End-of-life - Systems running vendor-supported software
Description
Ensure that systems are not running end-of-life, unsupported or unpatchable software.
How we measure it
Take the list of installed software on all systems and compare it against an online database such as https://endoflife.date/.
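One way to compute this metric from an inventory, as an added example that is not code from this project. The product names, hosts, versions and dates are constructed; the record shape (a `cycle` plus an `eol` that is either an ISO date or a boolean) follows endoflife.date's per-product JSON. Scoring per system and reporting unmatched software separately are assumptions.

```python
from datetime import date

# Constructed sample data (hypothetical products) shaped like endoflife.date
# per-product JSON: "eol" is an ISO date string or a boolean.
EOL_DB = {
    "acme-os": [{"cycle": "22", "eol": "2027-04-30"},
                {"cycle": "18", "eol": "2023-05-31"}],
    "acme-db": [{"cycle": "8.0", "eol": False},
                {"cycle": "5.7", "eol": True}],
}

# Constructed inventory: host -> [(product, installed version)]
INVENTORY = {
    "web01": [("acme-os", "22.3"), ("acme-db", "8.0.36")],
    "web02": [("acme-os", "18.6"), ("acme-db", "8.0.36")],
    "db01": [("acme-os", "22.3"), ("acme-db", "5.7.44")],
    "app01": [("acme-os", "22.3"), ("inhouse-tool", "1.2")],
}

def find_cycle(cycles, version):
    """Longest cycle name that matches the version at a dot boundary."""
    hits = [c for c in cycles
            if version == c["cycle"] or version.startswith(c["cycle"] + ".")]
    return max(hits, key=lambda c: len(c["cycle"]), default=None)

def is_eol(cycle, today):
    """True when the cycle is flagged EOL or its EOL date has been reached."""
    eol = cycle["eol"]
    return eol if isinstance(eol, bool) else date.fromisoformat(eol) <= today

def measure(inventory, eol_db, today):
    """Return (% of systems with no EOL software, EOL findings, unmatched items)."""
    if not inventory:
        raise ValueError("empty inventory: metric is undefined")
    eol_hosts, unknown = {}, []
    for host, packages in inventory.items():
        for product, version in packages:
            cycle = find_cycle(eol_db.get(product, []), version)
            if cycle is None:  # not in the database: review manually
                unknown.append((host, product, version))
            elif is_eol(cycle, today):
                eol_hosts.setdefault(host, []).append((product, version))
    score = 100.0 * (len(inventory) - len(eol_hosts)) / len(inventory)
    return score, eol_hosts, unknown

if __name__ == "__main__":
    score, eol_hosts, unknown = measure(INVENTORY, EOL_DB, date(2025, 1, 1))
    print(f"vm_eol_software: {score:.2f}% (SLO 90.00% - 95.00%)")
    print("EOL findings:", eol_hosts, "| not in database:", unknown)
```

Software that matches no database entry is not counted as end-of-life here, so the unmatched list has to be reviewed or the score will overstate coverage.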
Meta Data
| Attribute | Value |
|---|---|
| Metric id | vm_eol_software |
| Category | Vulnerability Management |
| SLO | 90.00% - 95.00% |
| Weight | 0.8 |
| Type |
References
| Framework | Ref | Domain | Control |
|---|---|---|---|
| ISO 27001:2022 | A.8.8 | 8 Technological controls | Management of technical vulnerabilities |
| CIS 8.1 | 2.2 | Inventory and Control of Software Assets | Ensure Authorized Software is Currently Supported |
| NIST CSF v2.0 | ID.AM-08 | Asset Management (ID.AM) | ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles |
| Essential8-ML3 | ISM-0304 | Patch applications | Applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. |
| Essential8-ML1 | ISM-1704 | Patch applications | Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. |
| Essential8-ML2 | ISM-1704 | Patch applications | Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. |
| Essential8-ML3 | ISM-1704 | Patch applications | Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. |
| Essential8-ML1 | ISM-1905 | Patch applications | Online services that are no longer supported by vendors are removed. |
| Essential8-ML2 | ISM-1905 | Patch applications | Online services that are no longer supported by vendors are removed. |
| Essential8-ML3 | ISM-1905 | Patch applications | Online services that are no longer supported by vendors are removed. |
| Essential8-ML3 | ISM-1407 | Patch operating systems | The latest release, or the previous release, of operating systems are used. |
| Essential8-ML1 | ISM-1501 | Patch operating systems | Operating systems that are no longer supported by vendors are replaced. |
| Essential8-ML2 | ISM-1501 | Patch operating systems | Operating systems that are no longer supported by vendors are replaced. |
| Essential8-ML3 | ISM-1501 | Patch operating systems | Operating systems that are no longer supported by vendors are replaced. |