Windows End-of-Life: Will You Remain Compliant?

Microsoft has ended support for its Windows 7 and Windows Server 2008 operating systems. Now that Windows 7 and Server 2008 have reached the end of their support lifecycles, Microsoft will no longer provide free security updates on-premises, non-security updates, free support options or online technical content updates. What this means in practical terms is your Windows 7 and Server 2008 instances may continue to function much as before, but you are introducing security, compatibility, compliance and support risks to your organisation by keeping them in place.

As we explained in our recent blog post, this isn’t some overblown millennium bug-style scare story; we don’t expect your infrastructure to collapse in on itself if you continue to host Windows 7 and Server 2008 instances. What we do expect, however, is your organisation to drift into hidden exposure and a risk that you may have overlooked: compliance.

In the highly risk averse, compliance heavy industries in which we operate, certifications enable organisations to demonstrate to clients and regulatory bodies that they operate to best practice standards. But what is the impact on your organisation’s compliance standards if you retain instances of Windows 7 or Server 2008 within your infrastructure? In this blog post we’ll explore the implications and offer a route to a robust, holistic cyber security and compliance posture that will enable your organisation to meet the commercial and operational challenges it faces as we enter this new decade. You will establish by reading this blog post that, no matter what compliance framework you are adhering to, a thoughtful plan is required to mitigate risk.

Windows End-of-Life: Will You Remain Compliant?

If your organisation is anything like ours, you will most likely engage in a continual cycle of compliance assessments to ensure you continue to operate to best practice standards. At Six Degrees we deliver these assessments to our clients through our Cyber Security & Compliance services, enabling our clients to identify and address the security risks they face. Here’s what our experienced cyber security consultants had to say about the impact of retaining Windows 7 or Server 2008 instances on your organisation’s compliance standards.

• ISO/IEC 27001:2013. Although ISO 27001 does not state which operating systems or platforms an organisation should be using, it does provide a framework for identifying risks and opportunities and contain a series of security controls (Annex A) that help organisations address risks. A key element of any information security management system (ISMS) is continual improvement of controls when reviewing the ever changing risk landscape. Organisations will need to demonstrate they have identified, within their risk assessment process, the threats associated with an operating system or platform that will no longer receive critical vulnerability updates. An auditor will have concerns if they find Windows 7 or Server 2008 (or even older) instances within the network, unless the risks are identified and steps are being taken to address them within an appropriate timeframe. Again, Annex A controls are available to help ensure that any upgrades to these systems are conducted with a security focus.
• PCI. If any Windows 7 or Server 2008 instances are in use within the Cardholder Data Environment (CDE), the organisation will be noncompliant with Requirement 6.2, which dictates that critical software patches are applied within one month of release. If the organisation conducts an Approved Scanning Vendor (ASV) scan as part of Requirement 11.2, which applies to anyone who needs full compliance or specific Self-Assessment Questionnaires (SAQ), this too will fail to pass as the software will be declared unsupported.
• GDPR. The Information Commissioner’s Office (ICO) has begun baring its teeth when it comes to punishments for GDPR data breaches – in a high profile incident, the ICO announced its intention to issue a £183 million fine to British Airways following a massive data breach in 2018. If your unpatched Windows 7 or Server 2008 instances are compromised and a data breach occurs, there is the potential for an increased fine if this is identified by the ICO following its subsequent investigations.
• SOC 2. SOC 2 compliance, a component of the American Institute of CPAs (AICPA)’s Service Organization Control reporting platform, ensures systems are set up so they assure security, availability, processing integrity, confidentiality, and privacy of customer data. Achieving SOC 2 compliance is reliant on systems being patched and supported; any Windows 7 or Server 2008 instances would be seen as unsupported technologies, which would result in an exception in your report.
• NIST Cybersecurity Framework. The NIST Cybersecurity Framework second function is called ‘Protect’. This is the function that covers whether your organisation’s environment has “sufficient protection”. Windows 7 and Server 2008 instances are seen as an increased risk according to the Framework, which maps to a number of cyber security standards including ISO 27001, NIST SP 800-53, ISA 62443 and COBIT 5.

Next Steps to Ensure Compliance

If your organisation needs to remain compliant with best practice certifications and standards, you should address any Windows 7 or Server 2008 instances that reside in your environment before your next audit. Six Degrees will deliver a free professional services assessment that will identify your migration options whilst reviewing your current environment. Get ahead of the regulators and protect your organisation from data breach – prevention is always, always better than cure.