Finding #11

Description *

Priority (1-4) Category 1 Category 2

Formatted Text *

Running Unsupported VMware with No Access to Security Patches

Severity Level: Priority 1
Category: Infrastructure / Compliance

Description:
The bank operates VMware vSphere 7, which is not end-of-life until April 2, 2027, for general support. However, following Broadcom's acquisition, security patches and updates are restricted to customers with active paid support contracts, costing approximately $5,000 per server. The bank's lack of a valid support contract results in no access to critical security patches, leading to significant examiner concerns and risking audit scores of 3 or 4.

Impact:

Increased security risks from unpatched vulnerabilities due to lack of access to security patches.
Regulatory penalties and poor audit scores due to non-compliance with supported software requirements.
Financial burden from potential fines or forced licensing costs.

FFIEC Reference:

FFIEC IT Examination Handbook (November 2016):

"Software must be licensed and supported to ensure compliance and security." (p. 40)
"Unsupported software increases regulatory and operational risks." (p. 42)

Recommendations:

Initiate Hyper-V Migration: Begin immediate transition to Hyper-V to eliminate licensing and support issues.

Plan Budget: Allocate resources for Hyper-V implementation.

<h2 style="margin: 0in; font-size: 14pt; font-family: Arial, sans-serif; color: rgb(89, 89, 89); letter-spacing: 0.25pt;">Running Unsupported VMware with No Access to Security Patches<o:p></o:p></h2>Severity Level: Priority 1 Category: Infrastructure / Compliance Description: The bank operates VMware vSphere 7, which is not end-of-life until April 2, 2027, for general support. However, following Broadcom's acquisition, security patches and updates are restricted to customers with active paid support contracts, costing approximately $5,000 per server. The bank's lack of a valid support contract results in no access to critical security patches, leading to significant examiner concerns and risking audit scores of 3 or 4. Impact:<o:p></o:p><ul type="disc" style="margin-bottom: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Increased security risks from unpatched vulnerabilities due to lack of access to security patches.<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Regulatory penalties and poor audit scores due to non-compliance with supported software requirements.<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Financial burden from potential fines or forced licensing costs.<o:p></o:p></li></ul>FFIEC Reference:<o:p></o:p><ul type="disc" style="margin-bottom: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">FFIEC IT Examination Handbook (November 2016):<o:p></o:p></li><ul type="circle" style="margin-bottom: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">"Software must be licensed and supported to ensure compliance and security." (p. 40)<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">"Unsupported software increases regulatory and operational risks." (p. 42)<o:p></o:p></li></ul></ul>Recommendations:<o:p></o:p><ul type="disc" style="margin-bottom: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Initiate Hyper-V Migration: Begin immediate transition to Hyper-V to eliminate licensing and support issues.<o:p></o:p></li></ul>Plan Budget: Allocate resources for Hyper-V implementation.

Back to list