Standard: ISO / End-of-life operating systems

Scope: Who is covered by this standard?

Any University owned device running an End-of-Life or no longer supported Operating System (Windows, Mac OS, Linux, etc.). This includes desktop and laptop computers, tablets and mobile devices, cellular devices, servers and virtual machines, and IoT devices such as security cameras, vending machines, Crestron devices, etc.

Rationale

When operating systems reach their End-of-Life, they cease to receive security patches, updates, or support from the vendor, posing a significant security risk to the device, the data stored on it, and any other devices and data that can be reached from it.


Definitions

  • End-of-Life Operating System (EoL OS): Operating systems for which security patches and updates are no longer provided by the vendor.

Standard

  • Near EoL Operating Systems should be upgraded prior to reaching EoL. Where possible, automated notifications should be sent to local IT support groups at least 30 days prior to an Operating System reaching EoL
  • End users may upgrade Operating Systems themselves or reach out to their local IT support group for assistance in doing so
  • Local IT support groups will be responsible for assisting with upgrades and / or requests for exceptions
  • When an Operating System reaches EoL, a 30-day grace period will be permitted to upgrade the OS or request an exception from this standard. 30 days after an OS becomes EoL, devices requesting IP addresses for access to the University network will be denied*
  • EoL Operating Systems that can obtain extended support for security patches and updates may continue to remain on the network if extended support is purchased and documented as an exception
  • Recognizing the need in a limited number of cases to maintain an EoL Operating System, a process for requesting an exception is available. Devices receiving an exception approval will be placed in isolated networks with other EoL devices. It is highly recommended that strong host-based firewall rules and other compensating controls be implemented on such devices to protect them from other EoL devices in the same networks
  • Exceptions for EoL devices must be renewed on a yearly basis

*Since personally owned devices are not within the scope of this standard, OS fingerprinting checks for obtaining a DHCP lease will only be applied to non-residential wired subnets. University-owned EoL OS devices discovered on wireless subnets can and will be blocked manually by MAC address.


Exceptions

Any exceptions to this standard require approval from the Information Security Officer before they can be implemented. All exceptions will be reviewed every 12 months to ensure they are still appropriate and necessary.

Standard Administration

Next Review Date

  • 12/01/2024


Responsible Officer

  • Vice President for Information Technology & Chief Information Officer


Contact

  • Assistant VP for IT Services Security, Compliance, and Risk Management


Approval(s) and Date(s)

  • Initial Approval: 01 December 2022