System Maintenance Policy and Procedures
Internal Use
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 1.1 |
| Cadence | Annual |
| Policy Owner | Chief Technology Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-12, DCF-13, DCF-21, DCF-22, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-41, DCF-43, DCF-44, DCF-47, DCF-48, DCF-49, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-96, DCF-99, DCF-100, DCF-134 |
1. PURPOSE AND SCOPE
1.1 Purpose
The purpose of this policy and procedures document is to define how Dispel plans, authorizes, and conducts maintenance on in-scope systems in a way that preserves security, availability, and integrity.
1.2 Scope
This policy applies to:
- All maintenance activities on Dispel-managed production systems and supporting infrastructure.
- Use of maintenance tools, remote maintenance, and maintenance performed by internal staff or external parties.
- All Covered Persons authorized to perform or oversee system maintenance.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC6.1, CC6.2 | Logical and physical access controls related to maintenance activities. |
| 2 | ISO/IEC 27001 | A.8.8, A.8.9 | Management of technical vulnerabilities and configuration related to maintenance. |
| 3 | NIST SP 800-53 | MA-1, MA-2, MA-3, MA-4, MA-5, MA-6 | Maintenance policy and procedures, controlled maintenance, maintenance tools, remote maintenance, maintenance personnel, and timely maintenance. |
| 4 | IEC 62443 | 62443-2-3 | Patch and maintenance management for industrial systems. |
| 5 | HIPAA | 164.308(a)(1) | Risk management for maintenance activities affecting systems with ePHI. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL perform system maintenance in a planned, authorized, and documented manner that minimizes disruption and security risk.
2.3 Secondary Policy Statement
- Maintenance tools and remote maintenance SHALL be controlled and monitored.
- Only authorized and appropriately vetted personnel SHALL perform maintenance on production systems.
3. REQUIREMENTS
3.1 Controlled Maintenance
Objective: Ensure system maintenance is performed under controlled conditions.
Mandatory Activities:
- Maintenance activities SHALL be requested, approved, and documented before execution, except in emergencies.
- Where customers are impacted, maintenance windows SHALL be coordinated and, where feasible, communicated in advance.
- Maintenance activities SHALL be logged, including date, time, personnel, and actions taken.
Required Outputs:
- Maintenance requests and approvals.
- Maintenance activity logs.
Security Controls: NIST SP 800-53 MA-2.
3.2 Maintenance Tools and Remote Maintenance
Objective: Control the use of maintenance tools and remote maintenance access.
Mandatory Activities:
- Maintenance tools (hardware, software, firmware) used on in-scope systems SHALL be authorized and inventoried.
- Tools and associated media SHALL be inspected and sanitized as appropriate before use.
- Remote maintenance activities SHALL:
  - Use secure communication channels.
  - Be enabled only for the duration necessary.
  - Be monitored and logged.
Required Outputs:
- Inventory of authorized maintenance tools.
- Logs of remote maintenance sessions.
Security Controls: NIST SP 800-53 MA-3, MA-4.
3.3 Maintenance Personnel and Timely Maintenance
Objective: Ensure maintenance personnel are authorized and maintenance is timely.
Mandatory Activities:
- Only personnel with appropriate authorization and, where applicable, background checks SHALL perform maintenance on production systems.
- When individuals without appropriate access must perform maintenance, they SHALL be escorted or supervised, and activities SHALL be logged.
- Dispel SHALL ensure that required maintenance (e.g., patching, hardware servicing) is performed in a timely manner based on risk and vendor guidance.
Required Outputs:
- Records of maintenance personnel authorization.
- Schedules and records of maintenance activities.
Security Controls: NIST SP 800-53 MA-5, MA-6.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner
Responsibilities:
- Owns this System Maintenance Policy and Procedures.
- Ensures alignment with configuration and change management policies.
- Coordinates periodic reviews and updates.
4.2 System Owners
Responsibilities:
- Approve maintenance activities for systems they own.
- Ensure maintenance windows and customer notifications (where applicable) are managed.
- Verify that maintenance outcomes are as expected.
4.3 Maintenance Personnel / Administrators
Responsibilities:
- Perform maintenance in accordance with approved procedures.
- Use authorized tools and channels.
- Record maintenance activities and escalate issues as needed.
5. PROCEDURES
5.1 Maintenance Lifecycle (High-Level)
| Step | Action | Responsible Party | Timeframe |
|---|---|---|---|
| 1 | Identify maintenance need and define scope and impact. | System Owners, Administrators | As needed |
| 2 | Request and approve maintenance, including scheduling and communication. | System Owners, Policy Owner | Before maintenance window |
| 3 | Perform maintenance using authorized tools and methods; log actions. | Maintenance Personnel / Administrators | During maintenance window |
| 4 | Validate system functionality and security after maintenance. | System Owners, Administrators | Immediately after maintenance |
| 5 | Review maintenance records and update plans as needed. | Policy Owner, System Owners | Periodically |
6. MONITORING AND COMPLIANCE
6.1 Compliance Monitoring
Compliance with this policy SHALL be monitored through:
- Reviews of maintenance logs and approvals.
- Audits of remote maintenance controls and tool inventories.
- Incident reviews involving maintenance-related issues.
6.2 Metrics and Reporting
The following metrics SHALL be tracked and reported at least annually to the Policy Owner and senior management:
| Metric | Frequency | Owner |
|---|---|---|
| Percentage of maintenance activities with complete approvals and logs | Annual | Policy Owner |
| Number of maintenance-related incidents or issues | Quarterly | Security Officer |
| Timeliness of critical maintenance (e.g., patching high-risk vulnerabilities) | Quarterly | System Owners |
6.3 Non-Compliance Consequences
Failure to comply with this policy and procedures may result in:
- Increased risk of system failures or security incidents.
- Revocation or restriction of access for Covered Persons who repeatedly fail to follow maintenance procedures.
- Disciplinary action for employees and contractors, consistent with Dispel HR policies and applicable law.
7. EXCEPTIONS AND WAIVERS
7.1 Exception Process
Exceptions to this policy SHALL:
- Be submitted in writing by the requesting party.
- Identify the specific policy or procedural requirements for which an exception is sought.
- Include justification and business impact.
- Describe compensating controls or mitigation measures.
- Define exception duration and remediation plan.
7.2 Exception Approval Authority
| Risk Level | Approval Authority |
|---|---|
| Low | Policy Owner |
| Medium | Policy Owner and Security Officer |
| High | Policy Owner, Security Officer, and Senior Management representative |
| Critical | Senior Management representative in consultation with Policy Owner and Security Officer |
8. DEFINITIONS
Maintenance: Any activity intended to preserve or restore the functionality, performance, or security of a system or component.
Maintenance Tools: Hardware, software, or firmware used to perform maintenance on systems.
9. REFERENCES
9.1 Internal References
- Change Management Policy.
- System Configuration Management Policy and Procedures.
- System Planning Policy and Procedures.
9.2 External References
- NIST SP 800-53, MA family.
- ISO/IEC 27001 and related maintenance guidance.
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.1 | Predates version control | Ethan Schmertzler | Aligned System Maintenance Policy and Procedures to POLICY_TEMPLATE and updated control mappings. |
| 1.0 | Predates version control | Ethan Schmertzler | Initial System Maintenance Policy and Procedures. |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | | | |
| Security Officer | | | |
| Senior Management Representative | | | |
APPENDICES
Appendix A: Supporting Maintenance Procedures
This appendix may include:
- Standard operating procedures for planned and emergency maintenance.
- Checklists for remote maintenance setup and teardown.
Appendix B: Additional Guidance and Examples
This appendix may include:
- Example maintenance scenarios and lessons learned.
- References to industry best practices for system maintenance.