Australian Government Architecture

Managing the risks of legacy ICT: executive guidance

Direct link: www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/legacy-it-management/managing-risks-legacy-it-executive-guidance
Responsible agency: Australian Signals Directorate
Last updated: 12 June 2024

Legacy ICT is defined in the Department of Home Affairs’ Protective Security Policy Framework (PSPF) as a collection of ICT (i.e. hardware, software, services, protocols, and/or systems) that are considered end-of-life or out of support, as well as either:

  • impractical to update or support internally
  • no longer cost-effective
  • above the current acceptable risk threshold 
  • diminishing business utility 
  • no longer aligned with, or obstructive to, the entity’s ICT strategies.

This publication provides guidance for organisations on mitigating the risks posed by legacy ICT within their ICT environments, as its presence has been linked to an increased risk of cyber security incidents.

It also sets out low-cost mitigations for legacy ICT that organisations can draw upon, in addition to their own strategies. However, the mitigations suggested in this document provide only temporary risk reduction. It is therefore very important that all organisations strive to implement a clear strategy for managing legacy ICT now and into the future, i.e. across the whole ICT lifecycle.

While this guidance is primarily intended for Australian Government entities, it can be used by any organisation to manage the risks of legacy ICT within their ICT environments. 

This guidance should be read alongside other technical guidance from the Australian Signals Directorate (ASD), including:

  • End of Support for Microsoft Windows and Microsoft Windows Server 
  • Gateway Security Guidance Package: Gateway Operations and Management 
  • Information Security Manual 
  • Mergers, Acquisitions and Machinery of Government Changes 
  • Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016 
  • Implementing Multi-Factor Authentication.

Capabilities

This design is part of the following capability.
CAP47

IT Service Management
