Maintenance

The controls and activities in the Maintenance (MA) family support periodic and timely maintenance on organizational systems and provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance, to ensure the ongoing availability of those systems.

MA-01 Maintenance policy and procedures

Activity

  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]
    1. [Selection (1 or more): Organization-level; Mission/business process-level; System-level] maintenance policy that
      1. addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
      2. is consistent with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines
    2. procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls
  2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the maintenance policy and procedures
  3. Review and update the current maintenance
    1. policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
    2. procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]

Discussion

Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures.

In general, security and privacy program policies and procedures at the organization level are preferable and may remove the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations.

Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents.

Events that may precipitate an update to maintenance policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, jurisprudence, Orders in Council, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

Related controls and activities

PM-09, PS-08, SI-02, SI-12.

Enhancements

None.

References

 

MA-02 Controlled maintenance

Control

  1. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements
  2. Approve and monitor all maintenance activities, whether performed onsite or remotely and whether the system or system components are serviced onsite or removed to another location
  3. Require that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for offsite maintenance, repair, or replacement
  4. Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for offsite maintenance, repair, or replacement: [Assignment: organization-defined information]
  5. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions
  6. Include the following information in organizational maintenance records: [Assignment: organization-defined information]

Discussion

Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or non-local entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations should consider the supply chain-related risks associated with replacement components for systems.

Related controls and activities

CM-02, CM-03, CM-04, CM-05, CM-08, MA-04, MP-06, PE-16, SI-02, SR-03, SR-04, SR-11.

Enhancements

  • (01) Controlled maintenance: Record content
    • Withdrawn: Incorporated into MA-02.
  • (02) Controlled maintenance: Automated maintenance activities
      1. Schedule, conduct, and document maintenance, repair, and replacement actions for the system using [Assignment: organization-defined automated mechanisms]
      2. Produce up-to-date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed
    • Discussion: The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records.
    • Related controls and activities: MA-03.

References

TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control

 

MA-03 Maintenance tools

Control

  1. Approve, control, and monitor the use of system maintenance tools
  2. Review previously approved system maintenance tools [Assignment: organization-defined frequency]

Discussion

Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and that are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented.

A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers.

The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as ping, ls, ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by the maintenance tools control.

Related controls and activities

MA-02, PE-16, SA-400.

Enhancements

  • (01) Maintenance tools: Inspect tools
    • Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.
    • Discussion: Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.
    • Related controls and activities: SI-07.
  • (02) Maintenance tools: Inspect media
    • Check media containing diagnostic and test programs for malicious code before the media is used in the system.
    • Discussion: If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures.
    • Related controls and activities: SI-03.
  • (03) Maintenance tools: Prevent unauthorized removal
    • Prevent the unauthorized removal of maintenance equipment containing organizational or personal information by:
      1. verifying that no organizational or personal information is contained on the equipment
      2. sanitizing or destroying the equipment
      3. retaining the equipment within the facility
      4. obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility
    • Discussion: Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards.
    • Related controls and activities: MP-06.
  • (04) Maintenance tools: Restricted tool use
    • Restrict the use of maintenance tools to authorized personnel only.
    • Discussion: Restricting the use of maintenance tools to only authorized personnel applies to systems that are used to carry out maintenance functions.
    • Related controls and activities: AC-03, AC-05, AC-06.
  • (05) Maintenance tools: Execution with privilege
    • Monitor the use of maintenance tools that execute with increased privilege.
    • Discussion: Maintenance tools that execute with increased system privilege can result in unauthorized access to organizational information and assets that would otherwise be inaccessible.
    • Related controls and activities: AC-03, AC-06.
  • (06) Maintenance tools: Software updates and patches
    • Inspect maintenance tools to ensure the latest software updates and patches are installed.
    • Discussion: Maintenance tools using outdated and/or unpatched software can provide a threat vector for adversaries and result in a significant vulnerability for organizations.
    • Related controls and activities: AC-03, AC-06.

References

TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control

 

MA-04 Non-local maintenance

Control

  1. Approve and monitor non-local maintenance and diagnostic activities
  2. Allow the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system
  3. Employ strong authentication in the establishment of non-local maintenance and diagnostic sessions
  4. Maintain records for non-local maintenance and diagnostic activities
  5. Terminate session and network connections when non-local maintenance is completed

Discussion

Non-local maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection.

Authentication techniques used to establish non-local maintenance and diagnostic sessions reflect the network access requirements in IA-02. Strong authentication requires authenticators that are resistant to replay attacks and employ MFA. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-04 is accomplished, in part, by other controls. The Cyber Centre publication User authentication guidance for information technology systems (ITSP.30.03) provides additional guidance on strong authentication and authenticators.

Related controls and activities

AC-02, AC-03, AC-06, AC-17, AC-17(400), AU-02, AU-03, IA-02, IA-04, IA-05, IA-08, MA-02, MA-05, PL-02, SA-400, SC-07, SC-10, SI-400.

Enhancements

  • (01) Non-local maintenance: Logging and review
      1. Log [Assignment: organization-defined audit events] for non-local maintenance and diagnostic sessions
      2. Review the audit records of the maintenance and diagnostic sessions to detect anomalous behaviour
    • Discussion: Audit logging for non-local maintenance is enforced by AU-02. Audit events are defined in AU-02A.
    • Related controls and activities: AU-02, AU-06, AU-12.
  • (02) Non-local maintenance: Document non-local maintenance
    • Withdrawn: Incorporated into MA-01 and MA-04.
  • (03) Non-local maintenance: Comparable security and sanitization
      1. Require that non-local maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced
      2. Remove the component to be serviced from the system prior to non-local maintenance or diagnostic services; sanitize the component (for organizational information); and, after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system
    • Discussion: Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced.
    • Related controls and activities: MP-06, SI-03, SI-07.
  • (04) Non-local maintenance: Authentication and separation of maintenance sessions
    • Protect non-local maintenance sessions by:
      1. employing [Assignment: organization-defined authenticators that are replay resistant]
      2. separating the maintenance sessions from other network sessions with the system by either
        1. physically separated communications paths
        2. logically separated communications paths
    • Discussion: Communications paths can be logically separated using encryption.
    • Related controls and activities: None.
  • (05) Non-local maintenance: Approvals and notifications
      1. Require the approval of each non-local maintenance session by [Assignment: organization-defined personnel or roles]
      2. Notify the following personnel or roles of the date and time of planned non-local maintenance: [Assignment: organization-defined personnel or roles].
    • Discussion: Notification may be performed by maintenance personnel. Approval of non-local maintenance is accomplished by personnel with sufficient information security and system knowledge to determine the appropriateness of the proposed maintenance.
    • Related controls and activities: None.
  • (06) Non-local maintenance: Cryptographic protection
    • Implement the following cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications: [Assignment: organization-defined cryptographic mechanisms].
    • Discussion: Failure to protect non-local maintenance and diagnostic communications can result in unauthorized individuals gaining access to organizational information. Unauthorized access during remote maintenance sessions can result in a variety of hostile actions, including malicious code insertion, unauthorized changes to system parameters, and exfiltration of organizational information. Such actions can result in the loss or degradation of mission or business capabilities.
    • Related controls and activities: SC-08, SC-12, SC-13.
  • (07) Non-local maintenance: Disconnect verification
    • Verify session and network connection termination after the completion of non-local maintenance and diagnostic sessions.
    • Discussion: Verifying the termination of a connection once maintenance is completed ensures that connections established during non-local maintenance and diagnostic sessions have been terminated and are no longer available for use.
    • Related controls and activities: AC-12.

References

 

MA-05 Maintenance personnel

Control

  1. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel
  2. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations
  3. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations

Discussion

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-02 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems.

Individuals not previously identified as authorized maintenance personnel — such as information technology manufacturers, vendors, systems integrators, and consultants — may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

Information about maintenance personnel may be personal information and should be protected accordingly.

Related controls and activities

AC-02, AC-03, AC-05, AC-06, IA-02, IA-08, MA-04, MP-02, PE-02, PE-03, PS-07, RA-03, SA-400.

Enhancements

  • (01) Maintenance personnel: Individuals without appropriate access
      1. Implement procedures for the use of maintenance personnel who lack appropriate security clearances; the procedures include the following requirements
        1. maintenance personnel who do not have the needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified
        2. prior to initiating maintenance or diagnostic activities by personnel who do not have the needed access authorizations, clearances, or formal access approvals, all volatile information storage components within the system are sanitized and all non-volatile storage media are removed or physically disconnected from the system and secured
      2. Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system
    • Discussion: Procedures for individuals who lack appropriate security clearances are intended to deny visual and electronic access to classified or protected information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems.
    • Related controls and activities: MP-06, PL-02.
  • (02) Maintenance personnel: Security clearances for classified systems
    • Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for compartments of information on the system.
    • Discussion: Personnel who conduct maintenance on organizational systems may be exposed to classified information during the course of their maintenance activities. To mitigate the inherent risk of such exposure, organizations use maintenance personnel who are cleared (i.e., possess security clearances) to the classification level of the information stored on the system.
    • Related controls and activities: PS-03.
  • (03) Maintenance personnel: Citizenship requirements for classified systems
    • Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are Canadian citizens.
    • Discussion: Personnel who conduct maintenance on organizational systems may be exposed to classified information during the course of their maintenance activities. If access to classified information on organizational systems is restricted to Canadian citizens, the same restriction is applied to personnel performing maintenance on those systems.
    • Related controls and activities: PS-03.
  • (04) Maintenance personnel: Foreign nationals
    • Ensure that:
      1. foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by Canadian and foreign allied governments, or owned and operated solely by foreign allied governments
      2. approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within memoranda of agreement
    • Discussion: Personnel who conduct maintenance and diagnostic activities on organizational systems may be exposed to classified information. If non-Canadian citizens are permitted to perform maintenance and diagnostic activities on classified systems, then additional vetting is required to ensure agreements and restrictions are not being violated.
    • Related controls and activities: PS-03.
  • (05) Maintenance personnel: Non-system maintenance
    • Ensure that non-escorted personnel performing maintenance activities not directly associated with the system, but in the physical proximity of the system, have required access authorizations.
    • Discussion: Personnel who perform maintenance activities in other capacities not directly related to the system include physical plant personnel and custodial personnel.
    • Related controls and activities: None.

References

PSPC Contract Security Manual, Chapter 6: Handling and safeguarding information and assets

 

MA-06 Timely maintenance

Control

Obtain maintenance support and/or spare parts for [Assignment: organization-defined system components] within [Assignment: organization-defined time period] of failure.

Discussion

Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or Canada when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.

Related controls and activities

CM-08, CP-02, CP-07, RA-07, SA-15, SI-13, SR-02, SR-03, SR-04.

Enhancements

  • (01) Timely maintenance: Preventive maintenance
    • Perform preventive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals].
    • Discussion: Preventive maintenance includes proactive care and the servicing of system components to maintain organizational equipment and facilities in satisfactory operating condition. Such maintenance provides for the systematic inspection, tests, measurements, adjustments, parts replacement, detection, and correction of incipient failures either before they occur or before they develop into major defects.
      The primary goal of preventive maintenance is to avoid or mitigate the consequences of equipment failures. Preventive maintenance is designed to preserve and restore equipment reliability by replacing worn components before they fail.
      Methods of determining what preventive (or other) failure management policies to apply include: original equipment manufacturer recommendations; statistical failure records; expert opinion; maintenance that has already been conducted on similar equipment; requirements of codes, laws, or regulations within a jurisdiction; or measured values and performance indications.
    • Related controls and activities: None.
  • (02) Timely maintenance: Predictive maintenance
    • Perform predictive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals].
    • Discussion: Predictive maintenance evaluates the condition of equipment by performing periodic or continuous (online) equipment condition monitoring. The goal of predictive maintenance is to perform maintenance at a scheduled time when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold.
      The predictive component of predictive maintenance stems from the objective of predicting the future trend of the equipment's condition. The predictive maintenance approach employs principles of statistical process control to determine at what point in the future maintenance activities will be appropriate. Most predictive maintenance inspections are performed while equipment is in service, thus minimizing disruption of normal system operations. Predictive maintenance can result in substantial cost savings and higher system reliability.
    • Related controls and activities: None.
  • (03) Timely maintenance: Automated support for predictive maintenance
    • Transfer predictive maintenance data to a maintenance management system using [Assignment: organization-defined automated mechanisms].
    • Discussion: A computerized maintenance management system maintains a database of information about the maintenance operations of organizations and automates the processing of equipment condition data to trigger maintenance planning, execution, and reporting.
    • Related controls and activities: None.

References

None.

 

MA-07 Field maintenance

Control

Restrict or prohibit field maintenance on [Assignment: organization-defined systems or system components] to [Assignment: organization-defined trusted maintenance facilities].

Discussion

Field maintenance is the type of maintenance conducted on a system or system component after the system or component has been deployed to a specific site (i.e., an operational environment). In certain instances, field maintenance (i.e., local maintenance at the site) may not be executed with the same degree of rigour or with the same quality control checks as depot maintenance. For critical systems designated as such by the organization, it may be necessary to restrict or prohibit field maintenance at the local site and require that such maintenance be conducted in trusted facilities with additional controls.

Related controls and activities

MA-02, MA-04, MA-05.

Enhancements

None.

References

None.

 