Purpose

This Ruling provides a direction to South Australian (SA) Government agencies on the requirement to maintain supported information technology (IT) products.

Legacy systems present significant cyber security risk to government as they can increase the likelihood and impact of cyber security incidents due to the inability to patch security vulnerabilities.

Scope

The SA Cyber Security Framework (SACSF) applies to all SA Government public sector agencies, including administrative units, bodies corporate, statutory authorities, and instruments of the Crown as per the Public Sector Act 2009.

A SACSF Ruling is a mandatory application of a SACSF Policy Statement. This Ruling relates to the following SACSF Policy Statement:

Ruling

SA Government agencies must ensure all IT products including software, hardware, firmware, systems, applications, and platforms, whether deployed on-premises, cloud-hosted, or in hybrid environments, are actively supported by the manufacturer, vendor or developer. This means:

  • A contract with a manufacturer or vendor, or an appropriately skilled, dedicated internal resource, must be in place to ensure that IT products receive security updates as required, including critical vulnerability patches.
  • The agency must have a clear lifecycle roadmap for IT products, including end of support dates and upgrade or replacement strategies.

Agencies must identify IT products approaching end-of-life (EOL) and:

  • have a documented plan and roadmap to upgrade to a supported version prior to EOL, or
  • have arrangements with a vendor to receive extended security updates, or
  • have a plan to decommission the product prior to it becoming a legacy system.

Legacy systems are any IT product (i.e. hardware, software, services, protocols, and/or systems) that meet one or more criteria in both Category A and Category B below.

Category A:

  • Out of support and extended support from the manufacturer, vendor or developer, or
  • Considered an EOL product.

Category B:

  • Impractical to update or support within the agency, or
  • No longer cost effective, or
  • Considered to be above the current acceptable risk threshold, or
  • Offers diminishing business utility, or
  • Prevents or obstructs fulfillment of the agency’s IT strategies.

Where legacy systems cannot be immediately replaced, agencies must:

  • Ensure that a legitimate business reason for maintaining the legacy system is documented and approved.
  • Have a documented and approved plan in place, including timeframes, to replace or decommission the legacy system.
  • Conduct a security risk assessment that is approved by the business owner of the system and the Agency Security Executive.
  • Implement temporary mitigations as stated in Australian Signals Directorate’s Managing the risks of legacy IT to bring the risk within the agency’s risk appetite. For example:
    • Network isolation - Segregate legacy systems from sensitive networks to reduce exposure.
    • Access restrictions - Limit access to legacy systems to only essential personnel and enforce least privilege and multi-factor authentication.
    • Enhanced monitoring - Apply continuous logging and alerting to detect suspicious activity on legacy systems.
    • Implement attack surface reduction - Remove configuration weakness or minimise the capability and functionality of an application.
    • Schedule system availability and access - If only required for discrete periods, legacy systems should be shut down or closed when not in use to prevent unauthorised access.

Agencies must manage the risks arising from the vulnerabilities presented by legacy systems. The Agency Security Executive and agency IT Security Advisor must be consulted in the assessment and approval of a legitimate business reason for maintaining legacy systems.

Agencies must identify all legacy systems in their environment. The Department of Treasury and Finance (DTF) as the Control Agency for Cyber Crisis may require agencies to disclose legacy systems in their environment in response to a cyber security threat or incident in accordance with responsibilities under PC042 – Cyber Security Incident Management

Exemptions

  • Agencies that have assessed a legacy system as being high risk, and cannot apply the recommended temporary mitigations, must advise the Office of the Chief Information Officer by completing the exemption process.
  • Exemptions must be sought through the Office of the Chief Information Officer exemption process.