Policy: Maintenance
Policy Owner: CIO

Change Management
Original Implementation Date: 8/30/2017
Effective Date: 8/30/2017
Revision Date:
Approved By:

Crosswalk
NIST Cyber Security Framework (CSF): PR.MA
NIST SP 800-53 Security Controls: MA-2, MA-3, MA-4, MA-5, MA-6
NIST SP 800-171 Protecting Controlled Unclassified Information: 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6
Center for Internet Security Critical Security Control: 5, 8, 11, 12
Payment Card Industry Data Security Standard (PCI DSS) v3.2: –

Procedure Mapping
PURPOSE
To provide Pomona College with guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity, and availability of Pomona College assets and information.
POLICY
Pomona College performs maintenance on the Pomona College system, system components and any assets providing security functionality to the system and its components. Proper maintenance is essential to the performance and availability of the Pomona College system.
ASSET MAINTENANCE
- Pomona College:
  - Schedules, performs, documents, and reviews records of maintenance and repairs on the Pomona College system's components in accordance with manufacturer or vendor specifications and/or organizational requirements
  - Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location
  - Requires that the Security Official, or designee, explicitly approve the removal of the system or system components from Pomona College facilities for off-site maintenance or repairs
  - Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions
  - Includes the following in Pomona College maintenance records:
    - Date and time of maintenance
    - Name of individuals or groups performing the maintenance
    - Name of escort, if necessary
    - A description of the maintenance performed
    - System components/equipment removed or replaced, including the identification number, if applicable
- Pomona College approves, controls, and monitors system maintenance tools.
  - Maintenance tools carried into the facility by maintenance personnel are inspected for improper or unauthorized modifications.
    - If, upon inspection of the maintenance tools, Pomona College determines that the tools have been modified in an improper or unauthorized manner or that they contain malicious code, the incident is handled consistent with the Pomona College Incident Response Plan.
  - Pomona College checks media containing diagnostic and test programs for malicious code before the media are used in the Pomona College system.
    - If, upon inspection of media containing diagnostic and test programs, Pomona College determines that the media contain malicious code, the incident is handled consistent with the Pomona College Incident Response Plan.
- Pomona College:
  - Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations and personnel
  - Ensures that non-escorted personnel performing maintenance on the Pomona College system have required access authorizations
  - Designates Pomona College personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations
- Normally, Pomona College obtains maintenance support and/or spare parts for critical system components within 24 hours of failure.
REMOTE MAINTENANCE
- Pomona College:
  - Approves and monitors remote maintenance and diagnostic activities
  - Allows the use of remote maintenance and diagnostic tools only as consistent with Pomona College policy and documented in the security plan for the Pomona College system
  - Employs strong multifactor authenticators in the establishment of remote maintenance and diagnostic sessions
    - Where multifactor authentication is not supported, authentication shall require the use of long passwords in excess of 14 characters
  - Maintains records of remote maintenance and diagnostic activities
  - Terminates session and network connections when remote maintenance is completed
- Pomona College:
  - Audits remote maintenance and diagnostic sessions
  - Reviews the records of the remote maintenance and diagnostic sessions
- Pomona College documents the policies and procedures for the establishment and use of remote maintenance and diagnostic connections in the security plan for the Pomona College system.