End of Life Policy

Version 1.0

For Students, Faculty, Staff, Guests, Alumni

Purpose

The purpose of this policy is to ensure that the confidentiality, integrity, and availability of IT Resources are kept intact by not utilizing, deploying, relying on hardware, software, or firmware in an End of Life (EOL) status where there is no remediation.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • Fordham University’s Information Risk Management Board (IRMB) requires the University and its partners, internal and external, to maintain an EOL plan per the published Vulnerability Management Policy.
  • This EOL policy includes, but is not limited to, operating system (OS), applications, hardware, firmware, services, or subscriptions.
  • When a vendor’s EOL product plan cannot meet the Vulnerability Management Policy requirements, Information Security and Assurance may recommend alternative mitigating controls for EOL technology, such as upgrades, updates, replacements, or decommissions.
    • You must contact Information Security and Assurance to coordinate a formal risk analysis.

Definitions

End of Life (EOL) describes the useful life of an operating system, applications, hardware, firmware, services, or subscriptions. After this period, the vendor will stop updating, supporting, marketing, or selling that particular item. After this period, the manufacturer will stop marketing, selling, or updating that specific item.

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Senior Director of IT Security and Assurance
Approved By: CISO
Approval Date: July 1, 2021

Revision History

Version: Date: Description:
1.0 07/1/2021 Initial document

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.

 Need Help?


Walk-In Centers

McGinley 229 | RH
Lowenstein SL19A | LC

View Our Walk-In Hours