Systems and Applications Lifecycle Management Procedure

Overview

Procedure for ensuring compliance with the Information Security Office's Systems and Applications Lifecycle Management Standard. 

• As vendors cannot support all previous versions of software, older programs are phased out and must be upgraded or removed from the network.
• It's crucial to monitor your operating system's end-of-life status, as major upgrades often require time and planning.

Follow the steps below to ensure compliance with the standard:

1. Annual Vendor Review: Each year, review the vendor information for all operating systems and applications within your area. Some vendor information is provided below. 
2. Planning for Updates: Develop plans to ensure timely replacement, upgrades, or decommissioning of operating systems and applications in advance to the end of life date. For timelines addressing vulnerabilities, refer to the Vulnerability Management Standard.

Windows

Microsoft provides current lifecycle information for Windows operating systems. If your Windows version is past its extended support date or not listed, it is unsupported, and you must retire or upgrade to a supported version. When planning department equipment purchases and upgrades, consider any upcoming end-of-life dates for your Windows version. 

You can find Microsoft Lifecycle listings on their website: Lifecycle FAQ - Windows (Microsoft Learn)

macOS 

Although Apple does not officially announce the end of support for macOS, security updates addressing critical vulnerabilities are typically released only for the current and one previous version. Unsupported operating systems with security vulnerabilities will be considered insecure. macOS users should regularly upgrade their systems as new versions are released. We recommend updating to the latest version or one previous version within 90 days of a new release. 
 
You can find a list of current security updates on the Apple Support site.

Other Operating Systems 

Verify with your vendor whether your version is still supported and receiving security updates for known vulnerabilities. Operating system and network device vendors often publish lifecycle information to assist with upgrade planning: 

• Debian
• Juniper
• Red Hat Enterprise Linux
• Solaris

Applications

Consult with the application developer or vendor to ensure you are using a version that continues to receive necessary security updates.

Additional resources

• Information Security Standard Exception Request
• Information Asset Classification & Management (University of Oregon Policy Library)
• Systems and Applications Lifecycle Management Standard (Information Security Office)
• Vulnerability Management Standard (Information Security Office)