KUMC Supported Software Policy
This policy establishes specific requirements for the use of software at the University of Kansas Medical Center (KUMC) to support the organization's goals of caring, healing, teaching and discovering. This policy states KUMC’s direction with regard to maintaining an up-to-date software portfolio while also reducing the cost and risk inherent in managing or allowing unsupported software products to exist within the computing and networking environments.
The term unsupported refers to software for which there are no longer commercial or vendor support options or software that relies on other unsupported applications or components.
This policy applies to all users of software resources owned or managed by KUMC. Individuals covered by the policy include (but are not limited to) all KUMC employees (faculty, staff, student employees and residents) and other covered individuals (e.g., affiliates, vendors, independent contractors, partners, guests, visitors of any kind, etc.) accessing computing, network or data resources or services via KUMC’s computing facilities.
This policy also applies to software administered by individual departments, units, divisions, centers, locations, campuses, or shared services and is applicable to KUMC-owned computers and devices connected by wire or wirelessly to the KUMC network or the Internet, and to computers and devices that connect remotely to the KUMC network.
The following are outside the scope of the current policy:
- custom-built applications (but the underlying technology software platforms remain in scope)
- any product whose version has been mandated by state or federal law or regulation, or by State of Kansas or Board of Regents policy.
To ensure the delivery of reliable, low risk, and cost effective services, KUMC must eliminate unauthorized instances of unsupported software. KUMC bears the risk associated with running unsupported software.
These risks can include:
- increased cost to maintain a software asset
- lack of agility resulting from its inability to align with changes in business requirements
- limited capacity to integrate with up-to-date and cost competitive technologies
- scarcity of skilled labor to maintain unsupported technologies
- human error, increased mistakes and the resulting costs of supporting the complexity of many versions or competing/complementary versions
- easily identifiable software with known vulnerabilities, often with automated compromise tools available, exposing the platform or system and its associated data to easy exploitation
KUMC requires that individual departments, units, divisions, centers, locations, campuses, regions or shared services include software versioning as an integral part of their technology plan. The plan should consider at minimum a three-year horizon to coincide with their budget cycle and establish a plan and budget for upgrading software before it goes out of support and becomes high risk (i.e. security risk, disruption from loss of service, etc.).
Vendors commonly announce software product end of support dates years in advance. Unlike the standard mainstream support included when a product is released and current, extended support periods typically provide only security and reliability patches. No feature enhancements, architectural changes, warranties such as application backward compatibility, or new device drivers are offered once a product has gone out of mainstream standard support.
For the purposes of this policy, software for which the vendor or community does not publish support dates is considered out of support three years after being initially published.
Retirement or replacement must be completed before software is out of support. Out of support systems pose a significant liability and a threat to KUMC. More specifically, out of support software:
- no longer receives original manufacturer security updates that help protect KUMC systems from harmful viruses, spyware, and other malicious software that can damage or steal KUMC data
- presents threats to interconnected KUMC systems and data
- may not be compatible with current standards and infrastructure
In software versioning, the current release version is known as N and the prior major version of the software as N-1. Older versions of software are labelled as N-2, N-3, etc. For the purposes of this policy, N means the version of software designated and approved by KUMC, as the current standard for deployment. For a list of the current software standards and related versions, please see the IR intranet website.
N-1 is one release prior to the above described, designated, or approved software version. N-2 is two or more releases prior to the above described, designated, or approved software version. Conversely, N+1 is any version level released by a manufacturer (in production or beta state) after the above-described N version.
N-1 should have at least 12 months remaining before being designated end of support or unsupported. Software that becomes version N-2 or greater or is eligible for refresh must be updated, replaced, or discontinued within 12 months. If a refresh is not possible for technical or business reasons, an exception must be formally requested through the Office of Information Security with statements and documentation that address the impact(s) on business need, cost, risk, and security.
Early adoption of an N+1 release requires an exception to be requested from Information Security and approved by Information Security and Information Resources prior to production use, to ensure that it can be managed and maintained by KUMC.
If mainstream support cannot be determined, then software must be maintained no more than two (2) major versions behind the latest release (e.g. N-2), or within three (3) years of the general availability of a new release, whichever occurs sooner.
There is generally a gap between the latest current vendor software release and its designation by KUMC as version N. This time allows for additional software testing, stability, and preparedness by KUMC for the upgrade.
Reporting Policy Violations
Users must exercise their best judgment in adherence with this and other KUMC policies and standards to determine acceptable use. Any questions or additional reporting measures should be directed to the Chief Information Security Officer or designee.
Individuals found to be in violation of this policy, shall be subject to disciplinary action including restriction, possible loss of privileges, suspension, termination or prosecution under applicable statutes.
Associate Vice Chancellor for Information Security
firstname.lastname@example.org, or 913-588-3333
Software Currency/Versioning – the practice of maintaining the latest software for the deployed solution.
End of Support – the vendor no longer provides fixes, updates, or other technical assistance. Without vendor support, the software will no longer receive security updates.
Extended Support – the period of time after end of support when the vendor may or may not offer additional software maintenance support at a cost, typically for a period of between one (1) and five (5) years.
Mainstream Standard Support – the period of time during which a vendor product is available for general release and receives warranty support, security and non-security updates.
Out of Support Software – software that is no longer supported by software vendors except through customized or ad hoc support on a critical need only basis and for a fee. Vendors typically provide three (3) years or more of warning before the actual out of support date.
Refresh – agency mechanism of updating software for currency. It is triggered by moving the version N to the next release.
Software – code that instructs a computing device on what to do. This includes, but is not limited to, applications, firmware, operating systems, and programming languages.
Unsupported Software – refers to software for which there are no longer commercial, vendor, or in-house support options, or software that relies on other unsupported applications or components.
Communities – This will be equivalent to vendor(s) for the purposes of open source software and related components.