Difference between revisions of "Template:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Appendix 1.9 Maintenance"

From LIMSWiki
(Created as needed.)
 
(Updated for 2023.)
 
Line 1: Line 1:
===Appendix 1.9  Maintenance===
===Appendix 1.9  Maintenance===
====MA-1 System maintenance policy and procedures====
====MA-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update system maintenance policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system maintenance action but also to address how those policies and procedures will be implemented, reviewed, and updated.  
This control recommends the organization develop, document, disseminate, review, and update system maintenance policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system maintenance action but also to address how those policies and procedures will be implemented, reviewed, and updated.  


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 50
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 50
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]


====MA-2 Controlled maintenance====
====MA-2 Controlled maintenance====
Line 20: Line 20:
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management LIMSpec 10.7, 10.10, and 10.15]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management LIMSpec 10.7, 10.10, and 10.15]


====MA-4 Non-local maintenance====
====MA-4 Nonlocal maintenance====
This control recommends the organization place strong controls on non-local maintenance and diagnostics of the system or its components. "Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through either an external network (e.g., the Internet) or an internal network." Those controls include approving, monitoring, and thoroughly documenting non-local maintenance, ensuring the tools used in the process are documented and consistent with organizational policy, ensuring strong authenticators are employed during such maintenance sessions, and ensuring those sessions and network connections are terminated upon completion of maintenance activities.
This control recommends the organization place strong controls on nonlocal maintenance and diagnostics of the system or its components. "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network." Those controls include approving, monitoring, and thoroughly documenting non-local maintenance, ensuring the tools used in the process are documented and consistent with organizational policy, ensuring strong authenticators are employed during such maintenance sessions, and ensuring those sessions and network connections are terminated upon completion of maintenance activities.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-63-3]
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-63-3]
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final NIST Special Publications 800-88, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management LIMSpec 10.15],  [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management 32.25], [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.4], and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.3]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management LIMSpec 10.15],  [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management 32.25], [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.4], and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.3]
====MA-4 (6) Nonlocal maintenance: Cryptographic protection====
This control enhancement recommends the system provides appropriate cryptographic mechanisms for ensuring the confidentiality and integrity of nonlocally accessed maintenance and diagnostic data and information.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.1]


====MA-5 Maintenance personnel====
====MA-5 Maintenance personnel====
This control recommends the organization establish a list of authorized third-party maintenance personnel and organizations and a process for vetting them. Additionally, a policy of ensuring those authorized personnel or organizations have the appropriate security authorizations and designated supervisory personnel when on-site.
This control recommends the organization establish a list of authorized third-party maintenance personnel and organizations and a process for vetting them. Additionally, a policy of ensuring those authorized personnel or organizations have the appropriate security authorizations and designated supervisory personnel when on-site is asked for.


'''Additional resources''':
'''Additional resources''':
Line 40: Line 46:
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====MA-6 (1) Timely maintenance: Preventative maintenance====
====MA-6 (1) Timely maintenance: Preventive maintenance====
This control enhancement recommends the organization take a preventative maintenance approach to its system and components, scheduling at a defined frequency specific preventative maintenance actions on specified system components.
This control enhancement recommends the organization take a preventive maintenance approach to its system and components, scheduling at a defined frequency specific preventative maintenance actions on specified system components.


'''Additional resources''':
'''Additional resources''':

Latest revision as of 15:56, 21 March 2023

Appendix 1.9 Maintenance

MA-1 Policy and procedures

This control recommends the organization develop, document, disseminate, review, and update system maintenance policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system maintenance action but also to address how those policies and procedures will be implemented, reviewed, and updated.

Additional resources:

MA-2 Controlled maintenance

This control recommends the organization apply a "controlled maintenance" approach to its system. Maintenance should not only be regularly scheduled, performed, and thoroughly documented, but also be in line with manufacturer, vendor, or organizational requirements. The maintenance should go through an approval and monitoring process whether conducted on- or off-site. Any off-site work will require proper data sanitization. After maintenance, the components and the system should be checked to ensure that all implemented controls still function as expected.

Additional resources:

MA-2 (2) Controlled maintenance: Automated maintenance activities

This control enhancement recommends the organization employ (or ensure the system employs) some type of automation in scheduling, conducting, and/or documenting maintenance and repairs. That automated process should also ensure that all related documentation is complete and accurate with regard to requested, scheduled, processed, and completed maintenance and repair actions.

Additional resources:

MA-4 Nonlocal maintenance

This control recommends the organization place strong controls on nonlocal maintenance and diagnostics of the system or its components. "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network." Those controls include approving, monitoring, and thoroughly documenting nonlocal maintenance, ensuring the tools used in the process are documented and consistent with organizational policy, ensuring strong authenticators are employed during such maintenance sessions, and ensuring those sessions and network connections are terminated upon completion of maintenance activities.

Additional resources:

MA-4 (6) Nonlocal maintenance: Cryptographic protection

This control enhancement recommends the system provide appropriate cryptographic mechanisms for ensuring the confidentiality and integrity of nonlocally accessed maintenance and diagnostic data and information.

Additional resources:

MA-5 Maintenance personnel

This control recommends the organization establish a list of authorized third-party maintenance personnel and organizations and a process for vetting them. It additionally asks for a policy ensuring those authorized personnel or organizations have the appropriate security authorizations and designated supervisory personnel when on-site.

Additional resources:

MA-6 Timely maintenance

This control recommends the organization designate a time frame within which maintenance support or replacement component acquisition must occur after a system component fails. This will likely involve identifying the system components that are critical to maintaining system operations and organizational goals.

Additional resources:

  • No LIMSpec comp (organizational policy rather than system specification)

MA-6 (1) Timely maintenance: Preventive maintenance

This control enhancement recommends the organization take a preventive maintenance approach to its system and components, scheduling specific preventive maintenance actions on specified system components at a defined frequency.

Additional resources:

MA-6 (2) Timely maintenance: Predictive maintenance

This control enhancement recommends the organization take a predictive maintenance approach to its system and components. This essentially means using "principles of statistical process control to determine at what point in the future maintenance activities will be appropriate," particularly "when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold."

Additional resources:
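As an added illustration of the MA-6 (2) idea (not part of the original page or of NIST SP 800-53), the following Python applies statistical process control to a constructed series of instrument performance readings: it derives control limits from a baseline, detects a sustained downward shift, and extrapolates the recent trend to estimate when the metric will cross a performance threshold. The metric name, readings, and threshold are all assumed sample values.

```python
"""Predictive maintenance via statistical process control (SPC).

Added example: fit control limits from a baseline of an instrument
performance metric, then use the trend of recent readings to estimate
when the metric will cross a performance threshold. All data below are
constructed sample values, not readings from any real instrument.
"""
from statistics import mean, stdev

# Constructed sample: weekly detector sensitivity (% of nominal) for one instrument.
BASELINE = [99.8, 100.1, 99.9, 100.2, 99.7, 100.0, 100.3, 99.9, 100.1, 99.8]
RECENT = [99.4, 99.1, 98.9, 98.5, 98.2, 97.9, 97.5, 97.2]   # weeks 11..18
PERFORMANCE_THRESHOLD = 95.0   # assumed: below this the instrument is out of spec


def control_limits(baseline, k=3.0):
    """Shewhart-style limits: mean +/- k standard deviations of the baseline."""
    m, s = mean(baseline), stdev(baseline)
    return m - k * s, m, m + k * s


def run_below_center(readings, center, run_length=7):
    """Western Electric run rule: run_length consecutive points below the center line."""
    run = 0
    for r in readings:
        run = run + 1 if r < center else 0
        if run >= run_length:
            return True
    return False


def weeks_until_threshold(readings, threshold):
    """Least-squares slope of the recent readings, extrapolated to the threshold.
    Returns None when the trend is flat or improving (nothing to predict)."""
    n = len(readings)
    xs = range(n)
    x_bar, y_bar = mean(xs), mean(readings)
    sxx = sum((x - x_bar) ** 2 for x in xs)
    slope = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, readings)) / sxx
    if slope >= 0:
        return None
    last = y_bar + slope * (n - 1 - x_bar)   # fitted value at the latest week
    return (last - threshold) / -slope


def maintenance_due(baseline, recent, threshold):
    """Decision: schedule maintenance when readings show a sustained downward
    shift (run rule or a point below the lower limit) and the trend would
    cross the threshold. Returns (flag, estimated weeks until threshold)."""
    lcl, center, _ = control_limits(baseline)
    shifted = run_below_center(recent, center) or min(recent) < lcl
    weeks = weeks_until_threshold(recent, threshold)
    return shifted and weeks is not None, weeks
```

With the constructed data, the instrument has drifted below the center line for eight straight weeks and the linear trend reaches the threshold about seven weeks out, so maintenance would be scheduled before performance is lost.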