Preventative Maintenance Policy

Version: 1.00
Issue Date: 9/29/2015

This Preventative Maintenance Policy ensures that equipment is properly maintained throughout the organization.

1.0 Overview

This Preventative Maintenance Policy will help ensure that equipment and systems are properly maintained throughout the organization.

2.0 Purpose

This Preventative Maintenance Policy requires preventative maintenance to be considered during system design.

3.0 Scope

This Preventative Maintenance Policy applies to all systems and equipment in the organization, and preventative maintenance must be considered for all projects. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Preventative Maintenance Requirements

  • COBIT requires that all requests for preventative maintenance of hardware are preceded by a formal cost benefit analysis. I disagree with this since the cost of maintenance should be considered at the time of design of systems that will require maintenance. To require a formal cost benefit analysis after the project design phase is like asking for a cost benefit analysis to change the oil on a car every 3000 miles. Any cost benefit analysis should start early in the project lifecycle.
  • There should be a preventative maintenance plan and all components that are critical to business operation must be included in the plan.
  • The preventative maintenance plan must include procedures to ensure that maintenance tasks are performed on schedule.
  • Preventative maintenance must meet the requirements and recommendations of hardware vendors, and procedures must reflect this.
  • Preventative maintenance tasks must be performed by qualified personnel and be under supervision when applicable, and procedures must reflect this.
  • All preventative maintenance tasks must be logged and the log must be kept and checked regularly by management to ensure the tasks were completed and completed properly.
  • Maintenance tasks must include procedures that detail the process so that maintenance personnel know what is required; additional action outside the procedures should not be required. Maintenance personnel should have their actions confined to assigned tasks through a combination of monitoring, procedures, and physical and logical access controls.
  • Preventative maintenance procedures must require the use of parts approved by the manufacturer of the equipment they are used in. Any use of other parts must be approved by management and the impact on the manufacturer's warranty must be determined.

5.0 Maintenance Contracts

  • Maintenance contracts must allow coverage to be adjusted when equipment is modified, added, or removed.
  • When third parties are allowed access to organizational facilities or equipment, a formal contract must exist. The formal contract must define security conditions so that all organizational security standards and policies are complied with.
  • All maintenance contracts must be monitored so their expiration times are known and renewals may be processed in a timely manner.
  • The information technology department must ensure all maintenance contracts related to or supporting information technology are consistent with the needs of the organization.
  • All maintenance contracts must have a cost benefit analysis done to ensure the cost of the contract is justified over other alternatives such as replacement.
  • Software programs used to maintain or monitor systems must be evaluated to determine their security risk to the system and the organization. The possibility and ways that unauthorized use may occur must be evaluated.

6.0 Utility Programs with Security Issues

  • Utility programs to be used for preventative maintenance must be evaluated to determine their security risk and how easy it would be for security of systems or data to be compromised through unauthorized use. If the software presents security concerns, it must be noted in the software inventory and labeled so users are aware of it.
  • Use of system utilities with security concerns must be logged. The log integrity must be assured. The use of the utilities must be monitored when security concerns warrant it.
  • Procedures for monitoring and verifying the use of utilities with security concerns must exist and be used. The procedures must provide for authorization of use of the utilities.
  • Training must be provided for operators of maintenance utilities with security concerns so the operators are aware of risks and proper use of the program.

7.0 Enforcement

Since following the Preventative Maintenance Policy is important for the stability of the organization, employees who purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

8.0 Other Policies

  • Development Life Cycle Policy

9.0 Additional Requirements

  • Organizational preventative maintenance plan
  • Procedures to ensure that maintenance tasks are performed on schedule.


Approved by:__________________________ Signature:_____________________ Date:_______________