Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ma-5

maintenance personnel

assessment objective:

Determine if the organization:

ma-5(a)  

ma-5(a)[1]

establishes a process for maintenance personnel authorization;

ma-5(a)[2]

maintains a list of authorized maintenance organizations or personnel;

ma-5(b)

ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

ma-5(c)

designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

potential assessment methods and objects:

Examine: [select from: Information system maintenance policy; procedures addressing maintenance personnel; service provider contracts; service-level agreements; list of authorized personnel; maintenance records; access control records; other relevant documents or records].

Interview: [select from: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for authorizing and managing maintenance personnel; automated mechanisms supporting and/or implementing authorization of maintenance personnel].