We have sent out numerous notices recommending that clients replace PCs utilizing Microsoft XP, because Microsoft is discontinuing support of the operating system on April 8, 2014. In this case, discontinuing support of the XP operating system includes updates, technical assistance, and security patches. Our recommendations to credit unions regarding the potential risks have now been validated, as the NCUA and FFIEC have officially addressed the issue. The NCUA recently sent a letter to credit unions referring to the FFIEC joint statement dated October 7, 2013, alerting credit unions to be cognizant of the operational risk and take action. The joint statement can be found at: http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf
According to the FFIEC, “The agencies expect financial institutions and TSPs to identify, assess, and manage these risks to ensure that safety, soundness, and the ability to deliver products and services are not compromised.” The statement goes on to say, “Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorized additions, deletions, and changes of data.”
What does this mean to you? The FFIEC has updated the IT Examination Handbook used by all agencies when performing an IS&T examination. It will be incorporated into the ARIES checklist and will become part of your review in 2014. The examination checklist will require the examiner to evaluate four specific areas if the credit union is running XP on workstations:
- Performing risk assessments: Identify and measure the risk from the continued use of XP throughout the organization and at third parties, including business continuity and disaster recovery situations.
- Selecting appropriate mitigations: Consider costs and potential risks, including compatibility with other systems and applications, in selecting a mitigation strategy.
- Conducting appropriate planning: Develop an implementation plan addressing priorities for changes, ensuring appropriate change management procedures, and monitoring related third parties’ mitigation and migration activities, as warranted.
- Monitoring and reporting: Monitor the risk mitigation implementation to ensure that the level of risk is acceptable. The effectiveness of controls should be tested periodically and results reported to senior management or a committee of the board of directors, as appropriate, to ensure risk continues to be managed.
In essence, the hoops you will need to jump through to maintain PCs utilizing this obsolete operating system will far outweigh the cost of replacement, not to mention the potential vulnerabilities these PCs could introduce into your network. We hope that if you have wavered on replacing workstations running the XP operating system, this will be all the ammunition you need when preparing your 2014 budget. Also, be aware of any servers in your network that may belong to other vendors or perform specific tasks outside of the normal workstations, and verify with those vendors which operating systems they are currently running.