31) Does your organisation run any applications or systems that are no longer supported and no longer receive security updates?
Answer yes if your organisation uses any applications or systems for which the vendors do not provide regular security updates. In the notes, please describe how you discover & manage these systems, including any compensatory controls you have in place to protect them and any plans for decommissioning or replacement.
What is it?
Running systems and applications that are out of vendor support means that you will not have any way of installing security updates or patches as vulnerabilities are discovered. This in turn means compensating controls will need to be added. These are typically both significantly less effective and costlier than implementing security code fixes through patches.
Because of this, any applications or systems outside of support should be tracked as part of your risk management activities.
Ideally, systems should always be updated or replaced before running out of support. While this can at times be costly, it is often more cost effective than implementing compensating controls and provides better assurance.
Why should I have it?
Systems and applications that are out of support can be a significant area of risk that is difficult to mitigate. They can be dramatically more difficult to manage and add an ever-increasing number of vulnerabilities to the environment. This in turn increases costs and the need to implement and consistently manage additional mitigating controls.
To clients, the presence of out of support systems in your environment can potentially be interpreted as a lack of resource, planning, or failures in IT management. This is one more reason why any unsupported infrastructure should be well documented, justified, and tracked in a register to balance cost and security concerns.
How to implement the control
A risk register must detail what systems are out of support or nearing end of support. It should also list what vulnerabilities are present on unsupported systems, what mitigating controls have been implemented, and justify how the mitigating controls are adequate based on risk assessments performed against the systems.
Ideally, a policy should also be implemented ensuring that systems are not allowed to exit support by applying updates or, alternatively, the finding of alternative solutions. Systems already out of support should be regularly reviewed to identity possible updates or alternative supported solutions as appropriate.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and process that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
