
FFIEC issues guidance on discontinuation of Windows XP support

Operational risks should be identified, assessed, and managed


The Federal Financial Institutions Examination Council issued a joint statement concerning Microsoft’s discontinuation of support for its Windows XP operating system as of April 8, 2014.

The FFIEC agencies expect financial institutions and their technology service providers to identify, assess, and manage the potential operational risks associated with the discontinuation of XP support to ensure that safety and soundness and the ability to deliver products and services are not compromised.

The statement is available online at http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf and is reprinted below:

Joint Statement: End of Microsoft support for Windows XP operating system

Purpose:

The Federal Financial Institutions Examination Council (FFIEC) agencies (Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, State Liaison Committee) are jointly issuing this statement to alert financial institutions that the discontinuation of support for the Microsoft Windows XP operating system (XP) could present operational risks to financial institutions, technology service providers (TSPs), and to activities supported by other third parties. The agencies expect financial institutions and TSPs to identify, assess, and manage these risks to ensure that safety, soundness, and the ability to deliver products and services are not compromised.

Background:

Microsoft will discontinue extended support for XP effective April 8, 2014. After this date, Microsoft will no longer provide regular security patches, technical assistance, or support for XP. Financial institutions, TSPs, and other third parties that use XP in personal computers, servers, and purpose-built devices such as automated teller machines (ATM), or that are dependent on applications that require use of XP could be exposed to increased operational risk.

Potential problems:

Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorized additions, deletions, and changes of data. Additionally, financial institutions and TSPs that are subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and continue to use XP after April 8, 2014, may no longer be compliant.

Regulatory guidance:

Financial institutions and TSPs that use XP should follow their risk management processes to address the risk from the continued use of XP, consistent with the risk management guidance contained in the FFIEC Information Technology (IT) Examination Handbook.

Important considerations include:

  • Performing risk assessments: Identify and measure the risk from the continued use of XP throughout the organization and at third parties, including business continuity and disaster recovery situations.
  • Selecting appropriate mitigations: Consider costs and potential risks, including compatibility with other systems and applications, in selecting a mitigation strategy. (Broad mitigation options include replacing XP with a current operating system or maintaining XP over time.)
  • Conducting appropriate planning: Develop an implementation plan addressing priorities for changes, ensuring appropriate change management procedures, and monitoring related third parties’ mitigation and migration activities, as warranted. (For further information and guidance, see the “Operations” booklet of the FFIEC IT Examination Handbook at http://ithandbook.ffiec.gov/.)
  • Monitoring and reporting: Monitor the risk mitigation implementation to ensure that the level of risk is acceptable. The effectiveness of controls should be tested periodically and results reported to senior management or a committee of the board of directors, as appropriate, to ensure risk continues to be managed.

The latter option potentially includes implementing controls designed to provide additional monitoring for XP-supported systems and devices, protecting XP from threat sources, and isolating XP from the remainder of the network.

John Ginovsky

John Ginovsky is a contributing editor of ABA Banking Journal and editor of the publication’s TechTopics e-newsletter. For more than two decades he’s written about the commercial banking industry, specializing in its technological side and how it relates to the actual business of banking. In addition to his weekly blogs—"Making Sense of It All"—he contributes fresh, original stories to each TechTopics issue based on personal interviews or exclusive contributed pieces. He previously was senior editor for Community Banker magazine (which merged into ABA Banking Journal) and was managing editor and staff reporter for ABA’s Bankers News. Email him at jginovsky@sbpub.com.
