MA-1: Maintenance – Policy and Procedures
NIST Baseline: Low
DIR Required By: 07/20/2023
Review Date: 07/24/2024
Purpose –
The Tarleton State University (Tarleton) Maintenance Policy and associated controls document the requirements to ensure that appropriate and timely maintenance is conducted to reduce the risks associated with unpatched resources.
Scope and Roles –
This policy applies to information resources owned or managed by Tarleton. The intended audience includes the Tarleton Chief Information Officer (CIO), Chief Information Security Officer (CISO), and information resource owners and custodians.
Compliance –
System Maintenance controls are implemented to ensure compliance with the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by Title 1 Texas Administrative Code §202.76 and Texas A&M University System Regulation 29.01.03, Information Security.
Implementation –
- The Tarleton CISO, in coordination with information resource owners and custodians, shall develop, document, and disseminate a policy and set of controls that address system maintenance for information resources. The policy and controls should:
  - Address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - Be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
- Information resource owners and custodians are responsible for:
  - Developing any procedures needed to implement the Maintenance Policy and associated controls, so that proper system maintenance is performed on information resources operated by or for Tarleton;
  - Ensuring that any maintenance performed is consistent with all applicable security controls, unless an exception has been approved by the Tarleton CISO; and
  - Ensuring that information resources remain under manufacturer warranty or support for security patches and that security patching is performed in a timely manner. For example:
    - Security patches provided by the vendor should be installed within the next maintenance window or within 30 days of release, whichever comes first.
- The CISO, or their designee, shall review and update the Maintenance Policy and associated controls as necessary.
Note: Where Control CM-3, Configuration Change Control, applies, change control procedures will be followed and security patches will be systematically tested, validated, and documented before implementation.