Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ma-4

nonlocal maintenance

assessment objective:

Determine if the organization:

ma-4(a)  

ma-4(a)[1]

approves nonlocal maintenance and diagnostic activities;

ma-4(a)[2]

monitors nonlocal maintenance and diagnostic activities;

ma-4(b)

allows the use of nonlocal maintenance and diagnostic tools only:

ma-4(b)[1]

as consistent with organizational policy;

ma-4(b)[2]

as documented in the security plan for the information system;

ma-4(c)

employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

ma-4(d)

maintains records for nonlocal maintenance and diagnostic activities;

ma-4(e)

ma-4(e)[1]

terminates sessions when nonlocal maintenance or diagnostics is completed; and

ma-4(e)[2]

terminates network connections when nonlocal maintenance or diagnostics is completed.

potential assessment methods and objects:

Examine: [select from: Information system maintenance policy; procedures addressing nonlocal information system maintenance; security plan; information system design documentation; information system configuration settings and associated documentation; maintenance records; diagnostic records; other relevant documents or records].

Interview: [select from: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities; system/network administrators].

Test: [select from: Organizational processes for managing nonlocal maintenance; automated mechanisms implementing, supporting, and/or managing nonlocal maintenance; automated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions; automated mechanisms for terminating nonlocal maintenance sessions and network connections].