Function: Protect (PR)
Category: Maintenance (MA)
“Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.”
PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools.
Controls should be in place related to the information security aspects of information system maintenance programs. This applies to maintenance to any system component conducted by internal or external resources (e.g. contractor, warranty, in-house). Maintenance records, including date/time of maintenance, a description of maintenance performed, and the component/equipment removed or replaced would be valuable components to a maintenance record.
Auditors may review controlled maintenance processes and procedures. Verification of staff or vendors to make sure they are approved, authorized, and supervised may be asked for.
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
Remote maintenance activities are those conducted by individuals communicating through a network rather than local, physical access to the system. Authentication techniques, strong authentication mechanisms, and logging and monitoring are important components for protecting remote access for maintenance operations.
If maintenance is performed on servers, workstations, or other systems, auditors may request documentation showing who is allowed to connect to these systems, what software or service is used to connect, and if that access is logged and monitored. They may also check if multifactor authentication is required for remote access to sensitive systems.