Policy 7230A - Department of Administration
Only pre-approved maintenance tools may be used in the maintenance of information systems. The use of maintenance tools shall be actively monitored.

A maintenance log shall be maintained for all information system maintenance. This log shall include:
• The date and time of the maintenance
• The name and organization of the person performing the maintenance
• The name of the escort if the person performing maintenance is not a State employee
• Description of the maintenance performed
• List of the information system components or component elements removed/replaced

Remote maintenance must be authorized, actively monitored and audited upon completion. The requirement for remote maintenance for an information system must be made available upon system acquisition and risk mitigation techniques included in the security plan. Risk mitigation techniques shall include encrypted communications, strong authentication protocols as well as positive session termination notification.

Ongoing support capabilities for core components of critical information systems are required. Demonstrably sufficient internal capabilities shall count as support, however sufficiency includes both experience and volume of staff. Where demonstrably sufficient internal capabilities do not exist, support contracts are mandatory and must be factored into the purchase price of information system components. Further, critical hardware must be configured for fault tolerance.

This restriction will only apply to core components of information systems implemented after the publishing of this policy. Core components of information systems deployed prior to the release of this document are considered exempt from this requirement.