MA-01-727 System Maintenance Policy and Procedures

System Maintenance Policy and Procedures

Control ID

MA-01-727

Control Name

System Maintenance Policy and Procedures

Control Category

Maintenance

Functional Areas

Identify

Sub-Areas

Enterprise Security Policy, Standards and Guidelines

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

Information resource custodians are responsible for ensuring system maintenance performed on Agency information resources is consistent with all applicable security controls. Unless otherwise excepted by the chief information officer, all information resources must be under manufacturer warranty to operate in a production environment. Locally-developed products without adequate maintenance support shall be roadmapped for sunset, and the chief information officer shall perform annual governance reviews of the product until adequate support is obtained or the product is removed from production.

Risk Statement

Commercial software is not supported by a vendor and introduces errors into the information system processing environment.

Control Description

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].

Control Example

The organization has written, documented system maintenance policies and procedures in place.

State Implementation

The state organization has a policy that addresses system maintenance controls.

Testing Procedures

Obtain information system maintenance policy and procedures; other relevant documents or records and ascertain if : (I)the organization develops and documents information system maintenance policy and procedures. (ii)the organization disseminates information system maintenance policy and procedures to appropriate elements within the organization. (iii)responsible parties within the organization periodically review information system maintenance policy and procedures. (iv)the organization updates information system maintenance policy and procedures when organizational review indicates updates are required. (v)the information system maintenance policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance (vi)the information system maintenance policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and (vii)the information system maintenance procedures address all areas identified in the system maintenance policy and address achieving policy-compliant implementations of all associated system maintenance controls.