Systems Maintenance Policy

Purpose

Information system maintenance is required to ensure that information systems are always operating optimally. Set maintenance processes are required to ensure that maintenance is conducted in the most secure manner possible. Without systems maintenance the potential exists that information systems will be unable to provide appropriate information security. Without maintenance processes the potential exists that the act of performing systems maintenance could, either directly or indirectly, compromise information system security.  This policy addresses the requirement for the information technology (IT) department to protect the college’s technology investments and minimize service interruptions, by performing a variety of network maintenance activities.

Scope

This Systems Maintenance Policy applies to all information systems and information system components of Saint Michael’s College.   Specifically, it includes:

  • Mainframes, servers and other devices that provide centralized computing capabilities.

  • SAN, NAS and other devices that provide centralized storage capabilities.

  • Desktops, laptops and other devices that provide distributed computing capabilities.

  • Routers, switches and other devices that provide network capabilities.

  • Firewalls, IDP sensors and other devices that provide dedicated security capabilities.

  • Internet access, telecommunications services, printing services and email services.

Policy

  • Mikenet will be kept operational on a 7 x 24 basis. When it is necessary to schedule service interruptions to perform system maintenance, such scheduled downtime will only occur after adequate notice is posted on the portal, at least 2 business days in advance.

  • When an emergency situation requires that service be interrupted for any length of time and the nature of the emergency does not allow for the normal downtime scheduling procedure to be followed, adequate notice (email and/or portal notice) will be sent to the affected parties with as much advance warning as possible.

  • Routine preventative and regular maintenance (including repairs) on information systems that has an end user impact shall be scheduled with a minimum 72-hour notification to ensure business units have sufficient notice and that conflicts are avoided.

  • Maintenance shall be performed in accordance with manufacturer/vendor specifications and/or organizational requirements.

  • Only pre-authorized personnel are allowed to perform information system maintenance. If maintenance personnel do not have sufficient facilities or information systems access authorization, they shall be accompanied at all times by personnel that do.

  • Remote maintenance must be authorized by IT prior to service. Occasional audits will be performed upon completion in order to verify compliance.  Remote maintenance must make use of appropriate risk mitigation techniques including, but not limited to, encrypted communications and strong authentication.

  • Electronic copies of all Change Control Forms will be stored on the IT network share and organized by fiscal year.  These records will be kept for 3 years.

Procedures and Forms

  1. Change Control Form

Standards and Guidelines

  1. COBIT 5 Management Practices, BAI03.10, Maintain solutions.

  2. COBIT 5 Management Practices, DSS05.01, Protect against malware.

Enforcement

Violation of any of the constraints of this policy or procedures will be considered a security breach and may be subject to discipline as outlined in the employee and student handbooks, or a termination of the contract in the case of contractors or consultants.  Additionally, individuals may be subject to loss of Saint Michael’s College information resource access privileges, may be subject to legal action, and may also be held financially liable.

Controls

  • Change Control Form

  • IT Communication Plan

Metrics

Number of business disruptions due to IT service incidents.

COBIT Standards

  1. COBIT 5 Management Practices, BAI03.10, Maintain solutions.

  2. COBIT 5 Management Practices, DSS05.01, Protect against malware.

References

  1. COBIT 5: Enabling Processes, ©2012 ISACA

Print Article

Details

Article ID: 56644
Created
Wed 6/27/18 1:52 PM
Modified
Mon 3/16/20 1:43 PM