Over a year ago, Safe Systems began its initiative to prepare financial institution clients for the end of support for Windows XP on April 8, 2014. In early April 2013, we were managing 8,788 Windows XP devices, and our most recent numbers show 2,886 remaining. Our professional services team has helped clients replace thousands of these devices and, as the numbers show, significant progress has been made. However, there is still work to be done to upgrade the remaining workstations. Now that you are on the cusp of completing XP replacements, you should also begin preparing to replace any remaining servers that are running Microsoft Server 2003. Microsoft will be ending support for Server 2003 on July 14, 2015, and currently we have 866 servers across our client base.
As a reminder, end of support means Microsoft will no longer provide security updates or technical support for these operating systems. The discontinuation of security updates is the most notable change. It effectively means Microsoft will no longer patch vulnerabilities exploited by malware, which leaves these devices susceptible to attack. In addition, the inability to receive paid support could leave you in a precarious situation if a device has downtime and it provides a critical function.
The FFIEC released a joint statement on October 7, 2013 regarding end of support for Windows XP, and although it is not specific to Server 2003, it can be applied to both. In this statement, the FFIEC wrote: “Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorized additions, deletions, and changes of data. Additionally, financial institutions and Technology Service Providers that are subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and continue to use XP after April 8, 2014, may no longer be compliant.”
The statement goes on to reference the risk management guidance documented in the FFIEC IT Examination Handbook, which recommends that you perform a risk assessment, select appropriate mitigations, conduct appropriate planning, and carry out ongoing monitoring, with the effectiveness of such controls reported to Senior Management or the Board of Directors. Although the FFIEC doesn’t explicitly say to replace these devices, you can read between the lines and conclude that the risk of not doing so is too great. You can review the entire statement at the following URL: http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf.
Here are some things to keep in mind when replacing these legacy operating systems (OS):
- Don’t forget about your ATMs. These typically run a Windows workstation OS, and more than likely some of yours are Windows XP devices. They are seemingly “out of sight, out of mind” but are an important part of your banking services.
- Regarding server OS, you have a choice between Server 2008 and Server 2012. This largely depends on whether your banking core processor supports Server 2012. Server 2008 has extended support available through January 14, 2020, so if your banking applications are not supported on Server 2012, there is plenty of time remaining for Server 2008. Also, consider that the average lifecycle for a server is four years, so you will likely need to replace the server prior to the end of its support date.
- Regarding workstation OS, you have a choice between Windows 7 and Windows 8.1. This largely depends on whether your banking core processor supports Windows 8.1. But similar to Server 2012, Windows 7 has extended support available through January 14, 2020, so if your banking applications are not supported on Windows 8.1, there is plenty of time remaining for Windows 7. Also, keep in mind that the average lifecycle for a workstation is three years, so you will likely need to replace the workstation prior to the end of its support date.
- It is never too early to start planning for Server 2003 replacements, and you should certainly not underestimate this process. Depending on the server in question, you could compare a server replacement to heart surgery: it requires additional preparation, and the server is the cornerstone of so many important aspects of your banking operations. Don’t procrastinate!
Lastly, feel free to reach out to Safe Systems and leverage our more than 20 years of professional services experience to make this a smooth transition. Keep in mind that our implementation calendar is first come, first served, so if you would like our experts to facilitate this process, be sure to contact us well in advance. At times, our installation calendar has been sold out several weeks in advance. If you do decide to leverage our team, our Technical Solutions department can help identify your business needs, align the appropriate technology, and develop a plan that will minimize business interruptions. From there, our Project Management and Engineering teams will develop a detailed project plan and execute it while minimizing any business interruptions. This gives you the flexibility to focus on running your business of banking and to depend on us as your technology partner to upgrade your key technologies.