UMGC Policy X-1.15 UMGC Policy on Maintenance of Information Systems and Technology Resources

Purpose

The purpose of this Policy is to establish Information Security standards for the Maintenance processes relevant to UMGC Information Technology Resources.

Scope and Applicability

This Policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this Policy.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

Policy Statements

Information System Stewards or designee should ensure that security controls are in place to protect the routine maintenance activities that enable the University Information Systems to function correctly.

1. Maintenance must be performed on University Information Systems. In general, system maintenance requirements tend to support the security objective of availability and typically directed at five specific areas of the information technology infrastructure: servers, desktops, backups, network, and security. This maintenance should include:
   1. Corrective maintenance (e.g., repairing problems with the technology),
   2. Preventative maintenance (e.g., updates to prevent potential problems),
   3. Adaptive maintenance (e.g., changes to the operative environment), and
   4. Perfective maintenance (e.g., improve operations).
2. Controls must be provided on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. These controls include:
   1. Protection of the tools performing maintenance. These tools should remain secure, so they do not introduce software viruses or other bugs into University Information Technology Resources.
   2. Protection of maintenance processes so they are not used to harm University Information Technology Resources.
   3. Supervision of any employee or contractor responsible for maintenance activities to ensure that they don't behave in a malicious manner.
3. Multifactor Authentication (MFA) must be used whenever possible and reasonable to do so to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
4. Maintenance activities of personnel without required access authorization must be supervised.
5. Equipment removed for off-site maintenance must be sanitized of any Controlled Unclassified Information (CUI).
6. Media containing diagnostic and test programs must be checked for malicious code before the media are used in organizational systems.

Exceptions

Exceptions to this Policy should be submitted to Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the Sr. Director, Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. Most recent versions:
   1. USM IT Security Standards
   2. NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
   3. Cybersecurity Maturity Model Certification (CMMC)

1. UMGC Policy X-1.02 Data Classification  
2. UMGC Policy X-1.04 Information Security  
3. UMGC Policy X-1.08 IT Resources Configuration Management
4. UMGC Policy X-1.10 Identity and Access Management
5. UMGC Policy X-1.14 Media Protection
6. UMGC Policy X-1.22 System and Information Integrity 
7. UMGC Policy X-1.24 IT Asset Management