End of Life Policy
Version 1.0
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to ensure that the confidentiality, integrity, and availability of IT Resources are kept intact by not utilizing, deploying, relying on hardware, software, or firmware in an End of Life (EOL) status where there is no remediation.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Fordham University’s Information Risk Management Board (IRMB) requires the University and its partners, internal and external, to maintain an EOL plan per the published Vulnerability Management Policy.
- This EOL policy includes, but is not limited to, operating system (OS), applications, hardware, firmware, services, or subscriptions.
- When a vendor’s EOL product plan cannot meet the Vulnerability Management Policy requirements, Information Security and Assurance may recommend alternative mitigating controls for EOL technology, such as upgrades, updates, replacements, or decommissions.
- You must contact Information Security and Assurance to coordinate a formal risk analysis.
Definitions
End of Life (EOL) describes the useful life of an operating system, applications, hardware, firmware, services, or subscriptions. After this period, the vendor will stop updating, supporting, marketing, or selling that particular item. After this period, the manufacturer will stop marketing, selling, or updating that specific item.
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Related Policies and Procedures
- Patch Management Policy
- Software Development Life Cycle
- Software Development Life Cycle and Secure SDLC Procedure
- Vulnerability Management Policy
- Vulnerability Management Procedure
Implementation Information
| Review Frequency: | Triennial |
|---|---|
| Responsible Person: | Senior Director of IT Security and Assurance |
| Approved By: | CISO |
| Approval Date: | July 1, 2021 |
Revision History
| Version: | Date: | Description: |
| 1.0 | 07/1/2021 | Initial document |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.