End of Life Policy

Version 1.0

Purpose

The purpose of this policy is to ensure that the confidentiality, integrity, and availability of IT Resources are kept intact by not utilizing, deploying, or relying on hardware, software, or firmware in an End of Life (EOL) status where there is no remediation.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • Fordham University’s Information Risk Management Board (IRMB) requires the University and its partners, internal and external, to maintain an EOL plan per the published Vulnerability Management Policy.
  • This EOL policy includes, but is not limited to, operating systems (OS), applications, hardware, firmware, services, or subscriptions.
  • When a vendor’s EOL product plan cannot meet the Vulnerability Management Policy requirements, the University Information Security Office (UISO) may recommend alternative mitigating controls for EOL technology, such as upgrades, updates, replacements, or decommissions.
    • You must contact the UISO to coordinate a formal risk analysis.

Definitions

End of Life (EOL) describes the useful life of an operating system, applications, hardware, firmware, services, or subscriptions. After this period, the vendor or manufacturer will stop updating, supporting, marketing, or selling that particular item.

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Director, IT Security
Approved By: CISO
Approval Date: July 1, 2021

Revision History

Version: 1.0
Date: 07/1/2021
Description: Initial document

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.