DTS POLICY 4000-0007
Policy Type: Internal Policy
Authority: UCA §63F-1-104 et seq. (Utah Technology Governance Act), UCA §63F-1-206 et seq. (Rulemaking—Policies), UCA §63F-1-103 et seq. (Division of Technology Services Authority)
Submitted On: NA
Submitted By: Paul Kearsley
Approved By: Michael Hussey
Issue Date: NA
Effective Date: April 10, 2018
Last Revised Date: March 27, 2019
Last Revised By: Paul Kearsley
Last Approved By: NA
Last Reviewed Date: July 2020
Last Reviewed By: Paul Kearsley
Next Review: July 2021
The purpose of this policy is to set a standard to maintain currently supported versions of operating systems, software solutions, and environments in order to reduce the security risk to resources on the State network.
In addition to offering support and updates/patches for products they manufacture, IT vendors also establish “end of life,” “no longer supported,” and “not recommended to operate” dates for products. Vendors ensure that this important information is widely available for customers, producing a lifecycle for each product and providing advance notifications of the dates when product versions will no longer be supported. When a product, whether it be hardware or software, reaches its end of life date, the product vendor discontinues security patches, software updates, and technical support for IT components of that product. When this happens, the potential for introducing vulnerabilities increases significantly, which jeopardizes the overall security of a system.
Unsupported or out-of-date operating systems, software platforms, or environments have the potential to put all agencies at risk. Furthermore, running an unsupportable environment means that additional resources may be needed to provide internal support for these systems, which, in turn, increases overhead support costs and, potentially, overall DTS costs. This DTS Policy for Software and Infrastructure aims to prevent the use of unsupported or outdated environments in an effort to ensure the security of the State network and prevent unnecessary overhead costs for DTS.
This policy applies to all servers, software platforms, PCs, mobile devices, and environments that connect to the State of Utah network.
There are no exceptions to this policy unless an exception is approved, in writing, by the Chief Information Officer and Chief Information Security Officer.
To maintain security of, set consistent standards for, and ensure supportability of all products, DTS will follow the manufacturer-recommended lifecycle for software and infrastructure products and will not allow State-owned products that have reached their end of life date to remain on or have access to the State network.