Australian Government Architecture

Managing the risks of legacy ICT: practitioner guidance

Direct link: www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/legacy-it-management/managing-the-risks-of-legacy-it-practitioner-guidance
Responsible agency: Australian Signals Directorate
Last updated: 11 June 2024

Legacy IT is defined in the Department of Home Affairs’ Protective Security Policy Framework (PSPF) as an IT product (i.e. hardware, software, services, protocols and/or systems) that is considered end-of-life or out of support, and that is also one or more of the following:

  • impractical to update or support internally
  • no longer cost-effective
  • above the current acceptable risk threshold
  • of diminishing business utility
  • no longer aligned with, or obstructive to, the entity’s ICT strategies.

Legacy information technology (IT) presents significant and enduring risks to the cyber security posture of Australian Government entities and organisations. Its presence increases the likelihood of a cyber security incident and makes any incident that does occur considerably more impactful.

This publication provides guidance for organisations on mitigating the risks posed by legacy IT within their IT environments. It also sets out low-cost mitigations for legacy IT that organisations can draw upon in addition to their own strategies. However, the mitigations suggested in this document provide only temporary risk reduction.

While this guidance is primarily intended for Australian Government entities, it can be used by any organisation to manage the risks of legacy IT within their IT environments.

All organisations should strive to implement a clear strategy for managing legacy IT now and into the future, by:

  • facilitating good communication with their stakeholders
  • having a good understanding of their IT environment
  • considering future depreciation as part of their IT procurement
  • continuously monitoring depreciation across their IT environment
  • replacing legacy IT incrementally or, if that is not feasible, planning for temporary mitigations.

This guidance should be read in conjunction with other guidance from the Australian Signals Directorate (ASD), including:

  • End of Support for Microsoft Windows and Microsoft Windows Server
  • Gateway Security Guidance Package: Gateway Operations and Management
  • Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016
  • Implementing Multi-Factor Authentication
  • Information Security Manual
  • Mergers, Acquisitions and Machinery of Government Changes.

Capabilities

This design is part of the following capability:

  • CAP47: IT Service Management
