organizations running end-of-life software may be subject to vulnerabilities that they have no ability to correct.
Almost every IT compliance regulation that comes to mind requires an organization to take reasonable steps to protect the security of information and/or systems under its control. For example, section 164.308(a)(1)(ii)(B) of the HIPAA Security Rule states that covered entities must "implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level." Any company would be hard pressed to argue that running unsupported software has reduced risk to a reasonable and appropriate level, absent some significant compensating controls.
Some regulations also address the issue of end-of-life software directly. For example, PCI DSS section 6.1 states that all organizations must "Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release." If the vendor no longer supplies security patches, you fall outside of compliance as soon as a new vulnerability is discovered.
When deciding whether software has truly reached end of life from a compliance perspective, it's also worth mentioning that not all vendors define "end of life" the same way. In some cases, vendors will actually provide several different EOL milestones. The first milestone might indicate the date that new features will no longer be added to a product, while future milestones might provide timeframes for the end of bug fixes and the end of security patches. As long as the vendor is still issuing security patches -- and those patches are being implemented in a timely fashion -- the organization should be OK from a compliance perspective.
This was first published in October 2013