Maintenance Controls(from NIST)
This maintenance control list and description are meant to tie maintenance controls to an activity or behavior. For NIST's descriptions, see NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems.
- System maintenance policy and procedures - The organization develops and keeps current policies and procedures regarding maintenance of various components of their computer systems and information technology infrastructure. This control in intended to ensure that maintenance of systems or the tools used are not used to compromise the system or data. The policies and procedures should document roles, responsibilies, scope, and compliance controls to ensure the policy is followed. The policies may specify how maintenance is securely done both locally and remotely. It may require additional security controls for remote maintenance. (low)
- Periodic maintenance - Regular maintenance of the computer system components is performed including hardware replacements or upgrades, operating system patches, BIOS patches, and patches or upgrades to applications. Manufacturer and vendor requirements should be adhered to. A maintenance log for all equipment and software should be maintained. (low)
- Maintenance tools - Maintenance tools may include diagnostic programs or other diagnostic equipment. All media and tools used should be inspected for malicious code or functionality on a periodic basis. There should be no storage of confidential information from the organization on the maintenance tools. (moderate)
- Remote maintenance - The use of remote maintenance tools is monitored and controlled and maintenance logs are kept which are periodically reviewed. Enhancements to improve security of remote maintenance may include stronger authentication techniques, encryption of data sent between the system and the maintenance tool, and termination of all remote sessions and connections when remote maintenance is complete. (low)
- Maintenance personnel - A list of maintenance personnel authorized to perform maintanence on each system is kept updated. (low)
- Timely maintenance - Spare parts are kept for critical components and repairs are made quickly. (moderate)