We have discussed how a data auditing tool can help you to stay compliant with the latest regulations on this blog, but we have yet to go over how the software you implement at your organization directly affects your compliance as well. In this case we want to explain how and why end-of-life software of any kind threathens your regulatory compliance.
Let’s start by defining end of life software (we will refer to it as EOL). As Tech Target explains, issue lies with coming up with a complete definition in the first place due to that fact that “not all vendors define “end of life” the same way.” According to PC’s encyclopedia however, EOL software is defined as such:
Refers to hardware and software that is no longer manufactured or supported. An end of life announcement by a vendor stipulates when the manufacturing will end, or if already ended, how far into the future support for the product will be provided.
How can that make an organization non-compliant, you are wondering? The issue with EOL software is that the vendor you purchased the software from is no longer maintaining and updating the software to adjust to the changing technological and commerical landscape. Without the proper support and updates to a product, you are bound to be left with gaps that create risk and reduce security.
There is verbage in many of the current governmental regulations that speaks directly to the concept of keeping your software solutions up to date. For example, the PCI DSS (Payment Card Industry Data Security Standards) states that organizations must “ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.” Running EOL software would be in direct violation of these standards.
So what do you do? The safest thing to do once you find out that a vendor is discontinuing software implemented at your organization is to find a new valid solution and start the deployment process as soon as possible. The sooner a new solution is implemented, the less risk you run of having out of date and potentially breachable software. And just in case you were wondering why it is so important to be perpetually compliant here are just a few things that can happen to you and your organization if you are found to be non-compliant:
- Insurance claims
- Cancelled accounts
- Payment card issuer fines
- Government fines
How do you know when a software you have is reaching end of life? Here are some things that your IT department should look out for in order to gauge when a software is coming to the end of its life:
- The vendor announces there will be no additional features added to the software
- The vendor announces there will be no future releases of the software
Many organizations are currently faced with the concern of being non-compliant in conjunction with Microsoft’s announcement that they will end support for Windows XP and Office 2003 by 8 April, 2014. Due to long deployments, organizations that have not yet begun transferring over to new versions of Microsoft or another solution are already behind. Gartner has predicted that more than 15% of medium and large enterprises will still have Windows XP running on at least 10% of their PCs after Microsoft support ends in April 2014.
The key to compliance in this situation is preparedness and urgency. Make sure your organization keeps open communication with its software vendors. Vigilance will take an organization a long way by the way of compliance.
Want to make compliance a priority at your organization in 2014? Watch how this valuable data auditing tool (Observato) can ensure that your data is fully compliant.