End of Life Operating System Exception Request Procedure

Any computer on EngineeringIT networks must be running a supported operating system (OS). If a system must run an outdated OS, file an exception for the computer by following this procedure.

The campus information security standard IT10.5 states that “Current, vendor-supported software and firmware must be used” on client computers.

If there is a legitimate need for a computer to run an out-of-date operating system, the following procedure must be followed to reduce the risk of the system becoming compromised and to formally file an exception to the security standard. Because out-of-date operating systems are an exception to a security standard, unit or department head approval is required. The procedure can take an extended amount of time because of the need for unit head signatures. Note: Even if a system running an out-of-date OS doesn't need to be on the network, an exception must still be filed.

The exception steps are:

  1. Implement a mitigation strategy for the system to reduce the chance that it will be compromised.

    1. If the device does not require a network connection to operate, disconnect the device from the network.

    2. If the device does require a network connection, work with NSG to determine an appropriate mitigation strategy by sending email to engrit-security@illinois.edu.

  2. Fill out the OS Exception Form located at https://go.illinois.edu/osexception. See the details about the form below. The person filling out the form will get a confirmation email message with the answers they put in the form plus a risk level. If the risk level is 'low', normally an exception will be granted with the required signatures and no other work.
  3. Once the form is filled out, OPIS will send an approval form to our security liaison (Sandra Thompson, sthomp@illinois.edu). She will work with the IT Pro or system owner to get the necessary unit head signatures and the form back to OPIS for approval.
  4. Once the exception is granted, update the AD object description to include the following: OSException:Windows 7; OSExceptionDate:MM/DD/YYYY; OSExceptionRequestNumber:XXXXXX
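
An added example (not part of the original procedure or any EngineeringIT tooling): a Python check that parses the description tag from step 4 and flags entries that are incomplete or still carry the template placeholders. The host names and description strings are constructed samples, and treating an all-X request number as an unfilled placeholder is an assumption.

```python
from datetime import datetime

# Keys taken from the tag format in step 4 of the procedure.
REQUIRED = ("OSException", "OSExceptionDate", "OSExceptionRequestNumber")

def parse_os_exception(description):
    """Return (fields, problems) for one AD object description string."""
    fields, problems = {}, []
    for segment in description.split(";"):
        key, sep, value = segment.strip().partition(":")
        key = key.strip()
        if sep and key in REQUIRED:  # ignore unrelated free text
            if key in fields:
                problems.append(f"duplicate {key}")
            fields[key] = value.strip()
    if not fields:
        return fields, ["no OS exception tag"]
    for key in REQUIRED:
        if not fields.get(key):
            problems.append(f"missing {key}")
    date_text = fields.get("OSExceptionDate")
    if date_text:
        try:
            fields["OSExceptionDate"] = datetime.strptime(date_text, "%m/%d/%Y").date()
        except ValueError:
            problems.append(f"bad OSExceptionDate {date_text!r} (want MM/DD/YYYY)")
    number = fields.get("OSExceptionRequestNumber", "")
    if number and set(number.upper()) == {"X"}:  # assumption: template left unfilled
        problems.append("placeholder OSExceptionRequestNumber")
    return fields, problems

def audit(descriptions):
    """Map each computer name to the list of problems found in its description."""
    return {name: parse_os_exception(text)[1] for name, text in descriptions.items()}

# Constructed sample data: computer name -> AD description.
SAMPLE = {
    "LAB-PC-01": "Microscope controller; OSException:Windows 7; "
                 "OSExceptionDate:03/14/2023; OSExceptionRequestNumber:123456",
    "LAB-PC-02": "OSException:Windows 7; OSExceptionDate:MM/DD/YYYY; "
                 "OSExceptionRequestNumber:XXXXXX",
    "LAB-PC-03": "OSException:Windows XP; OSExceptionDate:14/03/2023",
    "LAB-PC-04": "Front desk kiosk",
}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, "OK" if not problems else "; ".join(problems))
```
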

The OS Exception Form requires the following information.

The form is at https://go.illinois.edu/osexception. The front page of the form explains the need for the process, offers information about mitigation and the consequences of not updating the system. The list below contains all the questions so the data can be gathered before beginning the form.

Requester information

Physical location and access control - You can list up to 10 systems here if they are the same type and owned by the same unit.

Data types used in or by the system - This section has a long list of data types such as academic records, HIPAA, etc., and you have to indicate 'yes', 'perhaps' or 'no' for each one's usage.

Criticality of the system