Purpose
Information system maintenance is required to ensure that information systems are always operating optimally. Set maintenance processes are required to ensure that maintenance is conducted in the most secure manner possible. Without systems maintenance the potential exists that information systems will be unable to provide appropriate information security. Without maintenance processes the potential exists that the act of performing systems maintenance could, either directly or indirectly, compromise information system security. This policy addresses the requirement for the information technology (IT) department to protect the college’s technology investments and minimize service interruptions, by performing a variety of network maintenance activities.
Scope
This Systems Maintenance Policy applies to all information systems and information system components of Saint Michael’s College. Specifically, it includes:
- Mainframes, servers and other devices that provide centralized computing capabilities.
- SAN, NAS and other devices that provide centralized storage capabilities.
- Desktops, laptops and other devices that provide distributed computing capabilities.
- Routers, switches and other devices that provide network capabilities.
- Firewalls, IDP sensors and other devices that provide dedicated security capabilities.
- Internet access, telecommunications services, printing services and email services.
Policy
- Mikenet will be kept operational on a 7 x 24 basis. When it is necessary to schedule service interruptions to perform system maintenance, such scheduled downtime will only occur after adequate notice is posted on the portal, at least 2 business days in advance.
- When an emergency situation requires that service be interrupted for any length of time and the nature of the emergency does not allow for the normal downtime scheduling procedure to be followed, adequate notice (email and/or portal notice) will be sent to the affected parties with as much advance warning as possible.
- Routine preventative and regular maintenance (including repairs) on information systems that has an end user impact shall be scheduled with a minimum 72-hour notification to ensure business units have sufficient notice and that conflicts are avoided.
- Maintenance shall be performed in accordance with manufacturer/vendor specifications and/or organizational requirements.
- Only pre-authorized personnel are allowed to perform information system maintenance. If maintenance personnel do not have sufficient facilities or information systems access authorization, they shall be accompanied at all times by personnel that do.
- Remote maintenance must be authorized by IT prior to service. Occasional audits will be performed upon completion in order to verify compliance. Remote maintenance must make use of appropriate risk mitigation techniques including, but not limited to, encrypted communications and strong authentication.
- Electronic copies of all Change Control Forms will be stored on the IT network share and organized by fiscal year. These records will be kept for 3 years.
Procedures and Forms
- Change Control Form
Standards and Guidelines
- COBIT 5 Management Practices, BAI03.10, Maintain solutions.
- COBIT 5 Management Practices, DSS05.01, Protect against malware.
Enforcement
Violation of any of the constraints of this policy or procedures will be considered a security breach and may be subject to discipline as outlined in the employee and student handbooks, or a termination of the contract in the case of contractors or consultants. Additionally, individuals may be subject to loss of Saint Michael’s College information resource access privileges, may be subject to legal action, and may also be held financially liable.
Controls
- Change Control Form
- IT Communication Plan
Metrics
Number of business disruptions due to IT service incidents.
COBIT Standards
- COBIT 5 Management Practices, BAI03.10, Maintain solutions.
- COBIT 5 Management Practices, DSS05.01, Protect against malware.
References
- COBIT 5: Enabling Processes, ©2012 ISACA