
Does running end-of-life software lead to compliance violations?

There are several risks involved when using end-of-life software, including the possibility of compliance violations. Expert Mike Chapple explains.

An auditor recently told me that running end-of-life software is a fairly significant risk and constitutes a compliance violation under many regulatory and compliance standards. Why is this, and which standards in particular frown upon this?


The auditor is entirely correct. Running software that the vendor no longer supports not only violates a number of regulatory requirements, but also poses a significant security risk to your organization. Once a vendor discontinues support for a product, it stops producing patches for security vulnerabilities found in that product. Every vulnerability discovered after that date therefore stays open indefinitely: the organization cannot fix it and is left with compensating controls or migration as its only options.

Almost every IT compliance regulation that comes to mind requires an organization to take reasonable steps to protect the security of information and/or systems under its control. For example, section 164.308(a)(1)(ii)(B) of the HIPAA Security Rule states that covered entities must "implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level." Any company would be hard pressed to argue that running unsupported software has reduced risk to a reasonable and appropriate level, absent some significant compensating controls.

Some regulations also address the issue of end-of-life software directly. For example, PCI DSS section 6.1 (in the version current at the time of writing; the same requirement is numbered 6.2 in PCI DSS v3.x and 6.3.3 in v4.0) states that all organizations must "Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release." If the vendor no longer supplies security patches, you fall out of compliance as soon as the next vulnerability in that product becomes publicly known, because there is no patch to install within the one-month window. The only route back is a documented compensating control that a QSA accepts, and that is a stopgap, not a long-term answer.

When deciding whether software has truly reached end of life from a compliance perspective, bear in mind that not all vendors define "end of life" the same way. Many vendors publish several distinct EOL milestones: the first might mark the date after which no new features are added, a later one the end of general bug fixes, and the last the end of security patches. Only that final milestone matters for the requirements above. As long as the vendor is still issuing security patches, and those patches are being applied within the required timeframe, the organization should be fine from a compliance perspective.
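The two tests the answer describes, the "end of security patches" milestone and the one-month window for critical patches, are easy to turn into an inventory check. The following script is an added example written for this page, not code from the article's author or from any vendor or standards body. The inventory, the lifecycle dates and the patch identifiers (WS-2013-07, DB-2013-12 and so on) are all constructed for illustration; the 30-day window is the PCI DSS "one month" read literally.

```python
"""Patch-currency and end-of-life check for a software inventory (constructed example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# PCI DSS 6.1 deadline for critical security patches: one month from release.
CRITICAL_PATCH_WINDOW = timedelta(days=30)


@dataclass
class Lifecycle:
    """Vendor-published milestones. Only end_of_security_patches decides compliance;
    None means the vendor has not announced that date (product fully supported)."""
    end_of_features: Optional[date] = None
    end_of_bug_fixes: Optional[date] = None
    end_of_security_patches: Optional[date] = None


@dataclass
class Patch:
    identifier: str   # hypothetical vendor advisory ID
    released: date
    critical: bool
    installed: bool


@dataclass
class Component:
    name: str
    lifecycle: Lifecycle
    patches: list = field(default_factory=list)


def assess(component: Component, today: date) -> list:
    """Return (severity, message) findings; any 'violation' entry breaks compliance."""
    findings = []
    eos = component.lifecycle.end_of_security_patches
    if eos is not None and today > eos:
        # No more vendor patches: the next vulnerability can never be fixed,
        # so this is a violation regardless of what is installed today.
        findings.append(("violation",
                         f"{component.name}: vendor ended security patches on {eos.isoformat()}"))
    for p in component.patches:
        if p.installed:
            continue
        age_days = (today - p.released).days
        if p.critical and age_days > CRITICAL_PATCH_WINDOW.days:
            findings.append(("violation",
                             f"{component.name}: critical patch {p.identifier} missing "
                             f"{age_days} days after release (limit {CRITICAL_PATCH_WINDOW.days})"))
        else:
            # A critical patch still inside its window, or a non-critical patch that
            # the requirement says to install but gives no fixed deadline for.
            findings.append(("warning",
                             f"{component.name}: patch {p.identifier} not yet installed "
                             f"({age_days} days old)"))
    return findings


def is_compliant(component: Component, today: date) -> bool:
    return not any(sev == "violation" for sev, _ in assess(component, today))


TODAY = date(2013, 10, 15)  # constructed assessment date

INVENTORY = [
    # Vendor has stopped issuing security patches: end of life in the sense that matters.
    Component("legacy-app 4.2",
              Lifecycle(end_of_features=date(2011, 1, 1),
                        end_of_bug_fixes=date(2012, 6, 30),
                        end_of_security_patches=date(2013, 6, 30))),
    # Past end of features and bug fixes, but security patches still flow and the
    # newest critical one is only five days old: still acceptable.
    Component("web-server 2.8",
              Lifecycle(end_of_features=date(2012, 1, 1),
                        end_of_bug_fixes=date(2013, 1, 1),
                        end_of_security_patches=date(2015, 1, 1)),
              [Patch("WS-2013-07", date(2013, 9, 1), critical=True, installed=True),
               Patch("WS-2013-09", date(2013, 10, 10), critical=True, installed=False)]),
    # Fully supported product, but a critical patch has sat unapplied for 75 days.
    Component("db-engine 5.1", Lifecycle(),
              [Patch("DB-2013-12", date(2013, 8, 1), critical=True, installed=False)]),
]


def report(inventory: list, today: date) -> dict:
    """Map each component name to its findings for the given assessment date."""
    return {c.name: assess(c, today) for c in inventory}


if __name__ == "__main__":
    for name, findings in report(INVENTORY, TODAY).items():
        status = "OK" if not any(s == "violation" for s, _ in findings) else "FAIL"
        print(f"[{status}] {name}")
        for severity, message in findings:
            print(f"    {severity}: {message}")
```

The point of separating the three milestones in `Lifecycle` is the one the answer makes: a product past "end of features" and "end of bug fixes" still passes, because only the security-patch cutoff is what an auditor can hold against you. In practice the vendor dates would come from a lifecycle database and the installed-patch state from your configuration management tooling; the decision logic stays the same.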

This was last published in October 2013

1 comment
It's very important to keep not only your security software updated with the latest patches but also your systems' OSes and operational applications. These can develop vulnerabilities that vendors work to keep patched. So don't complain about having to pay annual maintenance fees. This is the lifeblood of keeping software updated and improved.

Just one example of one of our vendors that we use for managing our secure file transfers. Over time they've consistently kept up with security vulnerabilities, added new features and functionality that keep us on top of addressing the challenges with our trading partners.

Here's just one example of some new features released on the product. http://www.goanywheremft.com/news/news_2014/goanywhere_services_3.4_released

Any viable software vendor should be constantly working to keep their software current and improving functionality. As customers, we need to understand that we provide the income stream for them to accomplish this. If not, then the vendor will have an end of life!