Control: The organization develops, disseminates and periodically reviews/updates:
Control Enhancements: None.
Control Recommendations:
Low: MA-1
Moderate: MA-1
High: MA-1
Control: The organization schedules, performs and documents routine preventive and regular maintenance on the components of the information system in accordance with manufacturer or vendor specifications and/or organizational requirements.
Supplemental Guidance: Appropriate organizational officials approve the removal of the information system or information system components from the facility when repairs are necessary. If the information system or component of the system requires off-site repair, the organization removes all information from associated media using approved procedures. After maintenance is performed on the information system, the organization checks the security features to ensure that they are still functioning properly.
Control Enhancements:
(1) The organization maintains a maintenance log for the information system that includes:
(2) The organization employs automated mechanisms to ensure that:
Control Recommendations:
Low: MA-2
Moderate: MA-2 (1)
High: MA-2 (1) (2)
Control: The organization approves, controls and monitors the use of information system maintenance tools and maintains the tools on an ongoing basis.
Supplemental Guidance: None.
Control Enhancements:
(1) The organization inspects all maintenance tools (e.g., diagnostic and test equipment) carried into a facility by maintenance personnel for obvious improper modifications.
(2) The organization checks all media containing diagnostic test programs (e.g., software or firmware used for system maintenance or diagnostics) for malicious code before the media are used in the information system.
(3) The organization checks all maintenance equipment with the capability of retaining information to ensure that no organizational information is written on the equipment or the equipment is appropriately sanitized before release. If the equipment cannot be sanitized, it remains within the facility or is destroyed, unless an appropriate organization official explicitly authorizes an exception.
(4) The organization employs automated mechanisms to ensure that only authorized personnel use maintenance tools.
Control Recommendations:
Low: Not Selected
Moderate: MA-3
High: MA-3 (1) (2) (3)
Control: The organization approves, controls and monitors remotely executed maintenance and diagnostic activities.
Supplemental Guidance: The organization describes the use of remote diagnostic tools in the security plan for the information system. The organization maintains maintenance logs for all remote maintenance, diagnostic and service activities. Appropriate organization officials periodically review maintenance logs. Other techniques to consider for improving the security of remote maintenance include:
When remote maintenance is completed, the organization (or information system in certain cases) terminates all sessions and remote connections. If a non-University employee uses password-based authentication during remote maintenance, the organization changes the passwords following each remote maintenance service. For high-impact information systems, if remote diagnostic or maintenance services are required from a service or organization that does not implement for its own information system the same level of security as that implemented on the system being serviced, the system being serviced is sanitized and physically separated from other information systems before the connection of the remote access line. If the information system cannot be sanitized (e.g., due to a system failure), remote maintenance is not allowed.
Control Enhancements:
(1) The organization audits all remote maintenance sessions.
(2) The organization audits all remote maintenance sessions, and appropriate organizational personnel review the audit logs of the remote sessions.
(3) The organization addresses the installation and use of remote diagnostic links in the security plan for the information system.
(4) Remote diagnostic or maintenance services are acceptable if performed by a service or an organization that implements for its own information system the same level of security as that implemented on the information system being serviced.
Control Recommendations:
Low: MA-4
Moderate: MA-4 (1)
High: MA-4 (2) (3) (4)
Control: The organization maintains a list of University personnel, vendors or contractors authorized to perform maintenance on the information system. Only authorized University personnel, vendors or contractors perform maintenance on the information system.
Supplemental Guidance: Maintenance personnel have appropriate access authorizations to the information system when maintenance activities allow access to organizational information. When maintenance personnel do not have needed access authorizations, organizational personnel with appropriate access authorizations supervise maintenance personnel during the performance of maintenance activities on the information system.
Control Enhancements:
(1) The organization maintains a list of individual vendor or contractor personnel authorized to perform maintenance on the information system.
Control Recommendations:
Low: MA-5
Moderate: MA-5
High: MA-5 (1)
Control: The organization obtains maintenance support and/or sufficient spare parts to meet business availability requirements.
Supplemental Guidance: None
Control Enhancements: None
Control Recommendations:
Low: Not Selected
Moderate: MA-6
High: MA-6
Content reviewed on July 3, 2006 by Jeff Webster
Page last modified
July 17, 2006
by cawalker