IT equipment such as servers, laptops, network devices, and printers is vital to many information processing operations such as the storage, use, and transfer of information assets. However, if this equipment is not maintained with product specifications and environmental risks taken into account, it may degrade in quality and performance. This lack of maintenance may result in the compromise of the availability, integrity, and confidentiality of information assets stored on this equipment. For example, if an organisation fails to perform regular maintenance on server hardware, it may not recognize that the disk space is full. This may result in loss of data transmitted to or out of the server. Furthermore, employees or external service providers may gain access to IT equipment as part of the maintenance procedure, and this may also present risks to the confidentiality of sensitive information. For instance, an external maintenance service provider may gain access to sensitive information stored on laptops or install malware on devices. The organisation can establish and implement appropriate procedures and measures for the proper maintenance of equipment so that the information assets stored on this equipment are not compromised.
Maintenance is the set of all actions whose objective is to retain an item (or the whole system) in, or restore it to, a state in which it can perform the required function. The actions include the combination of all technical and related administrative, managerial, and supervisory actions such as tests, measurements, replacements, adjustments and repairs. Maintenance is distinguished as:
- Preventive, which aims at retaining the system’s capabilities before the occurrence of any problem (e.g. system failure).
- Corrective, which aims at restoring the defective item(s) to the required state.
- Adaptive, which focuses on adjusting equipment to properly interface with a changing environment.
- Perfective, which refers to enhancements to the product in order to either add new capabilities or modify existing functions.
Control
Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.
Purpose
To prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organization’s operations caused by lack of maintenance.
ISO 27002 Implementation Guidance
The following guidelines for equipment maintenance should be considered:
- maintaining equipment in accordance with the supplier’s recommended service frequency and specifications;
- implementing and monitoring of a maintenance program by the organization;
- only authorized maintenance personnel carrying out repairs and maintenance on equipment;
- keeping records of all suspected or actual faults, and of all preventive and corrective maintenance;
- implementing appropriate controls when equipment is scheduled for maintenance, taking into account whether this maintenance is performed by personnel on site or external to the organization, subjecting the maintenance personnel to a suitable confidentiality agreement;
- supervising maintenance personnel when carrying out maintenance on site;
- authorizing and controlling access for remote maintenance;
- applying security measures for assets off-premises if equipment containing information is taken off premises for maintenance;
- complying with all maintenance requirements imposed by insurance;
- before putting equipment back into operation after maintenance, inspecting it to ensure that the equipment has not been tampered with and is functioning properly;
- applying measures for secure disposal or re-use of equipment if it is determined that equipment is to be disposed of.
Other information
Equipment includes technical components of information processing facilities, uninterruptible power supply (UPS) and batteries, power generators, power alternators and converters, physical intrusion detection systems and alarms, smoke detectors, fire extinguishers, air conditioning and lifts.
Organisations are to put in place the necessary technical measures and procedures to carry out proper maintenance activities on equipment used to store information assets. These measures and procedures provide assurance that information assets are not lost or damaged, and that they are not exposed to the risk of compromise such as unauthorised access. The organization must create a list of equipment, carry out a risk assessment based on environmental factors and product specifications, and establish and implement suitable procedures and measures for proper maintenance. The following are considered equipment:
- Technical components of information processing facilities
- Batteries
- Fire extinguishers
- Lifts
- Power converters
- Air conditioners
- Similar assets
The organization should consider the following specific recommendations:
- Maintenance procedures should conform to the equipment manufacturer’s specifications such as recommended service frequency.
- Organisations should establish and apply a maintenance program for all equipment.
- Only authorized personnel or third parties should be allowed to perform maintenance activities or repairs on equipment.
- Organisations should create and maintain a record of all equipment malfunctioning and faults. Furthermore, this record should also include all maintenance activities carried out on equipment.
- Organisations should apply suitable measures during the performance of maintenance, considering whether the maintenance is performed by an employee or a third-party service provider. Furthermore, the relevant personnel should sign a confidentiality agreement.
- Personnel performing the maintenance work should be supervised at all times.
- Remote maintenance work should be subject to strict access and authorization procedures.
- If equipment is taken out of premises for maintenance work, organisations should apply appropriate security measures.
- Organisations should adhere to all requirements imposed by insurance providers on how to carry out maintenance.
- Organisations should inspect equipment that went through maintenance work to ensure that it has not been tampered with and functions properly.
- If the equipment will be disposed of or reused, organisations should establish and implement suitable measures and procedures.
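The record-keeping, authorization, remote-access and post-maintenance inspection recommendations above can be checked mechanically once maintenance is logged. The following is an added example, not part of ISO 27002 or of this article; the record layout, field names and finding labels are hypothetical, and the sample data is constructed.

```python
from datetime import date, timedelta

# Constructed sample data; all field names and finding labels are hypothetical.
AUTHORIZED = {"tech-a", "vendor-b"}
INVENTORY = [
    {"asset": "srv-01", "service_interval_days": 180},  # supplier's recommended frequency
    {"asset": "ups-01", "service_interval_days": 365},
    {"asset": "fw-01", "service_interval_days": 90},
]
RECORDS = [
    {"asset": "srv-01", "date": date(2024, 1, 10), "by": "tech-a",
     "remote": False, "remote_approved": False, "supervised": True, "inspected_after": True},
    {"asset": "fw-01", "date": date(2024, 8, 1), "by": "contractor-x",
     "remote": True, "remote_approved": False, "supervised": False, "inspected_after": False},
]


def audit(inventory, records, authorized, today):
    """Return sorted (asset, finding) pairs for records that miss a guideline."""
    findings, last_service = [], {}
    for r in records:
        asset = r["asset"]
        # Track the most recent maintenance date per asset.
        last_service[asset] = max(last_service.get(asset, r["date"]), r["date"])
        if r["by"] not in authorized:
            findings.append((asset, "unauthorized-personnel"))
        if r["remote"] and not r["remote_approved"]:
            findings.append((asset, "remote-not-authorized"))
        if not r["remote"] and not r["supervised"]:
            findings.append((asset, "unsupervised-onsite"))
        if not r["inspected_after"]:
            findings.append((asset, "no-post-maintenance-inspection"))
    for item in inventory:
        last = last_service.get(item["asset"])
        if last is None:
            findings.append((item["asset"], "no-maintenance-record"))
        elif today - last > timedelta(days=item["service_interval_days"]):
            findings.append((item["asset"], "service-overdue"))
    return sorted(findings)


if __name__ == "__main__":
    for asset, finding in audit(INVENTORY, RECORDS, AUTHORIZED, date(2024, 9, 1)):
        print(f"{asset}: {finding}")
```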
Steps to carry out Maintenance
1) Preparing: Since the Organization may possess information systems and tools purchased from different vendors over a long period of time, efficient record keeping of the systems in hand is essential for maintenance management; hence performing a hardware, software and telecommunications inventory is the first step of an efficient maintenance program. Appropriate maintenance of the records and transaction monitoring keep the information up to date, which in turn allows statistical data to be extracted and used as input to further consideration of system maintainability, sustainability and related costs. For record keeping, simple techniques like spreadsheets and custom databases may be used; for efficient monitoring of complex systems an integrated Asset Management tool is required. A data preservation survey must be conducted, indicating the volumes, importance and retention period of data, which in turn results in decisions about data retention periods, backups and requirements on availability and security. Finally, simple and consistent processes must be defined for issue reporting and restoring activities.
2) Obtain good and detailed system documentation: A well-documented system (covering the entire architecture as well as all of its elements) is very important, especially for software maintenance. Furthermore, updated documentation, reflecting the changes derived from the maintenance activities, should be provided for future purposes. Good documentation aims at providing structured instead of unstructured maintenance:
- Unstructured maintenance wades straight into the source code and makes changes based on that alone
- Structured maintenance examines and modifies the original design, and then reworks the code to match it
Clearly structured maintenance is a more reliable and (usually) a more efficient process. Unfortunately, it’s not possible without detailed design documentation.
3) Prioritizing needs: Maintenance costs are a significant part of the system’s total life cycle costs. Therefore, revising the business non-functional requirements (such as availability, performance, etc.) for each part of the system is essential before signing any new maintenance contract, in order to keep the Organization’s costs within affordable limits.
4) Contracting: Maintenance contracts may be signed with the Equipment providers who supplied the equipment system or third parties who are in possession of the appropriate infrastructure. Increasing the number of contracts and contractors increases complexity and may cause administrative problems; hence it is advisable to review and consolidate maintenance contracts regularly, possibly achieving significant cost reductions as well.
5) Hardware Inventory includes:
- Enterprise level servers, disk storage equipment
- Distributed servers, disk storage and network communications equipment (LAN)
- Local Desktop Devices, Laptops, Cell Phones, PDA’s, etc.
- UPS, Generators, Emergency Power Systems
- Associated Maintenance Agreements
- System Documentation
6) Software Inventory includes:
- Verification of the type of license and transferability (e.g. Master License Agreement, Academic License Agreement, etc)
- Enterprise level commercial-off-the-shelf (COTS) software licenses, installation media and documentation.
- Custom developed software, configuration management libraries & procedures, binary images, documentation and all project related material.
- Distributed COTS software licenses, installation media and documentation
- Local COTS software licenses, installation media and documentation
- Software and Associated Maintenance Agreements
- Transference to New Dept or Local Entity
- System Documentation
- Version Control
- Configuration Management
7) Telecommunications Inventory includes:
- Network Equipment (leased, financed or owned), Maintenance Agreements and Circuits
- PBX, Switches
- Racks and Other Peripherals
- Circuits, Service Providers, Maintenance and Monitoring Contracts
- Point-to-Point Connections
- Impact on internal and external entities if services are terminated
8) Scheduling: Maintenance activities scheduling takes place only for preventive maintenance, which is performed during planned outage periods. Preventive maintenance has the following objectives:
- Keeping equipment and facilities in satisfactory operating condition by providing for systematic inspection, detection, and correction of incipient failures either before they occur or before they develop into major defects.
- Maintenance, including tests, measurements, adjustments, and parts replacement, performed specifically to prevent faults from occurring.
9) Monitoring: Maintenance activities must be monitored. Related transaction data are used in the calculation of penalties (if applicable), tracing of costs, etc., whereas statistical data contribute to decisions about system maintainability, sustainability or upgrade needs.