Purpose
- To instruct administrators responsible for systems, applications, and services in managing the lifecycle of systems and applications that handle university digital information or connect to the University of Oregon's computing and information resources.
- Requirements identified herein reduce risks to the confidentiality, integrity and availability of university data and systems (“information assets”) and protect the privacy of members of the University community as classified in the Information Asset Classification and Management Policy (IV.06.02).
Applies To
This Standard applies to all university systems and applications that handle university information assets, as well as all devices that store, process or transmit University data.
Standard Summary
Unsupported systems or applications run the risk of being compromised, having sensitive data lost, or becoming an entry point that allows malicious actors to attack other systems and applications on the university infrastructure. These systems SHALL be removed, or mitigated if they are to remain active.
Definitions
Standard
- Security updates shall be applied prior to system or application deployment into production and be kept up to date thereafter.
- End of Life applications and systems SHALL be removed from all environments, for example, production, testing or development.
- Ensure that systems are running supported operating systems.
- NETWORK ACCESS to unsupported applications and systems MAY BE REMOVED until the application or system is remediated.
- Review and follow the Systems and Applications Lifecycle Management Procedure.
- NOTE: When the life cycle of records, according to the UO Records Retention Schedule, surpasses the life cycle of the software or system needed to read them, it is crucial to ensure continued access to these records. This can be achieved by migrating or exporting the records to another storage location for the duration of the retention period.
Requesting Exceptions
In the event the standard cannot be achieved by reasonable means, you can request an exception by completing the Information Security Standard Exception Request form. Be ready to provide details as to why the standard can't be followed, the duration of the exception request and mitigating controls being put in place to meet the requirement.
Reporting inappropriate use of access
Any user who suspects a violation of the standard should report the suspected violation to University Audit using the EthicsPoint System. EthicsPoint is available here.
Implementation Guidelines
Guidelines related to the implementation of this standard can be found in the Guidelines Library on the Information Security Office website.
Additional Information
If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at isrc@uoregon.edu.
Additional information can also be found by visiting the following resources:
- University Information Security Program Policy
- University Acceptable Use Policy
- University Information Asset Classification & Management Policy
- Systems and Applications Lifecycle Management Procedure
Revision History
Version | Published | Author | Description |
---|---|---|---|
1.0 | 05/06/2025 | Information Security Office (ISO) | Original publication |
Status: | Standard |
---|---|
Published: | 05/06/2025 |
Last Reviewed: | |
Last Updated: | |
Approval Block: | Date Discussed | Date Approved |
---|---|---|
Information Security and Privacy - Governance Sub-Committee (ISP-GC) | | |
Chief Information Security Officer | | |