Office of the Chief Technology Officer

System Maintenance Policy


Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 05/25/2021

1. Purpose

To specify the requirements for managing the risk that may result from the maintenance of District of Columbia Government (“District”) information assets.

2. Authority

DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.

3. Applicability

This policy applies to all District workforce members performing official functions on behalf of the District, and to any District agency or entity that receives enterprise services from OCTO. In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.

4. Policy

Hardware and software maintenance and support arrangements shall be required for all standard and non-standard desktops, servers, network infrastructure equipment, peripherals, and related software. This shall include applications and systems that are subject to proprietary maintenance and upgrade policies. Service, maintenance, and support shall be properly staffed and managed through a ticket management system and help desk.

District agencies shall develop their own security maintenance procedures in support of this policy, based on the requirements defined below:

4.1.  Controlled Maintenance

The District agencies must:

  1. Schedule, perform, document, and review records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
  2. Approve and monitor all maintenance activities, including routine scheduled information system security maintenance and repairs, whether the equipment is serviced onsite, serviced remotely, or moved to another location.
  3. Ensure that removal of the information system or any of its components from the facility for repair is first approved by an appropriate official.
  4. Sanitize equipment, following proper procedure, to remove any restricted or highly restricted information from associated media before the information system or any of its components is removed from organizational facilities for off-site maintenance or repairs.
  5. Verify proper functionality of all potentially impacted security controls after information system security maintenance is performed.
  6. Include the information defined in the agency’s procedure in organizational maintenance records.

4.2.  Maintenance Tools

District agencies must approve, control, and monitor the use of information system maintenance tools, and must maintain these tools on an ongoing basis.

4.3.  Maintenance Tools | Inspect Tools

District agencies must inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

4.4.  Maintenance Tools | Inspect Media

District agencies must scan media containing diagnostic and test programs to verify that they are free from malicious code before the media are used in the information system.

4.5.  Non-Local Maintenance

The District agencies must:

  1. Authorize, monitor, and control non-local maintenance and diagnostic activities.
  2. Allow the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and as documented in the security plan for the information system.
  3. Employ strong authenticators when establishing non-local maintenance and diagnostic sessions.
  4. Maintain records of non-local maintenance and diagnostic activities.
  5. Terminate sessions and network connections when non-local maintenance is completed.

4.6.  Non-Local Maintenance | Document Non-local Maintenance

District agencies must allow the use of non-local maintenance and diagnostic tools only as consistent with the agency’s policy and as documented in the security plan for the information system.

4.7.  Maintenance Personnel

The District agencies must:

  1. Establish a process for authorizing maintenance personnel, and maintain a current list of authorized maintenance organizations or personnel.
  2. Ensure that non-escorted personnel performing maintenance on the information system have the required access authorizations.
  3. Designate organizational personnel with the required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

4.8.  Timely Maintenance

District agencies must obtain maintenance support and/or spare parts for information systems and assets within defined service level agreements.

5. Exemption

Exceptions to this policy shall be requested in writing to the agency’s CIO, and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.

6. Definitions

The definitions of the terms used in this document can be found on the Policy Definitions website.