Legacy System Risk Assessment
Plain English Translation
Not all software or hardware can be updated automatically. When an organization has systems incapable of automatic patching, it must formally evaluate the security risk these legacy systems pose. This patch management risk assessment helps business leaders decide whether it is safer and more cost-effective to replace the outdated technology entirely, or to keep it running while adding strong compensating controls to reduce the chance of compromise.
Technical Implementation
Required Actions (startup)
- Identify and list any hardware or software that does not support automatic updates.
- Perform a basic evaluation to see if affordable, modern replacements exist for these systems.
- Document any decisions to keep unpatchable systems, noting why they are necessary for business operations.
Required Actions (scaleup)
- Utilize an end-of-life software risk assessment template to standardize the evaluation of legacy systems.
- Implement compensating controls like firewalls or network isolation for any system that cannot be patched.
- Record legacy system risks in the corporate risk register and assign a risk owner.
Required Actions (enterprise)
- Enforce strict network segmentation and zero-trust access policies for all legacy applications.
- Integrate legacy system risk assessments into the annual IT budget cycle to plan for phased replacements.
- Monitor unpatchable systems continuously with advanced threat detection to catch exploitation attempts immediately.
A legacy system risk assessment is a formal process of identifying and evaluating the security dangers posed by outdated hardware or software. It specifically focuses on systems that no longer receive support or lack automatic patching capabilities, determining the likelihood and impact of those vulnerabilities being exploited.
To assess the risk, organizations should evaluate the sensitivity of the data the system handles, its connectivity to the internet or other internal networks, and the severity of its known vulnerabilities. This helps quantify the potential impact of a breach versus the operational cost of replacing the system.
A legacy system should be replaced when the cost of implementing and maintaining compensating controls exceeds the cost of a new system, or when the residual risk remains unacceptably high. Systems handling highly sensitive data or those exposed directly to the internet should almost always be prioritized for replacement.
Acceptable compensating controls for unpatchable systems include strict network segmentation, placing the system behind dedicated internal firewalls, removing internet access, enforcing multi-factor authentication for access, and utilizing enhanced monitoring to detect anomalous behavior.
Organizations should reassess risk for legacy systems at least annually. A reassessment should also be triggered whenever a new critical vulnerability is discovered in the legacy system or when there are major changes to the network architecture.
Risk register entries for legacy systems should clearly identify the asset, the specific vulnerability (e.g., incapable of automatic patching), the inherent risk score, the compensating controls applied, the residual risk score, and the designated risk owner responsible for the asset. Tools like WatchDog Security's Risk Register can help maintain consistent fields, approvals, and review cadences so exceptions don’t become permanent technical debt.
Auditors expect a formal patch management exception process that includes a completed risk assessment report, active risk register entries, and technical evidence demonstrating that compensating controls (like network isolation) are functioning as intended. Tools like WatchDog Security's Compliance Center can help organize those artifacts by control and track evidence collection status over time.
Network segmentation for legacy systems involves moving the vulnerable assets into their own restricted network zone. This prevents an attacker who successfully compromises the unpatchable system from moving laterally to access the organization's broader network or sensitive databases.
Under CyberSecure Canada Section 5.2.2.3, the organization shall perform a risk assessment to determine whether to replace systems incapable of automatic patching. This ensures business leaders actively decide on replacing the system or accepting and mitigating the associated risks.
Prioritize legacy system replacement by analyzing the risk register to identify the systems with the highest residual risk scores. Focus first on systems that are internet-facing, process sensitive customer data, or lack adequate compensating controls.
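The scoring, risk register fields and prioritization described above can be made concrete in a small model. The following is an added example, not code from this page or from WatchDog Security's products; the 1-5 scales for sensitivity, exposure and severity, the reduction factor assigned to each compensating control, the treatment thresholds and the sample inventory are all assumptions chosen for illustration, and an organization would substitute its own scoring scheme.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Ordinal 1-5 scales for the three factors the assessment evaluates:
# data sensitivity, connectivity/exposure and severity of known vulnerabilities.
# The scale values and the control factors below are assumptions for illustration.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 4, "restricted": 5}
EXPOSURE = {"isolated": 1, "internal": 3, "internet_facing": 5}
SEVERITY = {"low": 1, "medium": 2, "high": 4, "critical": 5}

# Compensating controls and the assumed factor each applies to inherent risk.
CONTROL_FACTORS = {
    "network_segmentation": 0.5,
    "internal_firewall": 0.7,
    "no_internet_access": 0.5,
    "mfa": 0.8,
    "enhanced_monitoring": 0.8,
}

REVIEW_INTERVAL = timedelta(days=365)  # reassess at least annually


@dataclass
class LegacyAsset:
    asset: str
    sensitivity: str
    exposure: str
    severity: str
    risk_owner: str
    last_reviewed: date
    controls: list = field(default_factory=list)
    vulnerability: str = "incapable of automatic patching"


def inherent_risk(a: LegacyAsset) -> int:
    """Risk before controls: impact (sensitivity) x likelihood (exposure x severity)."""
    return SENSITIVITY[a.sensitivity] * EXPOSURE[a.exposure] * SEVERITY[a.severity]


def residual_risk(a: LegacyAsset) -> int:
    """Risk after applying the factor of every compensating control in place."""
    factor = 1.0
    for c in a.controls:
        factor *= CONTROL_FACTORS[c]  # an unknown control name raises KeyError on purpose
    return round(inherent_risk(a) * factor)


def treatment(a: LegacyAsset) -> str:
    """Replace when residual risk stays high or the asset is internet-facing with
    sensitive data; otherwise keep it with controls (mitigate) or accept the risk."""
    r = residual_risk(a)
    if r >= 25 or (a.exposure == "internet_facing" and SENSITIVITY[a.sensitivity] >= 4):
        return "replace"
    return "mitigate" if r >= 10 else "accept"


def needs_reassessment(a: LegacyAsset, today: date,
                       new_critical_vuln: bool = False, network_change: bool = False) -> bool:
    """Annual review, or sooner on a new critical vulnerability or a network redesign."""
    return (today - a.last_reviewed >= REVIEW_INTERVAL) or new_critical_vuln or network_change


def register_entry(a: LegacyAsset) -> dict:
    """The risk register fields listed above for a legacy-system exception."""
    return {
        "asset": a.asset,
        "vulnerability": a.vulnerability,
        "inherent_risk": inherent_risk(a),
        "compensating_controls": list(a.controls),
        "residual_risk": residual_risk(a),
        "risk_owner": a.risk_owner,
        "treatment": treatment(a),
        "next_review": a.last_reviewed + REVIEW_INTERVAL,
    }


def prioritize(assets):
    """Highest residual risk first; internet-facing assets win ties."""
    return sorted(assets,
                  key=lambda a: (residual_risk(a), a.exposure == "internet_facing"),
                  reverse=True)


# Constructed sample inventory (hypothetical assets, not from any real organization).
ASSETS = [
    LegacyAsset("plant-hmi-01", "internal", "internet_facing", "critical",
                "ops-lead", date(2025, 2, 1)),
    LegacyAsset("erp-legacy", "restricted", "internal", "high",
                "cfo", date(2025, 12, 1),
                controls=["network_segmentation", "mfa", "enhanced_monitoring"]),
    LegacyAsset("lab-scanner", "confidential", "isolated", "medium",
                "lab-manager", date(2025, 12, 1),
                controls=["no_internet_access"]),
]

if __name__ == "__main__":
    for a in prioritize(ASSETS):
        print(register_entry(a))
```

Running the block prints the register entries in replacement priority order: the unsegmented internet-facing workstation keeps its full inherent score and is flagged for replacement, the segmented ERP system drops from 60 to 19 and stays as a mitigated exception, and the isolated scanner is a candidate for accepted risk. The `needs_reassessment` check encodes the two triggers from the page: the annual cadence and an out-of-cycle review when a new critical vulnerability or a network change occurs.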
Legacy systems that can’t auto-patch often require an explicit exception process so the business can decide to replace, isolate, or accept the residual risk. Tools like WatchDog Security's Risk Register can help document each exception with risk scoring, a named risk owner, compensating controls, a treatment plan (replace vs mitigate), and a scheduled review date for ongoing governance.
Audit-ready evidence typically includes the risk assessment report, the decision rationale (replace vs mitigate), approvals, and proof that compensating controls are operating. Tools like WatchDog Security's Compliance Center can help link those artifacts and evidence checks directly to CSC-05-007, track gaps, and simplify auditor requests by keeping evidence organized by control.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-25 | WatchDog Security GRC Team | Initial publication |