An operating system is the backbone of a computer or mobile device. It handles all the communications between the hardware of the device and its environment, including the user interface, the applications, and any peripherals, such as printers and scanners. Operating systems are kept secure and running smoothly by applying patches, fixes, and service packs on a timely basis. Out-of-date operating systems can have vulnerabilities which can be exploited and used to compromise the computer or mobile device.
Similarly, when an operating system reaches its end of life, the manufacturer stops supporting it with the patches, fixes, and service packs necessary to keep the device secure. At that point, the device and all its data become vulnerable to attack, abuse, and misuse. The compromised device can then have its data lost, the user credentials (username and password) stolen, and the device itself used to perform illegal activities by the attacker.
Because out-of-date operating systems can be so easily exploited, they represent a threat to the University and themselves, and must be upgraded or removed from operation and replaced with updated hardware and operating system software.
In situations where operational requirements do not allow the system to be upgraded, replaced, or retired, an exemption must be requested and steps must be taken to ensure that the device does not represent a threat to the University. To address the system’s avenues of attack, this will include NO access to or from the Internet. All exemptions must be approved by the Chief Information Security Officer (CISO). Exemptions are granted based on a justifiable, verifiable business case, including appropriate documentation. Any exemptions that are granted will be for a maximum of one year, and must be reviewed for changing circumstances and must be renewed. Additionally, exemptions are considered on a per-device basis, with one request per device; bulk exemption requests will not be considered.