Division:
Administration and Finance
Department:
Information Technology Services
Contact Information:
Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu
Effective Date:
Friday, May 9, 2014
Revised Date:
Thursday, October 21, 2021
Authority:
Application Security Standard (ISO Domain 14: Systems Acquisition Standard)
Protections Against Malicious Software Programs (ISO Domain 12: Operations Security Standard)
Objective:
The purpose of this policy is to ensure that university-owned endpoints, servers, and network-connected devices, excluding Internet of Things (IoT) devices, are running operating systems that can be updated to address cybersecurity vulnerabilities.
Statement:
Implementation
Responsibility for implementing this policy will rest with the appropriate functional campus areas. The ITS Information Security Office is responsible for periodically auditing the SF State network for outdated operating systems and working with the functional campus areas to put in place risk acceptance documents for assets with non-supported operating systems that must remain on the network for more than 60 days after support ends.
Submit any apparent violation of this policy to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to service@sfsu.edu.
Non-Compliance
Noncompliance with applicable policies may result in suspension of network access privileges. Campus functional areas hosting critical services that cannot be migrated quickly must file a risk acceptance form with the Security Team. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.