3.7.1 has a weight of -3 points

System Security Plan (SSP) – Control Identifier: 3.7.1

Control Title: Maintenance of Organizational Systems

Control Description:

This control focuses on ensuring the effective maintenance of organizational systems, including user computers, servers, physical premise security systems, and network components. The organization follows industry best practices to ensure that system maintenance is conducted efficiently and securely. Most maintenance is automated, but manual updates are performed when necessary.

Implementation:

1. Automated Workstation/OS Updates:
   • Our organization automatically performs updates on user computers as they are released by Microsoft. These updates are scheduled to run on a weekly basis through Lansweeper. This automated process ensures that workstations and operating systems are kept up to date with the latest security patches and improvements.
2. SonicWall Updates:
   • SonicWall, a critical component of our network security, is updated through the cloud console. This ensures that our firewall system is continuously updated with the latest threat protections and firmware releases.
3. Manual Switch Updates:
   • Network switches are manually updated as required. Although most maintenance is automated, manual intervention is performed when necessary to ensure the reliability and performance of our network infrastructure.
4. Utilization of Windows Server Update Service (WSUS):
   • For operating system updates, our organization utilizes a Windows Server Update Service (WSUS) server. This server is used to deploy and verify the installation of operating system updates in accordance with Microsoft best practices. This ensures that all servers in our environment are consistently patched and secure.
5. Physical Premise Security Systems:
   • Physical premise security systems, including alarm systems and other security components, are maintained in accordance with best practices and procedures specified by the respective vendors. This includes updating alarm systems as required by the vendor to ensure effective security monitoring.
6. Endpoint Security:
   • All endpoints, including user computers and servers, are equipped with antivirus and other endpoint protection mechanisms. These mechanisms are updated periodically through automatic updates and are verified by IT administrators to ensure their effectiveness in safeguarding our systems.

Plan of Action and Milestones (POA&M) – Control Identifier: 3.7.1

Control Title: Maintenance of Organizational Systems

Control Description:

This control focuses on ensuring the effective maintenance of organizational systems, including user computers, servers, physical premise security systems, and network components. The organization follows industry best practices to ensure that system maintenance is conducted efficiently and securely. Most maintenance is automated, but manual updates are performed when necessary.

POA&M:

1. Review and Update Maintenance Procedures

• Milestone 1: Within 30 days, initiate a review of existing system maintenance procedures to ensure they align with industry best practices.

• Milestone 2: Within 60 days, update maintenance procedures to incorporate best practices and document the revised procedures.

2. Automated Workstation/OS Updates

• Milestone 3: Within 30 days, verify that automated updates for user computers through Lansweeper are functioning correctly.

• Milestone 4: Within 90 days, ensure that all user computers receive automated weekly updates successfully.

3. SonicWall Updates

• Milestone 5: Within 45 days, validate that SonicWall updates through the cloud console are configured and operational.

• Milestone 6: Within 120 days, confirm that SonicWall updates are consistently applied to maintain the latest threat protections and firmware releases.

4. Manual Switch Updates

• Milestone 7: Within 60 days, identify scenarios where manual switch updates are necessary for network infrastructure reliability.

• Milestone 8: Within 150 days, establish a clear process for performing manual switch updates when required, and ensure relevant staff are trained accordingly.

5. Windows Server Update Service (WSUS) Implementation

• Milestone 9: Within 90 days, deploy a Windows Server Update Service (WSUS) server for the management of operating system updates.

• Milestone 10: Within 180 days, verify that WSUS is effectively deploying and verifying the installation of operating system updates for all servers.

6. Physical Premise Security Systems

• Milestone 11: Within 60 days, review vendor-specified best practices and procedures for physical premise security systems, including alarm systems.

• Milestone 12: Within 210 days, ensure that all physical premise security systems are updated according to vendor guidelines and that monitoring capabilities are optimized.

7. Endpoint Security

• Milestone 13: Within 30 days, confirm that antivirus and endpoint protection mechanisms are present on all endpoints.

• Milestone 14: Within 240 days, establish a regular schedule for endpoint security updates and verification by IT administrators.

8. Ongoing Monitoring and Reporting

• Milestone 15: Ongoing, conduct periodic reviews and audits to ensure that all maintenance procedures and practices are consistently followed and effective.

9. Documentation and Reporting

• Milestone 16: Ongoing, maintain detailed records of maintenance activities and security updates for reporting and auditing purposes.

10. Policy Review

• Milestone 17: Within 360 days, review the organization’s System Security Plan (SSP) to ensure it reflects the updated maintenance procedures and practices.