3.7.1 has a weight of -3 points
(Maintenance Family) 1/6
Perform maintenance on organizational systems.
Example of System Security Plan (SSP):
System Security Plan (SSP) – Control Identifier: 3.7.1
Control Title: Maintenance of Organizational Systems
Control Description:
This control focuses on ensuring the effective maintenance of organizational systems, including user computers, servers, physical premise security systems, and network components. The organization follows industry best practices to ensure that system maintenance is conducted efficiently and securely. Most maintenance is automated, but manual updates are performed when necessary.
Implementation:
- Automated Workstation/OS Updates:
- Our organization automatically performs updates on user computers as they are released by Microsoft. These updates are scheduled to run on a weekly basis through Lansweeper. This automated process ensures that workstations and operating systems are kept up to date with the latest security patches and improvements.
- SonicWall Updates:
- SonicWall, a critical component of our network security, is updated through the cloud console. This ensures that our firewall system is continuously updated with the latest threat protections and firmware releases.
- Manual Switch Updates:
- Network switches are manually updated as required. Although most maintenance is automated, manual intervention is performed when necessary to ensure the reliability and performance of our network infrastructure.
- Utilization of Windows Server Update Service (WSUS):
- For operating system updates, our organization utilizes a Windows Server Update Service (WSUS) server. This server is used to deploy and verify the installation of operating system updates in accordance with Microsoft best practices. This ensures that all servers in our environment are consistently patched and secure.
- Physical Premise Security Systems:
- Physical premise security systems, including alarm systems and other security components, are maintained in accordance with best practices and procedures specified by the respective vendors. This includes updating alarm systems as required by the vendor to ensure effective security monitoring.
- Endpoint Security:
- All endpoints, including user computers and servers, are equipped with antivirus and other endpoint protection mechanisms. These mechanisms are updated periodically through automatic updates and are verified by IT administrators to ensure their effectiveness in safeguarding our systems.
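The SSP above states that WSUS is used to deploy and verify the installation of operating system updates and that IT administrators verify endpoint maintenance. The following PowerShell script is an added example (not part of the SSP or the organization's own tooling) of the per-server verification check an administrator could run and file as maintenance evidence: it confirms the server is pointed at the internal WSUS server and that an OS update has actually installed recently. The WSUS URL and the 30-day threshold are placeholders chosen for illustration.

```powershell
# Added example: verify a Windows server's WSUS configuration and recent patch installation.
# Assumptions: the WSUS URL is a placeholder; the 30-day threshold is a chosen value.
param(
    [string]$ExpectedWsusUrl = "http://wsus.example.internal:8530",  # placeholder
    [int]$MaxDaysSinceLastHotfix = 30
)

$wuPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auPolicy = "$wuPolicy\AU"

# 1. Is the client configured to use the internal WSUS server rather than Microsoft Update?
$wuServer    = (Get-ItemProperty -Path $wuPolicy -Name WUServer    -ErrorAction SilentlyContinue).WUServer
$useWuServer = (Get-ItemProperty -Path $auPolicy -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

$findings = @()
if ($useWuServer -ne 1 -or -not $wuServer) {
    $findings += "Client is not configured to use WSUS (UseWUServer=$useWuServer, WUServer='$wuServer')"
} elseif ($wuServer.TrimEnd('/') -ne $ExpectedWsusUrl.TrimEnd('/')) {
    $findings += "Client points at unexpected update server '$wuServer'"
}

# 2. When did the last OS update actually install? Get-HotFix reads the installed-updates record.
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastHotfix) {
    $findings += "No installed hotfix with an install date was found"
} elseif ((New-TimeSpan -Start $lastHotfix.InstalledOn -End (Get-Date)).Days -gt $MaxDaysSinceLastHotfix) {
    $findings += "Last hotfix $($lastHotfix.HotFixID) installed $($lastHotfix.InstalledOn.ToShortDateString()), older than $MaxDaysSinceLastHotfix days"
}

# 3. Emit one record per server, suitable for the maintenance log or POA&M evidence file.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    WsusServer   = $wuServer
    LastHotFixID = $lastHotfix.HotFixID
    LastHotFixOn = $lastHotfix.InstalledOn
    Compliant    = ($findings.Count -eq 0)
    Findings     = ($findings -join '; ')
}
```

Run it across the server fleet with Invoke-Command and export the returned objects to CSV; any record with Compliant = False is a server whose maintenance status needs follow-up.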
Example of Plan of Action and Milestones (POA&M):
Plan of Action and Milestones (POA&M) – Control Identifier: 3.7.1
Control Title: Maintenance of Organizational Systems
Control Description:
This control focuses on ensuring the effective maintenance of organizational systems, including user computers, servers, physical premise security systems, and network components. The organization follows industry best practices to ensure that system maintenance is conducted efficiently and securely. Most maintenance is automated, but manual updates are performed when necessary.
POA&M:
1. Review and Update Maintenance Procedures
- Milestone 1: Within 30 days, initiate a review of existing system maintenance procedures to ensure they align with industry best practices.
- Milestone 2: Within 60 days, update maintenance procedures to incorporate best practices and document the revised procedures.
2. Automated Workstation/OS Updates
- Milestone 3: Within 30 days, verify that automated updates for user computers through Lansweeper are functioning correctly.
- Milestone 4: Within 90 days, ensure that all user computers receive automated weekly updates successfully.
3. SonicWall Updates
- Milestone 5: Within 45 days, validate that SonicWall updates through the cloud console are configured and operational.
- Milestone 6: Within 120 days, confirm that SonicWall updates are consistently applied to maintain the latest threat protections and firmware releases.
4. Manual Switch Updates
- Milestone 7: Within 60 days, identify scenarios where manual switch updates are necessary for network infrastructure reliability.
- Milestone 8: Within 150 days, establish a clear process for performing manual switch updates when required, and ensure relevant staff are trained accordingly.
5. Windows Server Update Service (WSUS) Implementation
- Milestone 9: Within 90 days, deploy a Windows Server Update Service (WSUS) server for the management of operating system updates.
- Milestone 10: Within 180 days, verify that WSUS is effectively deploying and verifying the installation of operating system updates for all servers.
6. Physical Premise Security Systems
- Milestone 11: Within 60 days, review vendor-specified best practices and procedures for physical premise security systems, including alarm systems.
- Milestone 12: Within 210 days, ensure that all physical premise security systems are updated according to vendor guidelines and that monitoring capabilities are optimized.
7. Endpoint Security
- Milestone 13: Within 30 days, confirm that antivirus and endpoint protection mechanisms are present on all endpoints.
- Milestone 14: Within 240 days, establish a regular schedule for endpoint security updates and verification by IT administrators.
8. Ongoing Monitoring and Reporting
- Milestone 15: Ongoing, conduct periodic reviews and audits to ensure that all maintenance procedures and practices are consistently followed and effective.
9. Documentation and Reporting
- Milestone 16: Ongoing, maintain detailed records of maintenance activities and security updates for reporting and auditing purposes.
10. Policy Review
- Milestone 17: Within 360 days, review the organization’s System Security Plan (SSP) to ensure it reflects the updated maintenance procedures and practices.
RELEVANT INFORMATION:
This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers, and printers.[26] In general, system maintenance requirements tend to support the security objective of availability. However, improper system maintenance or a failure to perform maintenance can result in the unauthorized disclosure of CUI, thus compromising confidentiality of that information.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.