Who has a Legal Obligation to Upgrade Windows XP, Office 2003 and Exchange 2003?

We have covered, in this blog and in mail notifications to our Alvaka clients, the important virtues of upgrading the end-of-life Windows XP operating system, Office 2003 and Exchange 2003. For many companies the upgrade is an important and prudent migration to software that will still receive security updates. But there is another class of users that is compelled to make these upgrades by regulatory compliance: those involved in national security and law enforcement (ITAR), healthcare (HIPAA and HITECH), and financial services (GLBA), to name a few.

The best source of information covering this requirement comes from NIST, the National Institute of Standards and Technology. NIST publishes the documents that set the standards behind many of these requirements. Nothing in the NIST guidelines mentions the end of life of Windows XP specifically; however, the requirement to perform Flaw Remediation is clear, and that is the control under which the XP, Office 2003 and Exchange 2003 support requirements fall.

For example, NIST Special Publication (SP) 800-53 requires the SI-2, Flaw Remediation, security control, which includes installing security-relevant software and firmware patches, testing patches before installing them, and incorporating patches into the organization's configuration management processes.

Please see below for the two specific excerpts from Special Publication 800-53, Revision 3.

SI-2 Flaw Remediation

Control: The organization:

a. Identifies, reports, and corrects information system flaws;

b. Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and

c. Incorporates flaw remediation into the organizational configuration management process.

Supplemental Guidance: The organization identifies information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and reports this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). The organization (including any contractor to the organization) promptly installs security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling are also addressed expeditiously. Organizations are encouraged to use resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By requiring that flaw remediation be incorporated into the organizational configuration management process, it is the intent of this control that required/anticipated remediation actions are tracked and verified. An example of expected flaw remediation that would be so verified is whether the procedures contained in US-CERT guidance and Information Assurance Vulnerability Alerts have been accomplished. Related controls: CA-2, CA-7, CM-3, MA-2, IR-4, RA-5, SA-11, SI-11.

Control Enhancements:

(1) The organization centrally manages the flaw remediation process and installs software updates automatically.

Enhancement Supplemental Guidance: Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates.

(2) The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.

(3) The organization measures the time between flaw identification and flaw remediation, comparing with [Assignment: organization-defined benchmarks].

(4) The organization employs automated patch management tools to facilitate flaw remediation to [Assignment: organization-defined information system components].

References: NIST Special Publication 800-40.
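As an added example (not part of the original post or of NIST's text), the following Python script shows what SI-2 a and enhancement (3) look like in practice: it flags inventory hosts running software past its end-of-support date and measures the time between flaw identification and remediation against an organization-defined benchmark. The inventory, the flaw log and the end-of-support dates are constructed sample data; confirm the dates on the Microsoft Support Lifecycle page.

```python
from datetime import date

# Constructed sample data for this example (not from the page). The end-of-support
# dates are assumptions here; confirm them on the Microsoft Support Lifecycle page.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Office 2003": date(2014, 4, 8),
    "Exchange 2003": date(2014, 4, 8),
}

# Constructed asset inventory: hostname -> installed products. Only products listed
# in END_OF_SUPPORT are evaluated; anything else is assumed still supported.
INVENTORY = {
    "ws-accounting-01": ["Windows XP", "Office 2003"],
    "ws-frontdesk-02": ["Windows 7", "Office 2010"],
    "mail-01": ["Windows Server 2003", "Exchange 2003"],
}

# Constructed flaw-remediation log: (host, flaw id, identified, remediated or None).
FLAW_LOG = [
    ("ws-frontdesk-02", "FLAW-0001", date(2014, 3, 3), date(2014, 3, 10)),
    ("mail-01", "FLAW-0002", date(2014, 2, 20), date(2014, 4, 1)),
    ("ws-accounting-01", "FLAW-0003", date(2014, 4, 9), None),
]

def unsupported_software(inventory, as_of, eos=END_OF_SUPPORT):
    """SI-2 a: identify systems whose software can no longer receive security patches."""
    findings = {}
    for host, products in inventory.items():
        dead = [p for p in products if p in eos and eos[p] <= as_of]
        if dead:
            findings[host] = dead
    return findings

def remediation_times(flaw_log, as_of):
    """SI-2 (3): days from identification to remediation. Open flaws are measured
    up to as_of so they keep accruing against the benchmark until fixed."""
    return {flaw: ((fixed or as_of) - found).days for _, flaw, found, fixed in flaw_log}

def benchmark_breaches(flaw_log, as_of, benchmark_days):
    """Flaw ids whose remediation time exceeds the organization-defined benchmark."""
    times = remediation_times(flaw_log, as_of)
    return sorted(flaw for flaw, days in times.items() if days > benchmark_days)

if __name__ == "__main__":
    today = date(2014, 4, 30)
    print("unsupported software:", unsupported_software(INVENTORY, today))
    print("over 30-day benchmark:", benchmark_breaches(FLAW_LOG, today, 30))
```

The two reports are exactly the evidence an assessor asks for under SI-2: which systems cannot be patched at all, and how long open flaws have been waiting.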

SI-3 Malicious Code Protection

Control: The organization:

a. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:

- Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or

- Inserted through the exploitation of information system vulnerabilities;

b. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures;

c. Configures malicious code protection mechanisms to:

- Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and

- [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and

d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, and remote-access servers. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode) or contained within a compressed file. Removable media includes, for example, USB devices, diskettes, or compact disks. A variety of technologies and methods exist to limit or eliminate the effects of malicious code attacks. Pervasive configuration management and strong software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions and business functions. Traditional malicious code protection mechanisms are not built to detect such code. In these situations, organizations must rely instead on other risk mitigation measures to include, for example, secure coding practices, trusted procurement processes, configuration management and control, and monitoring practices to help ensure that software does not perform functions other than those intended. Related controls: SA-4, SA-8, SA-12, SA-13, SI-4, SI-7.

Control Enhancements:

(1) The organization centrally manages malicious code protection mechanisms.

(2) The information system automatically updates malicious code protection mechanisms (including signature definitions).

(3) The information system prevents non-privileged users from circumventing malicious code protection capabilities.

(4) The information system updates malicious code protection mechanisms only when directed by a privileged user.

(5) The organization does not allow users to introduce removable media into the information system.

(6) The organization tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system and subsequently verifying that both detection of the test case and associated incident reporting occur, as required.

References: NIST Special Publication 800-83.

I would like to give a special note of recognition and thanks to Alvaka Networks consultant Albert Lee for compiling this information.

If you have XP, Office 2003 or Exchange 2003, I suggest you upgrade. Alvaka does not sell hardware or software, so we gain no direct benefit from suggesting you upgrade. Running old and unsupported software is risky in many ways. For more information about the support lifecycle for these products, visit the Microsoft Support Lifecycle web page.

Alvaka Networks is available for IT consulting and support services to our clients and prospective clients in southern California and elsewhere. Our consultants can be dispatched from Irvine, Long Beach, Orange, Tustin, Chatsworth, Pasadena, Lake Forest, Murrieta and many other cities. We can help you create a migration plan and budget that is based upon our standard methodology but customized to fit your needs. Whether you need network monitoring, backup and disaster recovery systems, IT service and support, or penetration tests and vulnerability assessments, Alvaka Networks is ready to serve you. We are staffed by live support personnel 24x7x365 in our Irvine HQ.

If you need help or some advice, e-mail toli@alvaka.net or give me a call at 949 428-5000, extension 213.