Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ma-4(5)

nonlocal maintenance  | approvals and notifications

assessment objective:

Determine if the organization:

ma-4(5)(a)  

ma-4(5)(a)[1]

defines personnel or roles required to approve each nonlocal maintenance session;

ma-4(5)(a)[2]

requires the approval of each nonlocal maintenance session by organization-defined personnel or roles;

ma-4(5)(b)

ma-4(5)(b)[1]

defines personnel or roles to be notified of the date and time of planned nonlocal maintenance; and

ma-4(5)(b)[2]

notifies organization-defined personnel roles of the date and time of planned nonlocal maintenance.

potential assessment methods and objects:

Examine: [select from: Information system maintenance policy; procedures addressing non-local information system maintenance; security plan; notifications supporting nonlocal maintenance sessions; maintenance records; audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with information system maintenance responsibilities; organizational personnel with notification responsibilities; organizational personnel with approval responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for approving and notifying personnel regarding nonlocal maintenance; automated mechanisms supporting notification and approval of nonlocal maintenance].