Australia: ASD publishes guide on managing legacy IT risks

On June 12, 2024, the Australian Signals Directorate (ASD) released an updated guide titled 'Managing the Risks of Legacy IT: Practitioner Guidance.' The guide offers practical advice for organizations on mitigating the cybersecurity risks associated with using outdated information technology (IT) systems, also known as legacy IT.

Managing legacy IT throughout its lifecycle

The guide encourages organizations to plan for the depreciation of their IT systems by:

  • communicating the risks of legacy IT to business units, emphasizing impacts on service delivery, productivity, and public confidence;
  • maintaining an accurate register of IT assets and understanding their dependencies;
  • considering the whole lifecycle costs of IT during procurement and planning for eventual replacement; and
  • regularly reviewing the IT environment for systems nearing end-of-life or already depreciated and monitoring critical staff availability.

Temporary mitigation strategies

The guide notes that legacy IT systems pose significant cybersecurity risks, increasing the likelihood and impact of cyber incidents. The guide emphasizes that the best way to manage these risks is to replace outdated systems before they become legacy. For organizations unable to immediately replace legacy IT, the guide suggests several temporary measures including:

  • isolating legacy systems to prevent broader network access;
  • removing default accounts, restricting user privileges, and disabling unnecessary services;
  • implementing multifactor authentication where possible, especially for critical systems;
  • reducing the attack surface by blocking insecure file types and using modern web browsers;
  • increasing monitoring and logging as well as centralizing log storage to detect malicious activity; and
  • restricting legacy system availability to necessary times and monitoring them closely when active.

You can read the guide here.