Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ma-3

maintenance tools 

assessment objective:

Determine if the organization:

ma-3[1]

approves information system maintenance tools;

ma-3[2]

controls information system maintenance tools; and

ma-3[3]

monitors information system maintenance tools.

potential assessment methods and objects:

Examine: [select from: Information system maintenance policy; procedures addressing information system maintenance tools; information system maintenance tools and associated documentation; maintenance records; other relevant documents or records].

Interview: [select from: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for approving, controlling, and monitoring maintenance tools; automated mechanisms supporting and/or implementing approval, control, and/or monitoring of maintenance tools].