Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ma-3(3)

maintenance tools  | prevent unauthorized removal 

assessment objective:

Determine if the organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

ma-3(3)(a)

verifying that there is no organizational information contained on the equipment;

ma-3(3)(b)

sanitizing or destroying the equipment;

ma-3(3)(c)

retaining the equipment within the facility; or

ma-3(3)(d)

ma-3(3)(d)[1]

defining personnel or roles that can grant an exemption from explicitly authorizing removal of the equipment from the facility; and

ma-3(3)(d)[2]

obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.

potential assessment methods and objects:

Examine: [select from: Information system maintenance policy; procedures addressing information system maintenance tools; information system maintenance tools and associated documentation; maintenance records; equipment sanitization records; media sanitization records; exemptions for equipment removal; other relevant documents or records].

Interview: [select from: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization].

Test: [select from: Organizational process for preventing unauthorized removal of information; automated mechanisms supporting media sanitization or destruction of equipment; automated mechanisms supporting verification of media sanitization].