Information Security Statement on End-of-Life Software
Executive Summary
Running software that is no longer supported by the vendor and unable to receive security updates represents a significant cyber security risk to the University. In order to maintain a strong security posture, Information Security will monitor for non-compliant systems and take appropriate action, including restricting network access and/or removing end-of-life software. The following information provides guidance and support to mitigate this risk.
Introduction
Information Security requires that all devices connected to the University network, or accessing sensitive University data or services, must run vendor-supported software for which security patches are available and installed as specified in the University Acceptable Use Policy and Vulnerability Management Policy. In the context of this statement, software includes both operating systems and applications.
The Information Security team is committed to protecting the University from cyber threats and enforcing security best practices on our network. To reduce risk, enhance our overall security posture, and ensure compliance with regulatory requirements and industry standards, Information Security will begin the process of restricting network access for systems running end-of-life (EOL) operating systems and removing EOL software from University-owned devices.
Following the software lifecycle, vendors will declare a product end-of-life when they will no longer provide security updates or technical support for that product. This applies to operating systems and applications on desktop computers, laptops, servers, and mobile devices, such as tablets and smartphones. Software that has reached EOL is highly vulnerable to emerging threats, including malware, exploits, and other security vulnerabilities. Operating a system on the University network with an end-of-life operating system or application exposes the entire University to an increased risk of unauthorized access, data breach, and service disruption for our students, staff, and faculty.
Running EOL operating systems or software substantially increases the risk to the University, including the campus network and University systems and data.
These risks include:
- Security Risk - End-of-life software is no longer supported by the vendor and will not receive security updates to protect against newly discovered vulnerabilities. Without these updates, systems are vulnerable to exploitation and can be targets for attackers and malware. If exploited, an affected system may be used to gain unauthorized access to other systems, data, or accounts. This could potentially lead to a wider-scale security incident causing significant service disruptions and financial ramifications for the University.
- Compliance Risk - Running end-of-life software constitutes a compliance violation under various regulatory and compliance standards which could impact the University’s ability to conduct teaching, learning, research, and business operations. It could also have a significant impact on cyber insurance eligibility and premiums.
- Incompatibility - As changes are introduced to our computing environment, the focus of testing is on current operating systems and applications. When running outdated software there is no guarantee that integrations and functionality will continue to work as expected. This puts additional strain on already stretched IT resources to investigate issues which would be resolved by upgrading to a supported version.
- Higher Support Costs - Running end-of-life software may lead to higher support costs as staff attempt to keep these systems secure. Legacy systems may also represent a barrier to innovation, leading to delays in forward progress on changes in our environment which could provide a substantial benefit to the broader campus community.
End of Life Dates
CCS (Computing and Communications Services) will monitor and communicate key end-of-life dates to the University IT community; however, system owners are responsible for monitoring their systems to ensure that they are running supported and current software.
Key upcoming EOL dates include, but are not limited to:
- Microsoft Office 2016 and 2019 - October 14, 2025
- Adobe Acrobat Pro 2020 - November 30, 2025
- Microsoft Windows 10 - October 14, 2025
- Microsoft Windows Server 2016 - January 12, 2027
Previous EOL dates include:
- Red Hat Enterprise Linux 7 - June 30, 2024
- Microsoft Windows Server 2012 - October 10, 2023
- Microsoft Windows 7 - January 14, 2020
- Microsoft Windows XP - April 8, 2014
- Red Hat Enterprise Linux 6 - November 30, 2020
- Red Hat Enterprise Linux 5 - March 31, 2018
More information on end-of-life dates for various operating systems and software packages can be found at https://endoflife.date and via the links included below:
- Microsoft Windows EOL dates
- Apple Product Update Information – Please note that Apple does not officially release information on version releases and lifecycles. However, they generally provide support for the three most recent major releases. The above link provides important update information for most Apple products.
- Red Hat Enterprise Linux
- EOL information for CCS Managed Servers
- Mobile Devices - For tablets, phones, and other mobile devices, refer to https://endoflife.date/ or visit the website of the manufacturer for support information.
Enforcement
Information Security constantly monitors the University network for vulnerabilities and security threats, including the detection of systems running outdated operating systems and applications. Information Security also regularly reports on system compliance to the Board of Governors' Audit and Risk Committee.
To proactively address the risks listed above, CCS Information Security will remove end-of-life software from University-owned devices and restrict network access for devices running EOL operating systems in order to better secure the University from cyber threats. Network access may be suspended with little or no notice based upon the potential risk associated with any device connecting to the University network, regardless of ownership or department responsibility. Efforts will be made to contact impacted system owners in a timely manner and provide sufficient notice to make alternate plans. System owners are responsible for proactively monitoring the systems in their care and for planning and budgeting refresh efforts appropriately.
Available Options and Mitigating Security Controls
We understand that upgrading software and operating systems is not a trivial task and there may be circumstances where continued use is necessary to maintain business operations of the University. However, the risk associated with end-of-life software and potential impact on the University must not be underestimated.
As the end-of-life date approaches, CCS and Information Security can work with you to understand the available options and mitigating security controls to ensure your system remains secure and does not put the University at unnecessary risk.
These options include:
- Upgrade
- For personally owned computers, purchase and download a vendor-supported operating system or application version and follow the instructions for installation. Students are entitled to receive Windows for Education at no charge; it can be obtained, along with other supported software, from the Software Distribution website.
- If your computer is managed by CCS, you will be contacted to have your system and/or applications upgraded.
- If your computer is managed by departmental IT staff, contact your departmental IT administrator.
- If you need assistance with an operating system or application upgrade, contact the CCS Help Centre (IThelp@uoguelph.ca or Ext.58888) or your departmental IT administrator.
- Purchase a new computer
If your current hardware does not support an updated version of the operating system or software you require, or if you wish to purchase a new University-owned machine, contact CCS Managed Desktops (IThelp@uoguelph.ca or Ext.58888) or your departmental IT administrator.
- Purchase extended support from the vendor
In some cases, software vendors offer temporary extended support and security updates past the EOL date for an additional cost. While this is a potential temporary solution, it should only be considered after all other mitigation options have been exhausted as it comes with operational and financial challenges. Contact the CCS Help Centre (IThelp@uoguelph.ca or Ext.58888) or your departmental IT administrator.
- Remove it completely from the network
In the case of specialized equipment, it may be acceptable to remove all network access and run in stand-alone mode. In these cases, contact the Information Security team to ensure this will protect the system and the network adequately.
- Mitigate the risk and request a security exception
There may be valid business reasons why an upgrade is not possible or may be cost-prohibitive for the University. Contact the Information Security team to review potential risk mitigation strategies. The exception process detailed in the Vulnerability Management Policy will be used for all exception requests.
Maintaining the security of the University is a shared responsibility, and the Information Security team appreciates your cooperation and understanding as we work collectively to improve our security posture.
Users with questions or requiring assistance should contact the Information Security team via email (infosec@uoguelph.ca) or the CCS Help Centre (IThelp@uoguelph.ca or Ext.58888).
CCS Information Security
https://infosec.uoguelph.ca