MAINTENANCE POLICY
Policy: Maintenance
Policy Owner: CIO
Change Management
Original Implementation Date: 8/30/2017
Effective Date: 8/30/2017
Revision Date:
Approved By:
Crosswalk
NIST Cybersecurity Framework (CSF) PR.MA
NIST SP 800-53 Security Controls MA-2, MA-3, MA-4, MA-5, MA-6
NIST SP 800-171 Protecting Controlled Unclassified Information 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6
Center for Internet Security Critical Security Controls 5, 8, 11, 12
Payment Card Industry Data Security Standard (PCI DSS) v3.2
Procedure Mapping

PURPOSE

To provide Pomona College with guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity, and availability of Pomona College assets and information.

POLICY

Pomona College performs maintenance on the Pomona College system, its system components, and any assets providing security functionality to the system and its components. Proper maintenance is essential to the performance and availability of the Pomona College system.

ASSET MAINTENANCE

v Pomona College:
Ø Schedules, performs, documents, and reviews records of maintenance and repairs on the Pomona College system’s components in accordance with manufacturer or vendor specifications and/or organizational requirements
Ø Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location
Ø Requires that the Security Official, or designee, explicitly approve the removal of the system or system components from Pomona College facilities for off-site maintenance or repairs
Ø Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions
Ø Includes the following in Pomona College maintenance records:
§ Date and time of maintenance
§ Name of individuals or groups performing the maintenance
§ Name of escort, if necessary
§ A description of the maintenance performed
§ System components/equipment removed or replaced, including the identification number, if applicable

v Pomona College approves, controls, and monitors system maintenance tools.
Ø Maintenance tools carried into the facility by maintenance personnel are inspected for improper or unauthorized modifications.
§ If, upon inspection of the maintenance tools, Pomona College determines that the tools have been modified in an improper or unauthorized manner or that they contain malicious code, the incident is handled consistent with the Pomona College Incident Response Plan.
Ø Pomona College checks media containing diagnostic and test programs for malicious code before the media are used in the Pomona College system.
§ If, upon inspection of media containing diagnostic and test programs, Pomona College determines that the media contain malicious code, the incident is handled consistent with the Pomona College Incident Response Plan.

v Pomona College:
Ø Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations and personnel
Ø Ensures that non-escorted personnel performing maintenance on the Pomona College system have the required access authorizations
Ø Designates Pomona College personnel with the required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations

v Normally, Pomona College obtains maintenance support and/or spare parts for critical system components within 24 hours of failure.

REMOTE MAINTENANCE

v Pomona College:
Ø Approves and monitors remote maintenance and diagnostic activities
Ø Allows the use of remote maintenance and diagnostic tools only as consistent with Pomona College policy and documented in the security plan for the Pomona College system
Ø Employs strong multifactor authenticators in the establishment of remote maintenance and diagnostic sessions
§ Where multifactor authentication is not supported, authentication shall require the use of long passwords of more than 14 characters
Ø Maintains records of remote maintenance and diagnostic activities
Ø Terminates sessions and network connections when remote maintenance is completed

v Pomona College:
Ø Audits remote maintenance and diagnostic sessions
Ø Reviews the records of the remote maintenance and diagnostic sessions

v Pomona College documents the policies and procedures for the establishment and use of remote maintenance and diagnostic connections in the security plan for the Pomona College system.