3.7.6 has a weight of -1 points

(Maintenance Family) 6/6

Supervise the maintenance activities of maintenance personnel without required access authorization.

Example of System Security Plan (SSP):

    Policy Statement:

    1. In our commitment to maintaining the security of our organizational systems, we have established a policy to supervise the maintenance activities of personnel without the required access authorization. This policy ensures that only authorized maintenance personnel are permitted to perform hardware or software maintenance on our systems.
    2. Scope of Requirement: This policy applies to all individuals involved in hardware or software maintenance on our organizational systems. It specifically addresses those individuals who do not possess the necessary access authorization for performing maintenance tasks.
    3. Distinction from Physical Access: It is important to note that this requirement is distinct from physical access controls and focuses solely on supervising maintenance personnel who lack the appropriate access privileges for system maintenance.
    4. Privileged Access for Non-Authorized Personnel: In certain circumstances, individuals not previously identified as authorized maintenance personnel, such as IT manufacturers, vendors, consultants, and systems integrators, may require privileged access to our systems for specific maintenance activities with little or no notice.
    5. Temporary Credentials: To facilitate maintenance tasks for non-authorized personnel, we may issue temporary credentials based on risk assessments. These temporary credentials may be granted for one-time use or for a very limited time period as necessary.
    6. Supervision and Monitoring: All maintenance activities conducted by non-authorized personnel are supervised and monitored by authorized personnel or designated individuals with appropriate access authorization. This ensures that only authorized tasks are performed and that access is limited to the scope required for the maintenance activities.
    7. Scope of Privileged Access: The scope of privileged access granted to non-authorized personnel is strictly limited to the specific maintenance tasks they are required to perform. Access is granted for the shortest duration necessary to complete the tasks.
    8. Periodic Review and Revocation: To maintain strict control, the use of temporary credentials and privileged access for non-authorized personnel is subject to periodic review. Credentials are promptly revoked after the completion of maintenance activities or upon the expiration of the granted time period.
    9. Incident Reporting and Response: Any incidents related to the activities of non-authorized personnel are promptly reported and handled in accordance with our organization’s incident response procedures. We prioritize a quick and efficient response to address any potential security concerns.
    10. Awareness and Training: Personnel responsible for supervising and managing maintenance activities receive training to ensure the proper handling and control of temporary credentials and privileged access. This training emphasizes the importance of adherence to security protocols.
    11. Continuous Improvement: We are committed to continuously reviewing and enhancing our procedures for granting temporary credentials and privileged access to non-authorized personnel based on risk assessments and lessons learned from incidents. Our goal is to consistently improve our security measures and ensure the ongoing protection of our organizational systems.

    Example of Plan of Action and Milestones (POA&M):

    Milestone 1: Policy Implementation and Training

    • Implement the policy to supervise maintenance activities of personnel without the required access authorization. [Target Date]

    • Provide training to personnel responsible for supervising and managing maintenance activities on the proper handling and control of temporary credentials and privileged access. [Target Date]

    Milestone 2: Identification and Risk Assessment

    • Identify circumstances where individuals not previously identified as authorized maintenance personnel may require privileged access for specific maintenance activities. [Target Date]

    • Conduct risk assessments to determine the appropriateness of granting temporary credentials and privileged access to non-authorized personnel. [Target Date]

    Milestone 3: Temporary Credentials Issuance

    • Establish a process for issuing temporary credentials based on risk assessments. [Target Date]

    • Ensure that temporary credentials are granted for one-time use or for a limited time period necessary for specific maintenance tasks. [Target Date]

    Milestone 4: Supervision and Monitoring Implementation

    • Implement supervision and monitoring procedures for all maintenance activities conducted by non-authorized personnel. [Target Date]

    • Designate authorized personnel to supervise and monitor the activities of non-authorized personnel during maintenance tasks. [Target Date]

    Milestone 5: Scope of Privileged Access

    • Define and limit the scope of privileged access granted to non-authorized personnel to the specific maintenance tasks required. [Target Date]

    • Ensure that privileged access is granted for the shortest duration necessary to complete the designated maintenance activities. [Target Date]

    Milestone 6: Periodic Review and Revocation

    • Establish a periodic review process for temporary credentials and privileged access granted to non-authorized personnel. [Target Date]

    • Promptly revoke credentials after the completion of maintenance activities or upon the expiration of the granted time period. [Target Date]

    Milestone 7: Incident Reporting and Response Preparedness

    • Review and update incident response procedures to address incidents related to non-authorized personnel activities. [Target Date]

    • Ensure that the incident response team is well-prepared to handle and respond promptly to potential security concerns. [Target Date]

    Milestone 8: Continuous Improvement Evaluation

    • Regularly review and assess the effectiveness of procedures for granting temporary credentials and privileged access. [Target Date]

    • Incorporate lessons learned from incidents to continuously enhance security measures. [Target Date]

    Milestone 9: Compliance Review

    • Conduct a compliance review to verify the proper implementation of the policy and adherence to established procedures. [Target Date]

    • Address any identified gaps or non-compliance issues to ensure strict control over privileged access for non-authorized personnel. [Target Date]
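    One way to put the temporary-credential, supervision, scope-limiting and revocation clauses of the SSP (Temporary Credentials, Supervision and Monitoring, Scope of Privileged Access, Periodic Review and Revocation) and Milestones 3 to 6 of the POA&M into working code is shown below as an added Python example. It is not part of the original page or of any NIST artifact. The supervisor list, the credential format, the task names and the fixed clock are constructed assumptions; in a real deployment the store would sit behind the identity provider or PAM tool that actually issues the vendor's account.

```python
"""Time-bound temporary credentials for non-authorized maintenance personnel.

Added illustration for the SSP/POA&M text above, not the page's own code.
Supervisor names, task names and the credential format are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional
import secrets

# Constructed sample data: staff who hold the required access authorization.
AUTHORIZED_SUPERVISORS = {"alice", "bob"}


@dataclass
class TempCredential:
    holder: str                     # vendor, consultant or integrator identity
    token: str                      # random secret handed to the holder
    scope: str                      # the single maintenance task it is valid for
    issued_by: str                  # authorized person who approved it
    expires_at: Optional[datetime]  # None for one-time-use credentials
    one_time: bool
    used: bool = False
    revoked: bool = False


class CredentialStore:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.clock = clock          # injectable clock so expiry can be tested deterministically
        self.creds: Dict[str, TempCredential] = {}
        self.audit_log: List[dict] = []

    def _log(self, event: str, **details) -> None:
        self.audit_log.append({"at": self.clock().isoformat(), "event": event, **details})

    def issue(self, holder, scope, approved_by, ttl: Optional[timedelta] = None, one_time=False) -> str:
        """Issue a credential for exactly one task, either one-time or time-boxed."""
        if approved_by not in AUTHORIZED_SUPERVISORS:
            raise PermissionError(f"{approved_by} is not authorized to approve temporary credentials")
        if (ttl is None) != one_time:
            raise ValueError("specify exactly one of ttl= or one_time=True")
        token = secrets.token_urlsafe(24)
        expires_at = None if one_time else self.clock() + ttl
        self.creds[token] = TempCredential(holder, token, scope, approved_by, expires_at, one_time)
        self._log("issued", holder=holder, scope=scope, approved_by=approved_by)
        return token

    def use(self, token, supervisor, task) -> bool:
        """Return True if the holder may perform `task` now, under `supervisor`.

        Every attempt, allowed or denied, is written to the audit log so the
        supervising staff member can reconcile it against the approved task.
        """
        cred = self.creds.get(token)
        reason = None
        if cred is None:
            reason = "unknown token"
        elif supervisor not in AUTHORIZED_SUPERVISORS:
            reason = "supervisor lacks access authorization"
        elif cred.revoked:
            reason = "revoked"
        elif cred.one_time and cred.used:
            reason = "one-time credential already used"
        elif cred.expires_at is not None and self.clock() >= cred.expires_at:
            reason = "expired"
        elif task != cred.scope:
            reason = f"task {task!r} outside approved scope {cred.scope!r}"
        if reason:
            self._log("denied", holder=getattr(cred, "holder", None), task=task, reason=reason)
            return False
        cred.used = True
        self._log("allowed", holder=cred.holder, task=task, supervisor=supervisor)
        return True

    def revoke(self, token, reason) -> None:
        cred = self.creds[token]
        cred.revoked = True
        self._log("revoked", holder=cred.holder, reason=reason)

    def review(self) -> List[str]:
        """Periodic review: revoke anything expired or consumed; return the holders affected."""
        revoked = []
        for cred in self.creds.values():
            if cred.revoked:
                continue
            expired = cred.expires_at is not None and self.clock() >= cred.expires_at
            if (cred.one_time and cred.used) or expired:
                self.revoke(cred.token, "periodic review: credential no longer valid")
                revoked.append(cred.holder)
        return revoked


def demo() -> dict:
    """Walk a vendor technician through a two-hour maintenance window with a fixed clock."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    clock = {"now": t0}
    store = CredentialStore(clock=lambda: clock["now"])
    tok = store.issue("vendor-tech", "replace-storage-controller", approved_by="alice",
                      ttl=timedelta(hours=2))
    results = {
        "in_scope": store.use(tok, "alice", "replace-storage-controller"),
        "out_of_scope": store.use(tok, "alice", "modify-firewall-rules"),
        "unsupervised": store.use(tok, "contractor-2", "replace-storage-controller"),
    }
    clock["now"] = t0 + timedelta(hours=3)          # window has elapsed
    results["after_expiry"] = store.use(tok, "alice", "replace-storage-controller")
    results["review_revoked"] = store.review()
    results["denials_logged"] = sum(1 for e in store.audit_log if e["event"] == "denied")
    return results
```

    The design choice worth noting is that a credential is tied to one named task and one approving supervisor, so the audit log alone shows which clause was violated when a use is denied (wrong supervisor, wrong task, expired, or reused); that is the evidence an assessor asks for under Milestones 4 and 6.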

    RELEVANT INFORMATION:

    This requirement applies to individuals who are performing hardware or software maintenance on organizational systems, while 3.10.1 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, consultants, and systems integrators, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Organizations may choose to issue temporary credentials to these individuals based on organizational risk assessments. Temporary credentials may be for one-time use or for very limited time periods.



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.