End of Life Operating System Exception Request Procedure
The campus information security standard IT10.5 states that “Current, vendor-supported software and firmware must be used” on client computers.
If there is a legitimate need for a computer to run an out-of-date operating system, the following procedure must be followed to reduce the risk of the system being compromised and to formally file an exception to the security standard. Because an out-of-date operating system is an exception to a security standard, unit or department head approval is required. The procedure can take an extended amount of time because unit head signatures are needed. Note: If a system is running an out-of-date OS and does not need to be on the network, place its MAC address in the macdeny filter so it cannot get online in the future.
The exception steps are:
- Implement a mitigation strategy for the system to reduce the chance that it will be compromised.
  - If the device does not require a network connection to operate, disconnect the device from the network.
  - If the device does require a network connection, work with the acting Security Facilitator to determine an appropriate mitigation strategy by sending email to email@example.com.
- Fill out the OS Exception Form located at https://go.illinois.edu/osexception. See the details about the form below. The person filling out the form will get a confirmation email message with the answers they put in the form plus a risk level. If the risk level is 'low', normally an exception will be granted with the required signatures and no other work.
- Once the form is filled out, OPIS will send an approval form to our security liaison (Brian Nicely, firstname.lastname@example.org). He will work with the IT Pro or system owner to get the necessary unit head signatures and the form back to OPIS for approval.
- Once the exception is granted, update the AD object description to include the following: OSException:Windows 7; OSExceptionDate:MM/DD/YYYY; OSExceptionRequestNumber:XXXXXX
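As an added example (not part of the campus procedure or any OPIS tooling), the PowerShell below, run on a host with the ActiveDirectory RSAT module, appends the three required fields to a computer object's description without overwriting whatever is already there, and lists the computers that currently carry an exception tag so the liaison can review them. The computer name, date and request number are placeholders.

```powershell
# Added example: tag an AD computer object with the OS exception fields the
# procedure requires, and list objects that already carry them.
# Requires the ActiveDirectory module (RSAT). Names and values are placeholders.
Import-Module ActiveDirectory

function Set-OSExceptionTag {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string]   $OS,             # e.g. "Windows 7"
        [Parameter(Mandatory)] [datetime] $ExceptionDate,
        [Parameter(Mandatory)] [string]   $RequestNumber   # from the OPIS approval
    )
    $tag = "OSException:$OS; OSExceptionDate:$($ExceptionDate.ToString('MM/dd/yyyy')); OSExceptionRequestNumber:$RequestNumber"
    $obj = Get-ADComputer -Identity $ComputerName -Properties Description
    # Keep any existing description text; replace a previous exception tag if present.
    $existing = ($obj.Description -replace 'OSException:.*?OSExceptionRequestNumber:\S+', '').Trim()
    $new = if ($existing) { "$existing $tag" } else { $tag }
    Set-ADComputer -Identity $ComputerName -Description $new
}

function Get-OSExceptionComputers {
    # One row per tagged computer, oldest exception first, for periodic review.
    Get-ADComputer -Filter 'Description -like "*OSException:*"' -Properties Description |
        ForEach-Object {
            if ($_.Description -match 'OSException:(?<os>[^;]+);\s*OSExceptionDate:(?<date>[^;]+);\s*OSExceptionRequestNumber:(?<req>\S+)') {
                [pscustomobject]@{
                    Name          = $_.Name
                    OS            = $Matches.os.Trim()
                    ExceptionDate = [datetime]::ParseExact($Matches.date.Trim(), 'MM/dd/yyyy', $null)
                    Request       = $Matches.req
                }
            }
        } | Sort-Object ExceptionDate
}

# Placeholder usage (computer name and request number are not real values):
# Set-OSExceptionTag -ComputerName 'LAB-PC-01' -OS 'Windows 7' -ExceptionDate (Get-Date) -RequestNumber 'XXXXXX'
# Get-OSExceptionComputers | Format-Table
```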
OS Exception Form requires the following information.
The form is at https://go.illinois.edu/osexception. The front page of the form explains the need for the process, offers information about mitigation and the consequences of not updating the system. The list below contains all the questions so the data can be gathered before beginning the form.
- Requester Name, email address, phone. The requester should be able to answer questions about the system and the type of data on it.
- Optional alternate contact person. This is a good place for the IT Pro contact information.
- Unit/college the system is in.
Physical location and access control - You can list up to 10 systems here if they are of the same type and owned by the same unit.
- Type of system such as web server, workstation etc. A list to choose from is provided.
- OS that needs the exception
- Location of the system - local area network, campus data center or university controlled cloud system infrastructure
- Who built and is supporting the system
- What types of users have administrative access to the system
- What types of users have non-administrative access to the system.
- How does user authentication occur
- What is the business purpose for continuing to use an outdated OS?
- What would be the approximate cost of replacing or upgrading the system?
- How many systems are in this exception request
- For each of the systems:
  - Fully qualified domain name
  - IP address
  - MAC address
  - Firewall group
Data types used in or by the system - This section has a long list of data types, such as academic records and HIPAA data, and you must indicate 'yes', 'perhaps' or 'no' for each one.
Criticality of the system
- What is the scope of the system with regard to the university's ability to continue to function?
- Record Volume - The number of records or an estimate of the 'order of magnitude' of the data on the system. This is often difficult to do, but best guesses are fine especially if the data is not sensitive.
- Effect of availability - The impact on the organization's ability to function if the system were unavailable. For individual research group systems, this should be "Low". Although the system is critical to the research group, it is usually not critical to the functioning of the entire college.
- Effect of data integrity - View the data integrity at the level of the college or the entire department the system is in.
- Disaster recovery - When would this system need to be brought back up for the successful functioning of the entire unit.