“Unsupported UNIX Operating System” tickets

A number of you have pending “Unsupported UNIX Operating System” tickets (and consequently “Unsupported Web Server Detection” tickets) that have generated security ticket reminder messages today. Please make sure to address these tickets as soon as possible. Update them with the latest information and any planned actions for remediation/upgrade. Please include a date, or estimated date, you may have the ticket resolved if it isn’t already.

If you do not plan to upgrade the OS please include why and mention any security measures (technical or procedural controls) you have in place to protect the system. It may also be necessary to complete a security intake evaluation form for the system if you plan to keep the system in that state for a length of time.

The intake form and instructions can be found at https://security.ufl.edu/it-workers/risk-assessment/

Per UF security policies, systems are required to stay current. This means using current, vendor supported Operation Systems so that systems can continue to receive vital security patches. Systems not using current OSes are subject to being filtered from the network. In the past you’ve seen this happen with Windows XP and, most recently, with Windows Server 2003. Various Linux, and Unix, flavors that are no longer vendor supported sometimes can continue to be manually patched beyond vendor end-of-life dates. This is why you haven’t currently seen efforts to filter/block these systems from using the network. I believe it is only a matter of time, however, that there is a push to move forward with this (especially if tickets are not addressed in a timely manner).

Finally, it is important to note that the security intake form should be used when any new information system is brought online that is managed differently than other systems that have already been evaluated or that collects, contains, processes, or transfers any type of restricted data. As I’ve mentioned in the past, UF has been trying for years to make this intake/risk assessment process mandatory. It already is mandatory, by policy, in the Academic Health Center (AHC). We have seen various forms of new/updated risk assessment and data classification policies over the last two+ years but none of them, with the exception of the data classification policy, have really made it out of draft status. As a result, UF still operates under the old Risk Assessment Standard published at www.it.ufl.edu/policies/. The security intake form is an attempt to help units maintain compliance to this standard by having Information Security & Compliance evaluate and provide risk mitigation strategy reports for your information systems.