Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Maintenance

From LIMSWiki

Appendix 1.9 Maintenance

MA-1 Policy and procedures

This control recommends the organization develop, document, disseminate, review, and update system maintenance policies and procedures. It asks organizations not only to address the purpose, scope, roles, responsibilities, and enforcement of system maintenance actions, but also to address how those policies and procedures will be implemented, reviewed, and updated.

Additional resources:

MA-2 Controlled maintenance

This control recommends the organization apply a "controlled maintenance" approach to its system. Maintenance should be regularly scheduled, performed, and thoroughly documented, and it should be consistent with manufacturer, vendor, or organizational requirements. Maintenance activities should go through an approval and monitoring process whether conducted on- or off-site; any equipment sent off-site requires proper data sanitization beforehand. After maintenance, the affected components and the system should be checked to ensure that all implemented controls still function as expected.

Additional resources:

MA-2 (2) Controlled maintenance: Automated maintenance activities

This control enhancement recommends the organization employ (or ensure the system employs) some type of automation in scheduling, conducting, and/or documenting maintenance and repairs. That automated process should also ensure that all related records are complete and accurate with regard to requested, scheduled, in-process, and completed maintenance and repair actions.

Additional resources:

MA-4 Nonlocal maintenance

This control recommends the organization place strong controls on nonlocal maintenance and diagnostics of the system or its components. "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network." Those controls include approving, monitoring, and thoroughly documenting nonlocal maintenance; ensuring the tools used in the process are documented and consistent with organizational policy; ensuring strong authenticators are employed during such maintenance sessions; and ensuring those sessions and their network connections are terminated upon completion of maintenance activities.

Additional resources:

MA-4 (6) Nonlocal maintenance: Cryptographic protection

This control enhancement recommends the system provide cryptographic mechanisms that protect the confidentiality and integrity of maintenance and diagnostic data and communications accessed nonlocally.

Additional resources:
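The MA-4 and MA-4 (6) requirements above (approved and documented sessions, strong authenticators, terminated connections, cryptographic protection of the session) are the kind of thing an auditor checks against a jump host's session records. The following is an added example, not code from LIMSWiki or NIST: it parses a constructed key=value session log from a hypothetical maintenance jump host and flags sessions that fail those requirements. The ticket allow-list, the set of authenticators counted as strong, the cipher allow-list, and the two-hour maximum session length are all assumptions chosen for the illustration.

```python
"""Audit nonlocal maintenance session records against MA-4 / MA-4(6)-style
requirements. Added example with constructed data; nothing here is taken
from a real system."""
from datetime import datetime, timedelta

# Constructed log lines (assumption: a jump host that emits one key=value
# line per event, with an ISO-8601 UTC timestamp first).
SAMPLE_LOG = """\
2024-03-04T09:00:12Z event=session_start session=s1 user=vendor.alice ticket=MNT-1041 auth=pubkey+totp proto=ssh cipher=chacha20-poly1305@openssh.com
2024-03-04T09:42:50Z event=session_end session=s1
2024-03-04T10:15:03Z event=session_start session=s2 user=vendor.bob ticket=MNT-1042 auth=password proto=ssh cipher=aes256-gcm@openssh.com
2024-03-04T10:30:00Z event=session_end session=s2
2024-03-04T11:02:44Z event=session_start session=s3 user=vendor.carol ticket=MNT-9999 auth=pubkey+totp proto=ssh cipher=aes128-ctr
2024-03-04T13:20:11Z event=session_start session=s4 user=vendor.dave ticket=MNT-1043 auth=pubkey+totp proto=tls proto_version=TLSv1.0 cipher=AES128-SHA
2024-03-04T13:25:11Z event=session_end session=s4
"""

# Policy inputs (all assumptions for the example).
APPROVED_TICKETS = {"MNT-1041", "MNT-1042", "MNT-1043"}   # approved maintenance requests
STRONG_AUTH = {"pubkey+totp", "pubkey+fido2", "smartcard"}  # multi-factor authenticators
APPROVED_CIPHERS = {"chacha20-poly1305@openssh.com",        # AEAD ciphers only
                    "aes256-gcm@openssh.com", "aes128-gcm@openssh.com"}
MIN_TLS = "TLSv1.2"
MAX_SESSION = timedelta(hours=2)  # sessions must be closed within this window


def _ts(value):
    """Parse a 'Z'-suffixed ISO-8601 timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _tls_version(label):
    """'TLSv1.0' -> (1, 0); unknown/missing -> (0, 0) so it fails the minimum."""
    try:
        return tuple(int(p) for p in label.removeprefix("TLSv").split("."))
    except ValueError:
        return (0, 0)


def parse_log(text):
    """Group start/end events by session id, keeping the start fields."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        rec = sessions.setdefault(fields["session"], {})
        if fields["event"] == "session_start":
            rec.update(fields)
            rec["start"] = _ts(ts)
        elif fields["event"] == "session_end":
            rec["end"] = _ts(ts)
    return sessions


def audit(sessions, now):
    """Return (session_id, finding) pairs for every policy violation."""
    findings = []
    for sid, rec in sorted(sessions.items()):
        if "start" not in rec:
            findings.append((sid, "end without start"))
            continue
        if rec.get("ticket") not in APPROVED_TICKETS:
            findings.append((sid, "ticket not approved"))
        if rec.get("auth") not in STRONG_AUTH:
            findings.append((sid, "weak authenticator"))
        if rec.get("cipher") not in APPROVED_CIPHERS:
            findings.append((sid, "cipher not approved"))
        if rec.get("proto") == "tls" and \
                _tls_version(rec.get("proto_version", "")) < _tls_version(MIN_TLS):
            findings.append((sid, "TLS version below minimum"))
        end = rec.get("end")
        if end is None:
            # Still open: only a violation once the maximum window has passed.
            if now - rec["start"] > MAX_SESSION:
                findings.append((sid, "session not terminated"))
        elif end - rec["start"] > MAX_SESSION:
            findings.append((sid, "session exceeded maximum duration"))
    return findings


def audit_sample(now_iso="2024-03-04T18:00:00Z"):
    """Run the audit over the constructed log as of the given time."""
    return audit(parse_log(SAMPLE_LOG), _ts(now_iso))


if __name__ == "__main__":
    for sid, finding in audit_sample():
        print(f"{sid}: {finding}")
```

Session s1 passes every check; the others show one failure each of the kinds MA-4 and MA-4 (6) care about: a password-only login, an unapproved ticket with a non-AEAD cipher and a session still open hours later, and a TLS 1.0 connection with a non-approved cipher suite.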

MA-5 Maintenance personnel

This control recommends the organization establish a process for authorizing maintenance personnel and maintain a list of authorized third-party maintenance personnel and organizations. Additionally, it asks that those personnel or organizations hold the appropriate security authorizations, and that designated organizational personnel supervise any maintenance staff who lack them while on-site.

Additional resources:

MA-6 Timely maintenance

This control recommends the organization define a maximum time frame between the failure of a system component and the restoration of maintenance support or acquisition of a replacement component. This will likely involve identifying the system components that are critical to maintaining system operations and organizational goals.

Additional resources:

  • No LIMSpec comp (organizational policy rather than system specification)

MA-6 (1) Timely maintenance: Preventive maintenance

This control enhancement recommends the organization take a preventive maintenance approach to its system and components, scheduling specific preventive maintenance actions on specified system components at a defined frequency.

Additional resources:

MA-6 (2) Timely maintenance: Predictive maintenance

This control enhancement recommends the organization take a predictive maintenance approach to its system and components. This essentially means using "principles of statistical process control to determine at what point in the future maintenance activities will be appropriate," particularly "when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold."

Additional resources:
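The statistical process control (SPC) idea quoted for MA-6 (2) can be shown concretely with a Shewhart-style individuals chart plus a trend projection. The following is an added example, not code from LIMSWiki or NIST: it takes a constructed series of daily readings for a hypothetical wear indicator (the values, the 65-unit performance threshold, the 3-sigma limits, the seven-point run rule, and the seven-sample trend window are all assumptions), establishes control limits from an in-control baseline, reports where the chart first signals, and projects from the recent linear trend how many sampling periods remain before the threshold is crossed, which is the "cost-effective and before the equipment loses performance" point the control describes.

```python
"""Predictive maintenance via statistical process control. Added example
with constructed readings; the metric, threshold and rules are assumptions."""
import statistics

# Constructed daily readings of a hypothetical wear indicator (assumption).
# The first ten are the in-control baseline; the rest show a steady drift.
BASELINE = [50, 52, 48, 51, 49, 50, 52, 48, 51, 49]
RECENT = [51, 52, 53, 54, 55, 56, 57]
READINGS = BASELINE + RECENT
THRESHOLD = 65.0   # vendor-specified performance threshold (assumption)
TREND_WINDOW = 7   # samples used for the trend projection (assumption)


def control_limits(baseline, k=3.0):
    """Center line and +/- k sigma limits for an individuals chart."""
    mean = statistics.fmean(baseline)
    sigma = statistics.pstdev(baseline)
    return mean - k * sigma, mean, mean + k * sigma


def first_out_of_control(values, lcl, ucl):
    """Index of the first reading outside the control limits, else None."""
    for i, v in enumerate(values):
        if v < lcl or v > ucl:
            return i
    return None


def run_above_center(values, center, run=7):
    """Index at which a run of `run` consecutive readings above the center
    line completes (an early-warning rule), else None."""
    count = 0
    for i, v in enumerate(values):
        count = count + 1 if v > center else 0
        if count >= run:
            return i
    return None


def linear_fit(xs, ys):
    """Ordinary least-squares slope and intercept."""
    xbar, ybar = statistics.fmean(xs), statistics.fmean(ys)
    sxx = sum((x - xbar) ** 2 for x in xs)
    if sxx == 0:
        return 0.0, ybar
    slope = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys)) / sxx
    return slope, ybar - slope * xbar


def projected_crossing(values, threshold, window):
    """Sampling periods after the last reading at which the fitted trend
    reaches `threshold`; None if the trend is flat or falling, 0.0 if the
    threshold is already reached."""
    n = len(values)
    if n < 2:
        return None
    window = min(window, n)
    xs = list(range(n - window, n))
    slope, intercept = linear_fit(xs, values[-window:])
    if slope <= 0:
        return None
    periods = (threshold - intercept) / slope - (n - 1)
    return max(periods, 0.0)


def analyze(values=READINGS, baseline_len=len(BASELINE), threshold=THRESHOLD):
    """Run the chart and the projection over one series."""
    lcl, center, ucl = control_limits(values[:baseline_len])
    return {
        "lcl": lcl, "center": center, "ucl": ucl,
        "first_out_of_control": first_out_of_control(values, lcl, ucl),
        "run_rule_fires_at": run_above_center(values, center),
        "periods_until_threshold": projected_crossing(values, threshold, TREND_WINDOW),
    }


if __name__ == "__main__":
    for key, val in analyze().items():
        print(f"{key}: {val}")
```

With the constructed series the 3-sigma rule fires at sample 14 (reading 55 against an upper limit of about 54.24), the run rule fires at sample 16, and the trend projects the threshold being reached eight periods after the last reading, which is the window in which to schedule the maintenance. A flat or falling trend yields no projected crossing rather than a negative or nonsensical date.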