56.50 - Maintenance (MA)

Policy Statement
TTUHSC El Paso shall implement mechanisms to properly identify system users, processes acting on behalf of users, or devices, and to authenticate the identities of those users, processes, or devices.

Reason for Policy
The purpose of the Maintenance (MA) policy is to ensure that due diligence is performed by properly maintaining TTUHSC El Paso systems.

Entities Affected by this Policy are any and all users of Information Resources at TTUHSC El Paso.

What is covered in this Policy?

The overall policy addresses the Institutional stance as it applies to TTUHSC El Paso in the areas of: maintenance, controlled maintenance, tools, non-local maintenance, maintenance personnel, and timely maintenance.

It is the stance of TTUHSC El Paso to ensure that there are safeguards in place aligned with NIST 800-53 and TAC 202 to ensure the protection, integrity, and confidentiality of information resources at TTUHSC El Paso.

Who Should Read this Policy?
All individuals accessing, storing, or viewing any TTUHSC El Paso information resources.

What happens if I violate this policy?
Any person(s) violating TTUHSC El Paso Information Technology policies are subject to penalty under federal, state, and local legislation. Disciplinary actions are further outlined in HSCEP 56.50 Sanctions Policy.1

 

MA-01: Maintenance Policy & Procedures

TTUHSC El Paso develops, disseminates, reviews & updates:2

  • A formal, documented system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  • Formal, documented procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls.

TTUHSC El Paso is required to document organization-wide maintenance controls that, at a minimum, include:

  1. A formal, documented maintenance policy; and
  2. Processes to facilitate the implementation of the maintenance policy, procedures and associated controls.

MA-02: Controlled Maintenance

TTUHSC El Paso:3

  • Schedules, performs, documents, and reviews records of maintenance and repairs on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
  • Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
  • Requires explicit management approval for the removal of the system or system components from organizational facilities for off-site maintenance or repairs;
  • Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.

Asset custodians and data/process owners are required to:

  1. Schedule, perform, document, and review records of maintenance and repairs on systems in accordance with manufacturer or vendor specifications and company requirements;
  2. Control all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
  3. Require explicit management approval for the removal of the systems or system components from company facilities for off-site maintenance or repairs;
  4. Sanitize equipment to remove all information from associated media prior to removal from company facilities for off-site maintenance or repairs; and
  5. Check all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.

Controlled Maintenance includes:

Maintenance Activities
For critical systems, asset custodians are required to keep maintenance records for systems that include:

  • Date and time of maintenance;
  • Name of the individual performing the maintenance;
  • Name of escort, if necessary;
  • A description of the maintenance performed; and
  • A list of equipment removed or replaced (including identification numbers, if applicable).

MA-03: Maintenance Tools

TTUHSC El Paso approves, controls, monitors the use of, and maintains on an ongoing basis, system maintenance tools.4

Asset custodians are required to inspect all maintenance tools carried into TTUHSC El Paso facilities by maintenance personnel for obvious improper modifications or indications that proper maintenance is not being performed.

Maintenance Tools include:

Tool inspection
Where technically feasible, asset custodians must inspect the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

Media inspection
Where technically feasible, asset custodians must check media containing diagnostic and test programs for malicious code before the media are used in an information system.

Preventing unauthorized removal
Asset custodians and data/process owners are required to:

  1. Verify that there is no TTUHSC El Paso information contained in the equipment;
  2. Sanitize or destroy the equipment; or
  3. Retain the equipment within the facility.

MA-04: Non-Local Maintenance

TTUHSC El Paso:5

  • Authorizes, monitors, and controls non-local maintenance and diagnostic activities;
  • Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;
  • Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;
  • Maintains records of non-local maintenance and diagnostic activities; and
  • Terminates all sessions and network connections when non-local maintenance is completed.

Asset custodians and data/process owners are required to:

  1. Authorize, monitor, and control non-local maintenance and diagnostic activities;
  2. Allow the use of non-local maintenance and diagnostic tools only in accordance with policy and standards;
  3. Employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;
  4. Maintain records of non-local maintenance and diagnostic activities; and
  5. Terminate all sessions and network connections when non-local maintenance is completed.

Non-Local Maintenance includes:

Auditing
Asset custodians and data/process owners are required to routinely perform audits of non-local maintenance and diagnostic sessions to observe for indications of unauthorized activity.1

Documenting non-local maintenance
TTUHSC El Paso requires:

  1. Maintenance personnel to provide prior notification when non-local maintenance is planned (e.g., date & time); and
  2. A designated employee with specific system knowledge to approve the non-local maintenance.

Cryptographic protection6
Asset custodians are required to use technologies that incorporate strong encryption for non-console administrative access.

Remote Disconnect Verification
Asset custodians and data/process owners are responsible for determining a method to verify remote disconnect upon termination of non-local maintenance.

MA-05: Maintenance Personnel

TTUHSC El Paso:7

  • Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and
  • Ensures that personnel performing maintenance on the system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise system maintenance when maintenance personnel do not possess the required access authorizations.

Asset custodians and data/process owners are required to:

  1. Establish a process for maintenance personnel authorization and maintain a current list of authorized maintenance organizations or personnel; and
  2. Ensure that personnel performing maintenance have required access authorizations or designate specific personnel with required access authorizations and technical competence necessary to supervise the maintenance when maintenance personnel do not possess the required access authorizations.

Maintenance Personnel includes:

Individuals Without Appropriate Access
Where technically feasible and justified by a valid business case, TTUHSC El Paso shall implement procedures to manage maintenance personnel that lack appropriate security clearances or are not U.S. citizens.

MA-06: Timely Maintenance

TTUHSC El Paso obtains maintenance support and/or spare parts for systems and/or key information technology components within an organization-defined time period.

Asset custodians and data/process owners are required to obtain maintenance support and spare parts for critical systems and key information technology components within defined Service Level Agreements (SLAs).

 

All other IT Policies can be found at https://ttuhscep.edu/it/policies/

 

  1. 56.50 Sanctions Policy
  2. HIPAA 164.310(a)(b)(iv)
  3. NIST CSF PR.MA-1
  4. NIST CSF PR.MA-1
  5. NIST CSF PR.MA-2
  6. PCI DSS 2.3
  7. NIST CSF PR.MA-1
  8. TAC §202.72, §202.74, §202.75

 

Revised May 2018