IT Baseline Protection Manual S 2.4 Maintenance/repair regulations


Initiation responsibility: Head of IT section

Implementation responsibility: Head of IT Section, Administrator, IT users

As a precautionary measure to safeguard IT systems against failure, proper performance of maintenance work is of particular importance. Timely initiation of maintenance work and monitoring of its execution should be ensured by a central unit (e.g. procurement office). Maintenance work should be carried out by trustworthy persons or companies.

In-house maintenance and repair

Supervisory regulations must be laid down for maintenance and repair work, especially if this is carried out by external staff: A competent person should supervise this work in such a way that he/she can assess whether unauthorised actions occur during such maintenance/repair. In addition, it must be verified whether the required maintenance has actually been carried out.

The following measures before and after maintenance/repair work must be planned:

External maintenance and repairs

If IT systems are sent away for maintenance or repair, all sensitive data on the data-medium must first be physically deleted. If this is not possible due to a defect preventing access to the data medium, the company responsible for the repairs is obliged to comply with the necessary IT-security measures. The contractual regulations should comply with S 3.2 (Commitment of staff members to compliance with relevant laws, regulations and provisions) regarding the secrecy of data. In particular, data stored externally during maintenance must be erased meticulously after work has been completed. The obligations and responsibilities of the external maintenance personnel must also be carefully specified.

The execution of external maintenance work must be logged: which IT systems or components have been sent away for repair, when and to whom, who was responsible, when the repair should be finished and when the machine was brought back. For reference, registration of the IT systems or components is necessary. On the one hand, this makes it clear to which organisation these systems belong, and on the other hand it allows straightforward classification within the organisation.

It must be ensured that damage or theft is prevented during transit of the IT components which are to be repaired. If sensitive data is still to be found on the IT systems, they must be transported with the appropriate protection, e.g. via locked containers or couriers. Moreover, proof of dispatch (accompanying documents, dispatch note) and arrival (confirmation of receipt) must be provided and logged.

In the case of IT systems protected with passwords, and depending on the scope of the repair work and the type of password security, all or some of the passwords must be made known, or a setting such as "REPAIR" must be established, so that the maintenance technicians can access the machines.

Once the IT systems or components have been handed back, their completeness must be checked. All passwords must be changed. PC data media must be checked for computer viruses with an up-to-date anti-virus program. All files contained in the repaired machine must be checked for integrity.
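
One way to carry out the file integrity check after hand-back, as an added example that is not part of the manual: record SHA-256 digests of the files before dispatch, keep that manifest off the machine, and compare it with a fresh manifest on return. The function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # links are skipped so the walk never leaves the medium
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest


def compare_manifests(before, after):
    """Return files modified, added or removed while the system was away."""
    common = before.keys() & after.keys()
    return {
        "modified": sorted(p for p in common if before[p] != after[p]),
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
    }


def demo():
    """Constructed sample: a temporary directory stands in for the data medium."""
    with tempfile.TemporaryDirectory() as root:
        samples = (("boot.cfg", b"timeout=5\n"), ("app.bin", b"\x00\x01"),
                   ("notes.txt", b"a\n"))
        for name, content in samples:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        before = build_manifest(root)  # taken before dispatch, stored elsewhere
        # Simulated changes during the repair (constructed for this example).
        with open(os.path.join(root, "boot.cfg"), "wb") as fh:
            fh.write(b"timeout=0\n")
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "tool.exe"), "wb") as fh:
            fh.write(b"MZ")
        return compare_manifests(before, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Every entry under "modified", "added" or "removed" then has to be explained by the documented scope of the repair or investigated.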

Remote maintenance

Regulations for remote maintenance are contained in S 5.33 Secure remote maintenance via modem.

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: July 2001