DTS POLICY 4000-0007
Policy Type: Internal Policy
Section/Group: Operations
Authority: UCA §63A-16-104 et seq. (Utah Technology Governance Act), UCA §63A-16-206 et seq. (Rulemaking—Policies), UCA §63A-16-103 et seq. (Division of Technology Services Authority)
Document History
Original Submission
Submitted On: NA
Submitted By: Paul Kearsley
Approved By: Michael Hussey
Issue Date: NA
Effective Date: April 10, 2018
Revisions
Last Revised Date: August 31, 2023
Last Revised By: Patrick Funk
Last Approved By: Alan Fuller
Reviews
Last Reviewed Date: August 2023
Last Reviewed By: Patrick Funk
Next Review: August 2024
1.0 Purpose
The purpose of this policy is to set a standard to maintain currently supported versions of operating systems, software solutions, and environments in order to reduce the security risk to resources on the State network.
1.1 Background
In addition to offering support and updates/patches for products they manufacture, IT vendors also establish “end of life,” “no longer supported,” and “not recommended to operate” dates for products. Vendors ensure that this important information is widely available for customers, producing a lifecycle for each product and providing advance notifications of the dates when product versions will no longer be supported. When a product, whether it be hardware or software, reaches its end-of-life date, the product vendor discontinues security patches, software updates, and technical support for IT components of that product. When this happens, the potential for introducing vulnerabilities increases significantly and jeopardizes the overall security of a system.
Unsupported or out-of-date operating systems, software platforms, or environments have the potential of putting the State and its agencies at risk. Furthermore, running an unsupportable environment means that additional resources may be needed to provide internal support for these systems. This, in turn, causes an increase in DTS overhead support costs. This DTS Policy for Software and Infrastructure aims to prevent the use of unsupported or outdated environments in an effort to ensure the security of the State network and prevent unnecessary overhead costs for DTS.
1.2 Scope
This policy applies to all servers, software platforms, PCs/laptops, mobile devices, and environments that connect to the State of Utah network.
1.3 Exceptions
There are no exceptions to this policy unless an exception is approved, in writing, by the Chief Information Officer and Chief Information Security Officer.
2.0 Policy
- To maintain security of, set consistent standards for, and ensure supportability of all products, DTS will follow the manufacturer-recommended lifecycle for software and infrastructure products and will not allow State-owned products that have reached their end-of-life (EOL) and/or end-of-support (EOS) date to remain on or have access to the State network.
- Agencies that may, on occasion, have products on the State network that are EOL and/or EOS will be given a 30-day notice by DTS to upgrade or remove the products before they are automatically removed or quarantined. This is in order to provide the cyber-security required by regulated entities (e.g., IRS Publication 1075, CJIS, PCI, etc.).