Establish, implement, and maintain a system preventive maintenance program.


CONTROL ID: 00885
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Asset Management program., CC ID: 06630

This Control has the following implementation support Control(s):
  • Establish and maintain maintenance reports., CC ID: 11749
  • Establish, implement, and maintain a system maintenance policy., CC ID: 14032
  • Establish, implement, and maintain a technology refresh plan., CC ID: 13061
  • Plan and conduct maintenance so that it does not interfere with scheduled operations., CC ID: 06389
  • Maintain contact with the device manufacturer or component manufacturer for maintenance requests., CC ID: 06388
  • Control and monitor all maintenance tools., CC ID: 01432
  • Control remote maintenance according to the system's asset classification., CC ID: 01433
  • Conduct offsite maintenance in authorized facilities., CC ID: 16473
  • Conduct maintenance with authorized personnel., CC ID: 01434
  • Respond to maintenance requests inside the organizationally established time frame., CC ID: 04878
  • Acquire spare parts prior to when maintenance requests are scheduled., CC ID: 11833
  • Perform periodic maintenance according to organizational standards., CC ID: 01435
  • Calibrate assets according to the calibration procedures for the asset., CC ID: 06203
  • Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system., CC ID: 10616


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should take appropriate measures having regard to common issues that could lead to disruptions of e-banking. Moreover, AIs should implement proper precautionary measures before and during scheduled maintenance or drills (see Annex C for examples of precautionary measures). (§ 9.5.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • To ensure the continued availability of AIs’ technology related services, AIs should maintain and service IT facilities and equipment (e.g. computer hardware, network devices, electrical power distribution, UPS and air conditioning units) in accordance with the industry practice, and suppliers’ … (5.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • App 2-1 Item Number V.1(1): The organization must develop maintenance rules and procedures, and they must be approved by the person responsible for maintenance. This is a control item that constitutes a greater risk to financial information. This is an IT general control. App 2-1 Item Number V.1(2):… (App 2-1 Item Number V.1(1), App 2-1 Item Number V.1(2), App 2-1 Item Number V.2(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O59: The organization shall define procedures for maintaining devices, which should include implementing maintenance and inspections and identifying inspection items and results. O59.1: The organization should develop maintenance programs based on the necessity and usage of each device and how prep… (O59, O59.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Development of maintenance programs (P51.4. ¶ 1(4), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In cases where maintenance is performed on some component device while the system is in operation, the maintenance work should be conducted by precisely following the procedures specified to protect the operating system against possible effects and in the presence of staff responsible for the device… (P54.7., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Ongoing support and maintenance controls would be needed to ensure that IT assets continue to meet business objectives. Major controls in this regard include change management controls to ensure that the business objectives continue to be met following change; configuration management controls to en… (Critical components of information security 6) (iii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An FI may employ a number of complex interdependent systems and network components for its IT processing. An entire system can become inoperable when a single critical hardware component or software module malfunctions or is damaged. The FI should develop built-in redundancies to reduce single point… (§ 8.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment. (Security Control: 0310; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Maintenance and repairs on equipment should be conducted onsite by a cleared technician, if possible. (Control: 0305, Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include procedures for maintaining the cryptographic hardware and cryptographic software. (Control: 0510 Table Row "Maintenance", Australian Government Information Security Manual: Controls)
  • expectations with respect to the maintenance of information security when using third parties and related parties; (21(f)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Acquisition and implementation controls would typically be in place to ensure that the IT security of the technology environment is not compromised by the introduction of new IT assets. Ongoing support and maintenance controls would typically be in place to ensure that IT assets continue to meet bus… (¶ 54, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Maintenance to equipment containing classified information should be done on site. If the equipment containing classified information needs to be taken off site, it should be sanitized and declassified or escorted at all times by appropriately cleared personnel who understand the repairs being made. Fo… (§ 3.4.21, § 3.4.23, § 3.4.24, Australian Government ICT Security Manual (ACSI 33))
  • Do secondary systems undergo thorough security maintenance, including abiding by all security policies and procedures? (Table Row XII.20, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Define and implement procedures to ensure timely maintenance of infrastructure to reduce the frequency and impact of failures or performance degradation. (DS13.5 Preventive Maintenance for Hardware, CobiT, Version 4.1)
  • Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation's change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requir… (AI3.3 Infrastructure Maintenance, CobiT, Version 4.1)
  • Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives. (§ 3 Principle 11 Points of Focus: Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities, COSO Internal Control - Integrated Framework (2013))
  • The resilience of technical infrastructure should be improved by applying standard servicing and maintenance disciplines, which include servicing equipment in accordance with manufacturers' recommended service intervals. (CF.20.03.08b, The Standard of Good Practice for Information Security)
  • The resilience of technical infrastructure should be improved by applying standard servicing and maintenance disciplines, which include servicing equipment in accordance with manufacturers' recommended service intervals. (CF.20.03.08b, The Standard of Good Practice for Information Security, 2013)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel. (BCR-07, Cloud Controls Matrix, v3.0)
  • ¶ 8.1.5(4) Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards… (¶ 8.1.5(4), ¶ 10.3.2, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The organization shall establish maintenance activities requirements, including the frequency, when the product's quality is affected by these activities or a lack of them. (§ 6.3 ¶ 2, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall implement procedures to correct random faults. (§ 6.4.10.3(b)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall implement procedures for the scheduled replacement of system elements. (§ 6.4.10.3(b)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Outsourced service providers should ensure procedures and policies are implemented so computing and related equipment necessary for continuity and recovery needs are installed, operated, and maintained in optimal condition. Policies and procedures should exist for all computing and related equipment… (§ 6.14.5, § 7.6.1, § 7.6.2, § 7.6.4, § 7.6.10, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.11.2.4 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • To ensure equipment will be available and operating correctly, proper maintenance should be performed. When maintenance is performed on equipment containing sensitive information, appropriate controls should be in place to prevent the unauthorized disclosure of information. (§ 9.2.4, ISO 27002 Code of practice for information security management, 2005)
  • actively contribute to conserving and restoring these systems. (§ 6.11.3.1 ¶ 1 Bullet 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • are maintained to ensure their continuing fitness for their purpose. (7.1.5.1 ¶ 2(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Equipment should be correctly maintained to ensure its continued availability and integrity. (§ 11.2.4 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information. (§ 7.13 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives. (CC5.2 ¶ 2 Bullet 4 Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Policies, standards and procedures for the maintenance of assets include, but are not limited to, physical entry controls, equipment maintenance and removal of assets. (PR.MA-1.1, CRI Profile, v1.2)
  • Policies, standards and procedures for the maintenance of assets include, but are not limited to, physical entry controls, equipment maintenance and removal of assets. (PR.MA-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Procedures exist to maintain system components, including configurations that are consistent with the system security policies. (Security Prin. and Criteria Table § 3.12, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to maintain system components, including configurations that are consistent with the system availability and related security policies. (Availability Prin. and Criteria Table § 3.15, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to maintain system components, including configurations that are consistent with the system processing integrity and related security policies. (Processing Integrity Prin. and Criteria Table § 3.16, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to maintain system components, including configurations that are consistent with the system confidentiality and related security policies. (Confidentiality Prin. and Criteria Table § 3.18, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives. (CC5.2 Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities, Trust Services Criteria)
  • Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives. (CC5.2 ¶ 2 Bullet 4 Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities, Trust Services Criteria, (includes March 2020 updates))
  • Detecting, preventing, and responding to attacks, intrusions, or other systems failures; and (Section 4.C ¶ 1(4)(c), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Each Responsible Entity shall implement one or more documented Physical Access Control System maintenance and testing program(s) that collectively include each of the applicable requirement parts in CIP-006-6 Table R3 – Maintenance and Testing Program. [Violation Risk Factor: Medium] [Time Horizon… (B. R3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Physical Security of BES Cyber Systems CIP-006-6, Version 6)
  • That preventative maintenance schedules should be developed for cleaning and maintaining the HVAC system. (Pg 21, Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139, May 2002)
  • CSR 1.9.4(3): The organization must document the software/hardware installation and maintenance, including review and testing of security features and patch management. CSR 5.9.9: The organization must use measures and automated mechanisms to verify that maintenance is scheduled and conducted as re… (CSR 1.9.4(3), CSR 5.9.9, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Verify the organization schedules, performs, and documents routine preventative and regular maintenance on the components of the Information System in accordance with manufacturer or vendor specifications and/or organizational requirements. (COMS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • If an uncleared person conducts the maintenance, he/she must be escorted; the maintenance work must be done on an unclassified copy of the operating system; nonvolatile data storage must be removed or disconnected; his/her activities must be recorded in the maintenance log; and keystroke monitoring … (§ 8-304, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • § 820.70(g)(1): A medical device manufacturer shall establish and maintain maintenance schedules for adjusting, cleaning, and other maintenance. The maintenance activities, along with the date completed and the name(s) of the individual(s) who performed the maintenance, shall be documented. § 820.… (§ 820.70(g)(1), § 820.200(a), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Records must be maintained of all maintenance, calibration, and testing of security equipment. The records must contain the date and time the work was done; the name and qualifications of the individual(s) who did the work; and the specific security equipment involved in repair, calibration, or test… (§ 27.255(a)(4), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • Day-to-day operation and maintenance of infrastructure components. (App A Objective 2:9c Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Appropriate preventive maintenance or operational restoration processes for equipment within the facilities that support the entity's business objectives. (VI.B Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The preventive maintenance program should include supporting equipment, such as temperature and humidity controls and alarms. (Pg C-7, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Preventive maintenance should not be performed by computer operators, except for cleaning equipment and cleaning the operations center. All maintenance contracts should guarantee timely performance. (Pg 20, Pg 21, Exam Tier I Obj 7.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Calls for routine periodic preventive maintenance of hardware. It does not discuss maintenance agreements but does pay special attention to the need for maintenance schedules to interrupt operations as little as possible. (SC-2.4, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The service provider must define a list of the security-critical Information System components and/or key Information Technology components that require timely maintenance. (Column F: MA-6, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the list of security-critical Information System components and key Information Technology components that require timely maintenance. (Column F: MA-6, FedRAMP Baseline Security Controls)
  • The organization must develop, document, distribute, and continuously update a maintenance policy and procedures for implementing the maintenance security controls. (§ 5.6.9, Exhibit 4 MA-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the Credit Union have a formal, written policy for how networked applications are approved, prioritized, acquired, developed, and maintained? (IT - Networks Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Restrict or prohibit field maintenance on [Assignment: organization-defined systems or system components] to [Assignment: organization-defined trusted maintenance facilities]. (MA-7 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization must maintain the authentication system after it has been selected and installed. The organization should develop a maintenance plan or have one provided by the vendor long before the system is installed. (§ 8.4 ¶ 1, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)
  • Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure the information system maintenance policy and procedures are documented, disseminated, reviewed, and updated and specific responsibilities and actions are defined for the implementation of the information system maintenance policy and… (MA-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Organizations should define a maintenance plan for each maintenance group for each applicable risk response scenario. A maintenance plan defines the actions to be taken when a scenario occurs for a maintenance group, including the timeframes for beginning and ending each action, along with any other… (3.5 ¶ 1, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • Organizations should closely track and monitor all exceptions to maintenance plans. As explained in Section 3.4, maintenance groups should be defined to minimize assets considered "exceptions." However, having some exceptions is inevitable. All exceptions to maintenance plans should be reviewed regu… (3.5.5 ¶ 1, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • Ensure all systems security operations and maintenance activities are properly documented and updated as necessary. (T0085, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Consult with customers about software system design and maintenance. (T0311, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must develop and implement a smart grid information system maintenance security policy. (SG.MA-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system maintenance security policy must include the objectives, roles, and responsibilities of the program. (SG.MA-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system maintenance security policy must include the scope of the program. (SG.MA-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should require maintenance personnel to notify the smart grid Information System Administrator of when remote maintenance will occur. (SG.MA-6 Additional Considerations A2.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should develop policies and use automated mechanisms to ensure that periodic maintenance is scheduled and conducted as required, and that a log of needed and completed maintenance actions is up to date, accurate, complete, and available. (App F § MA-2(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, a formal, documented information system maintenance policy that includes the purpose, roles, responsibilities, scope, coordination among entities, compliance, and management commitment. (App F § MA-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, formal, documented procedures to implement the information system maintenance policy and its associated controls. (App F § MA-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must control on-site maintenance activities and remote maintenance activities. (App F § MA-2.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Ensure all systems security operations and maintenance activities are properly documented and updated as necessary. (T0085, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Consult with customers about software system design and maintenance. (T0311, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (MA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls. (MA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (MA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls. (MA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (MA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls. (MA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (MA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls. (MA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Restrict or prohibit field maintenance on [Assignment: organization-defined systems or system components] to [Assignment: organization-defined trusted maintenance facilities]. (MA-7 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Restrict or prohibit field maintenance on [Assignment: organization-defined systems or system components] to [Assignment: organization-defined trusted maintenance facilities]. (MA-7 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop and implement a maintenance program to ensure security systems are in good working order. (Table 1: Equipment Maintenance and Testing Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Through routine use or quarterly examination, verify the proper operation and/or condition of all security equipment. (Table 1: Equipment Maintenance and Testing Enhanced Security Measures Cell 1, Pipeline Security Guidelines)
  • Detecting, preventing, and responding to attacks, intrusions, or other systems failures. (Section 27-62-4(c)(4) c., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Detection, prevention and response to attacks, intrusions or other systems failures; (Part VI(c)(3)(D)(iii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Detecting, preventing, and responding to an attack, intrusion, or other system failure. (§ 8604.(c)(4) c., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Detecting, preventing, and responding to attacks, intrusions, or other systems failures; and (§431:3B-202(b)(4)(C), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Procedures for detecting, preventing, and responding to cybersecurity events or other systems failures. (Sec. 17.(4)(C), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Detection, prevention, and response to an attack, intrusion, or other system failure. (507F.4 3.d.(3), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Detecting, preventing, and responding to attacks, intrusions, or other systems failures. (§2504.C.(4)(c), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Detecting, preventing and responding to attacks, intrusions or other system failures; and (§2264 3.D.(3), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Detecting, preventing, and responding to attacks, intrusions, or other systems failures. (Sec. 555.(3)(d)(iii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • detecting, preventing, and responding to attacks, intrusions, or other systems failures; and (§ 60A.9851 Subdivision 3(4)(iii), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Detecting, preventing and responding to attacks, intrusions or other systems failures; and (§ 83-5-807 (3)(d)(iii), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Detecting, preventing, and responding to attacks, intrusions, or other systems failures. (§ 420-P:4 III.(d)(3), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Detecting, preventing, and responding to attacks, intrusions, or other systems failures; and (26.1-02.2-03. 3.d.(3), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Detecting, preventing, and responding to attacks, intrusions, or other systems failures. (Section 3965.02 (C)(4)(c), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • detecting, preventing, and responding to attacks, intrusions, or other systems failures; and (SECTION 38-99-20. (C)(4)(c), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Detection, prevention, and response to attacks, intrusions, or other information systems failures; and (§ 56-2-1004 (3)(D)(iii), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Processes for detecting, preventing, and responding to attacks, intrusions, and other system failures. (§ 601.952(2)(c)3., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)