Create a Policy to Manage Unsupported Software (Part 6 of 7: Mitigating Risks of Unsupported Operating Systems)
Although you can accept the risk of running unsupported software, you should treat it as a temporary strategy. In this post, I discuss the importance of establishing a policy for upgrading, replacing, or retiring unsupported software across the organization.
Unsupported operating systems can expose your network to attack. This blog series outlines five actions your organization can take now, including defining risk tolerance; using software inventory management; upgrading, retiring, or replacing software; implementing whitelists; and establishing long-term software maintenance policies. These actions ensure your organization's cybersecurity.
The cost and resources required to update unsupported software may be greater than the perceived cost and impact of an adverse event caused by unsupported software. Consequently, based on its risk tolerance, your organization may decide to allow unsupported software on its network. This decision is generally made by IT management during risk management planning. Such a decision implements a solution that should only be short term and temporary.
Senior leadership should fully understand the risks of running unsupported operating systems and establish a policy for preventing unsupported software on its network. Such a policy must be part of your organization's overall risk management program and should direct how software should be maintained.
The policy for upgrading, replacing, or retiring software assets should also align with your organization's risk management plan. It should specifically identify resources and earmark funding to implement the policy.
What You Can Do
- Inform senior leadership about the risks of running unsupported software on your organization's network.
- Establish a policy for preventing unsupported software on your organization's network.
- Ensure the policy aligns with your organization's risk management plan.
- Identify resources and earmark funding to implement the policy.
For more information about planning the management of unsupported software, see OCTAVE Allegro or the Guide for Security-Focused Configuration Management of Information Systems (NIST SP 800-128).
Check back next week to read a summary of the actions you can take to protect your networks from exposure caused by unsupported software, or subscribe to a feed of the Insider Threat Blog to be alerted when a new post is available.