The chief information security officer shall screen and authorize all maintenance personnel that will be provided non-escorted access to sensitive areas, provide the maintenance personnel with an identification badge indicating their affiliation status, and post a list of authorized maintenance personnel inside the sensitive area.
Full-time Network & Information Systems operations and management staff may escort maintenance personnel without additional screening.
Unauthorized visitors gain physical access to facilities due to insufficient physical entry controls.
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
The organization escorts visitors through sensitive physical security areas.
The state organization allows only authorized personnel to perform maintenance on the information system.
Obtain the information system maintenance policy; procedures addressing maintenance personnel; service provider contracts and/or service level agreements; list of authorized personnel; maintenance records; and other relevant documents or records, and ascertain if:
(i) the organization allows only authorized personnel to perform maintenance on the information system.
(ii) the organization supervises authorized maintenance personnel who do not have needed access authorizations to the information system during the performance of maintenance activities on the system using organizational personnel with appropriate access authorizations.