The following article explains the portions of the Maintenance Management Policy that we frequently see questions about and what each section means.
Guidance statements appear in bold, enclosed in brackets “[ ]”, below the policy statements they explain.
Maintenance Management Policy
[COMPANY NAME]
____________________________________________________________________________
Purpose
To ensure that [COMPANY NAME]’s IT resources are maintained in compliance with security policies, standards, and procedures.
Roles and Responsibilities
<ROLES AND RESPONSIBILITIES>
[Please see here for more guidance on roles and responsibilities: https://help.drata.com/en/articles/5829670-roles-and-responsibilities-guidance. For example, “Who is responsible for updating, reviewing, and maintaining this policy?” The statement may become “The CISO is responsible for updating, reviewing, and maintaining this policy.”]
Policy
Controlled Maintenance
[COMPANY NAME] will ensure that maintenance:
Addresses the information security aspects of the information system maintenance program.
Applies to all types of maintenance on any system component, whether conducted by [COMPANY NAME] personnel or third-party entities.
[COMPANY NAME] will:
Schedule, perform, document, and review records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or requirements, whether the work is conducted by internal or external IT entities.
Approve and monitor all maintenance activities, onsite or remote.
[These statements are saying you will define and follow a schedule for regular maintenance of all IT systems based on manufacturer or vendor guidelines, and that every maintenance activity, whether performed onsite or remotely and whether by your own staff or a vendor, must be approved before it starts, monitored while it happens, and recorded afterward.]
Ensure that system owners explicitly approve the removal of the information system or system components from facilities for off-site maintenance or repairs.
For off-site maintenance or repairs, sanitize equipment to remove all information from associated media prior to removal from [COMPANY NAME] facilities.
[These statements are saying that equipment may not leave your facilities for off-site repair without the explicit approval of the system owner, and that before it leaves, any storage media on it must be sanitized so that no [COMPANY NAME] information is handed to the repair vendor. Keep a record of who approved the removal and how the media was sanitized.]
Check all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
Include IT and system owner’s defined maintenance-related information in maintenance records.
[These statements are saying that after any maintenance or repair work that could affect a security control (for example, a patch, firmware update, or hardware swap), you must verify that the affected controls still work correctly before returning the system to normal use, and that the maintenance record captures whatever details IT and the system owner have defined as required.]
Include the following information in maintenance records of components not directly associated with information processing (e.g., scanners, copiers, and printers): date and time of maintenance, who performed the maintenance, what maintenance was performed, and what components were replaced or removed, including identification/serial numbers as applicable.
[This section is saying that peripheral devices such as printers and copiers need maintenance records too, and that each record should capture at least the date and time, the person who did the work, what was done, and any parts replaced or removed (with serial numbers). The maintenance record tracks maintenance history and ensures accountability.]
Maintenance Tools
[COMPANY NAME] will ensure that maintenance tools, such as hardware/software diagnostic test equipment and packet sniffers, are approved by system owners or their designees prior to use, to prevent malicious code from being carried into a facility and subsequently into organizational information systems.
[COMPANY NAME] will:
Ensure that system owners and appropriate IT personnel approve, control, and monitor information system maintenance tools.
Inspect the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Check media containing diagnostic and test programs for malicious code before the media are used in the information system.
[This section is saying that any maintenance tool must be approved by the appropriate authority within the organization (e.g., the system owner or designated IT personnel) before it is used. Approval is not the only step: tools brought into a facility by maintenance personnel should be inspected for unauthorized modifications, and any media carrying diagnostic or test software should be scanned for malicious code before it touches an information system. The approval process may also consider the tool’s potential impact on the system and its compliance with relevant regulations and industry standards.]
Remote Maintenance
[COMPANY NAME] will:
Approve and monitor remote maintenance and diagnostic activities.
Allow the use of remote maintenance and diagnostic tools only as consistent with policy and documented in the security plan for the information system.
Employ strong authenticators in the establishment of remote maintenance and diagnostic sessions.
Maintain records for remote maintenance and diagnostic activities.
Terminate sessions and network connections when remote maintenance is completed.
Document in the security plan for the information system, the policies and procedures for the establishment and use of remote maintenance and diagnostic connections.
[This section is saying that remote maintenance and diagnostic access must be pre-approved by the appropriate authorities within the organization and used only as documented in the system’s security plan. Remote sessions must be established with strong authenticators (for example, multi-factor authentication rather than a shared password), monitored and logged while they are active, and terminated, along with the network connection, as soon as the work is complete. The procedures for setting up and using these connections belong in the security plan for the information system.]
Maintenance Personnel
[COMPANY NAME] will:
Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel.
Ensure that non-escorted personnel performing maintenance on the information system have required access authorizations.
Designate personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
[This section is saying that organizations should maintain an up-to-date roster of authorized maintenance organizations and individuals, that anyone performing maintenance unescorted must hold verified, current access authorizations, and that anyone without those authorizations must be supervised by a designated employee who has both the required access and the technical competence to understand what the maintenance personnel are doing.]
Timely Maintenance
[COMPANY NAME] will obtain maintenance support and/or spare parts for information systems as agreed upon within the service level agreement between IT and the system owner.
[System owners should establish a service level agreement (SLA) with IT, documenting the level of maintenance and spare parts support provided. This ensures both parties understand their obligations and expectations for support.]
Revision History
Version | Date | Editor | Approver | Description of Changes | Format |