Maintenance

00:00

Welcome to less than 6.4 protect maintenance.

00:05

So in this video will cover protect function category # four maintenance as well as maintenance controls.

00:13

So in this particular category of the protect function, we're looking at um system maintenance and repairs are performed consistent with policies, processes and procedures. So at this point you have all your policies and processes in place regarding your data processing management, as well as the transparency to um individuals whose data you collect as well as other organizations and your data processing ecosystem.

00:36

And now you're really in between the last category. In this one, you're really now in the category of monitoring um and continuing to evolve uh your protection strategies and ensuring that your controls are working um as you're expecting them to work and that's where the maintenance comes in here. You want to ensure that maintenance and repair of your organizational assets performed log

00:59

um with approved and controlled tools and that it's really done on a consistent basis as well as a remote maintenance of organizational assets is approved lock and performed in a manner that prevents unauthorized access. And sometimes this may be your company doing um the remote maintenance, but it could also be a third party, especially if an application or system. Um it doesn't sit on prim

01:22

um that may be handled by a third party, but you still want to make sure um that you are logging um and approving that maintenance and that is being performed on a consistent basis and in a manner that does prevent unauthorized access.

01:38

So in the next uh slide we're really going to get into uh this is a sample from Nist 853 that shows um for those that may not be familiar, how do you put together sort of like a maintenance process or just policies and procedures on how to handle maintenance for your organizational assets?

01:57

So I wanted to pull at this table from that document to give you a sense of of what you should be looking at and what you should put in place. So of course you should have system maintenance policies and procedures um and really making sure you're controlling that maintenance. But then you get into maintenance tools so you're inspect tools, inspect media, ensure that you're preventing unauthorized removal

02:20

and having restricted tool use.

02:23

Um And another heading that you get into is non local maintenance. So you're auditing and review for maintenance that may not be being performed on site or by your staff um That you're looking at a security and sanitization

02:38

and that you're actually authenticating and separation of of the maintenance session as well as cryptographic protection um and remote disconnect verification. So these are just some of the things that you should be taking into account as maintenance controls um As well as getting into maintenance personnel,

02:55

making sure especially if you have

03:00

um maintenance that comes on site. Maybe it's not done by your personnel but you have a third party company. Um making sure that they have the appropriate access when they're on site. Or that there with a staff member who has access to, let's say the server room, even if you work in a facility where security clearances are required, making sure that security clearances are

03:23

have been obtained for classified systems um And then something else that may even need to be taken to account is citizenship requirements for classified systems. Especially if you work in an industry where um international traffic in arms regulations may be an issue. Maybe you manufacturer certain military um uh

03:44

applications or even um uh products. And so there are certain individuals from certain embargoed countries that may not be able to have access to that, so making sure that you're aware of that or even just other foreign nationals.

04:00

Um When you get into whether you're manufacturing just standard commercial um products or are they military in nature and then you have to be concerned with who's accessing them. And then finally just making sure that you're doing timely maintenance um that includes preventive and predictive maintenance. Um And then like just making sure that maintenance is done on a consistent basis.

04:25

So wanted to pull this just to kind of show you um and this sp 853 does kind of break down their controls this way. Um and this could be helpful to look at, especially for the protect function. Um that does correlate pretty well with the security framework.