
What is the “new” value proposition for Enterprise Agreements?

Does your company have legacy systems, or systems running unsupported operating systems? If so, you understand the compliance and cyber risk of keeping them in your environment. For example, you are probably aware of the $150,000 settlement HHS reached with Anchorage Community Mental Health Services (ACMHS) in 2014. The resolution agreement states:

From January 1, 2008, until March 29, 2012, ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network (See 45 C.F.R. § 164.312(e)) by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.

The WannaCry outbreak of May 2017 is a good example of a real threat against such systems. It spread through the SMBv1 vulnerability addressed by MS17-010, and machines running unsupported operating systems such as Windows XP and Windows Server 2003 had no patch available when the worm appeared; Microsoft issued out-of-band updates for them only after the outbreak was under way.

So, why not replace these archaic, thorn-in-your-side systems? Here are some of the reasons:

  1. Cost. In some instances the vendor will not let you update just the operating system; you have to buy an entirely new solution, which can carry a price tag in the six figures.
  2. Lack of expertise on the system. Technical expertise on the unsupported OS, or on the application that runs on top of it, may be absent or sparse.

So, what are some of your options, or takeaways, in the short term?

  1. Define your risk tolerance.
  2. Ensure your asset inventory includes systems with unsupported operating systems. Each such asset needs a named IT owner and a named business owner. The inventory should be dynamic and proactively discover new systems with unsupported operating systems or software, rather than relying on a one-time survey.
  3. Understand and document what compensating controls (for example, network isolation, and the firewalls and traffic monitoring the ACMHS agreement cites) can be applied to these systems.
  4. Involve the IT and business owners of these systems in the exemption process. Ensure that the risks are explained in their language.
  5. Ensure there is a policy, and legal/contract language, that addresses systems with unsupported software. Ensure that this policy and legal language is known and understood throughout the organization.
  6. Potentially revise your thinking about leveraging Enterprise Agreements.
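To make items 2 through 4 concrete, here is an added example, not code from the original post: a Python check that runs over an asset inventory and flags assets whose OS is past end of support, assets whose support status the inventory cannot determine, assets approaching end of support, and unsupported assets that lack a named owner, an exemption, or compensating controls. The inventory fields, the sample records, the exemption-ticket convention, the 180-day warning window and the reference date are constructed assumptions; the end-of-support dates are Microsoft's published end-of-extended-support dates for the listed products.

```python
"""Flag inventory assets that run unsupported operating systems.

Added example, not part of the original post. Inventory layout, sample
records and the exemption-ticket field are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Microsoft's published end-of-extended-support dates.
EOL = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows 10": date(2025, 10, 14),
    "Windows Server 2016": date(2027, 1, 12),
}

# Assumption: warn this far ahead of end of support so replacement can be planned.
EXPIRING_WINDOW = timedelta(days=180)


@dataclass
class Asset:
    """One inventory record (constructed layout, not a real CMDB schema)."""
    hostname: str
    os: str
    it_owner: str = ""
    business_owner: str = ""
    exemption_id: str = ""              # hypothetical risk-exemption ticket
    compensating_controls: tuple = ()


def support_status(os_name, today):
    """Classify an OS as supported, expiring, unsupported or unknown."""
    eol = EOL.get(os_name)
    if eol is None:
        # Not in the table: do not silently treat as supported.
        return "unknown"
    if eol <= today:
        return "unsupported"
    if eol - today <= EXPIRING_WINDOW:
        return "expiring"
    return "supported"


def assess(asset, today):
    """Return the list of finding codes for one asset (empty means no issue)."""
    status = support_status(asset.os, today)
    findings = []
    if status == "unknown":
        findings.append("unknown-os")        # needs manual review
        return findings
    if status == "supported":
        return findings
    findings.append(status)                  # "unsupported" or "expiring"
    if not (asset.it_owner and asset.business_owner):
        findings.append("no-owner")          # nobody to sign the exemption
    if status == "unsupported":
        if not asset.exemption_id:
            findings.append("no-exemption")
        if not asset.compensating_controls:
            findings.append("no-compensating-controls")
    return findings


def assess_inventory(assets, today):
    """Map hostname -> finding codes for every asset in the inventory."""
    return {a.hostname: assess(a, today) for a in assets}


# Constructed sample inventory; hostnames and owners are invented.
SAMPLE_INVENTORY = [
    Asset("lab-pacs-01", "Windows XP", "imaging-it", "radiology",
          exemption_id="EX-2018-004",
          compensating_controls=("network isolation", "host firewall")),
    Asset("hvac-ctl-02", "Windows Server 2003", "", "facilities"),
    Asset("fin-ws-17", "Windows 7", "desktop-eng", "finance"),
    Asset("app-srv-09", "Windows Server 2016", "server-ops", "hr"),
    Asset("infusion-pump-3", "VxWorks 5.5", "biomed", "nursing"),
]

# Assumption: fixed reference date so the run is reproducible.
REFERENCE_DATE = date(2019, 9, 1)

if __name__ == "__main__":
    for host, codes in assess_inventory(SAMPLE_INVENTORY, REFERENCE_DATE).items():
        print(f"{host:18} {', '.join(codes) or 'ok'}")
```

The design choice worth noting is that an OS missing from the end-of-support table is reported as "unknown-os" rather than passed: when a new device type first appears in the inventory it surfaces for review instead of silently counting as supported, which is what makes the inventory proactive rather than a one-time survey.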


Ben Boswel, at SC Magazine, wrote the following on EAs:

One way to tackle this problem is to change the relationship between organisations and the software and hardware providers they buy from. Many rely on Enterprise Agreements (EAs) whereby vendors agree to sell a specified amount of software and hardware over a certain timeframe. But EAs have been evolving in recent years to offer more support to customers. Many EAs have expanded to include security and software updates.

Large and complex organisations need EAs with a Software as a Service Offering, a contract between customer and supplier whereby hardware and software are fully supported on a rolling basis.

Instead of companies simply buying IT infrastructure from a provider and then having to update, maintain and replace it themselves, under an evolved EA this is largely the vendor’s responsibility. To ensure the best user experience and encourage users to renew, it is always in a vendor’s interests to ensure that their customers are making use of the most up-to-date versions of their software. Vendors can then manage the continued maintenance of these systems. This takes away the burden of domestically maintaining systems over a vast and sprawling business network of different systems.

Although used in many areas, in recent years EAs have evolved to better accommodate the changing needs of businesses, who are looking for increasing flexibility. Many EAs now include security, network and other hardware support in the same package as well as being available on a pay-by-usage policy. This means firms can accelerate innovation into their IT systems through just one agreement.

I shared this view of EAs with a VP over IT Infrastructure and Operations. The VP’s response:

Didn’t that used to be called a “Managed Service”? Lots of pro(s) and con(s)…

Very true.

The takeaways:

  1. Review and act on the short-term takeaways above.
  2. Contemplate how to leverage and update the use of EAs.