MA.L2-3.7.2—System Maintenance Control
Level 2
800-171: 3.7.2
Control Description
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your policy for controlling maintenance tools and personnel?
- How do you approve maintenance tools before they can be used on systems?
- What is your process for vetting maintenance personnel?
- How do you govern the use of vendor or third-party maintenance personnel?
- What procedures ensure maintenance activities don't introduce security risks?
Technical Implementation:
- What tools are approved for system maintenance?
- How do you technically control which tools can be used?
- What application control restricts maintenance tools?
- What logging captures maintenance tool usage?
- How do you verify maintenance tools are free from malware?
Evidence & Documentation:
- What maintenance procedures and schedules can you provide?
- What maintenance records and work orders demonstrate maintenance activities?
- What sanitization certificates show equipment was sanitized before off-site maintenance?
- What remote maintenance session logs can you show?
- What tool inventory lists approved maintenance tools?
- What evidence shows maintenance personnel are properly supervised or vetted?