End of Life Policy
Version 1.1
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to ensure that the confidentiality, integrity, and availability of IT Resources are kept intact by not utilizing, deploying, or relying on hardware, software, or firmware in an End of Life (EOL) status where there is no remediation.
Scope
This IT security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Users must maintain an EOL actionable plan adhering to the Vulnerability Management Policy.
- This policy includes, but is not limited to, operating systems (OS), applications, hardware, firmware, services, or subscriptions.
- You must contact Information Security and Assurance to coordinate a remediation plan when a vendor’s EOL product plan cannot meet the Vulnerability Management Policy requirements.
- Information Security and Assurance may recommend alternative mitigating controls for EOL technology, such as upgrades, updates, replacements, or decommissions.
Definitions
End of Life (EOL) denotes the operational lifespan of an operating system, applications, hardware, firmware, services, or subscriptions. Subsequent to this timeframe, the vendor or manufacturer will discontinue updating, supporting, marketing, or selling certain goods or services.
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Related Policies and Procedures
- Patch Management Policy
- Software Development Life Cycle
- Software Development Life Cycle and Secure SDLC Procedure
- Vulnerability Management Policy
- Vulnerability Management Procedure
Implementation Information
| Review Frequency: | Triennial |
|---|---|
| Responsible Person: | Senior Director of IT Security and Assurance |
| Approved By: | CISO |
| Approval Date: | July 1, 2021 |
Revision History
| Version: | Date: | Description: |
|---|---|---|
| 1.0 | 07/1/2021 | Initial document |
| 1.1 | 07/15/2024 | Updated definitions, statement, scope, disclaimer |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.