
Maintenance

Overview

This updated standard helps align existing practices within the Office of Information Technology (OIT) around maintenance controls with the requirements in NIST 800-171 (MA | 3.7.x) as well as industry best practices. This document does not give full coverage of the 3.7.x controls within 800-171 due to existing limitations and other requirements that are specific to CUI.

What is in this document:

  • Patching requirements
  • Access control tie-in for remote maintenance
  • Security requirements for third-party repairs

What is NOT in this document:

  • Patching procedures or methods
  • Remote maintenance procedures or methods
  • Approved third-party repair providers

Policy References

APM 30.11 University Data Classification and Standards

APM 30.12 Acceptable Use of Technology Resources

APM 30.14 Cyber Incident Reporting and Response

APM 30.15 Password and Authentication Policy

Purpose

This Identification and Authentication standard supports APM 30.11 University Data Classification and Standards, and other relevant university policies.

Scope

These standards are the minimum baseline for all managed and unmanaged systems that access, store, or process University of Idaho data (see APM 30.14 C-6) or use University of Idaho technology resources (see APM 30.12 C-1) at the Low, Moderate or High risk levels (see APM 30.11) and that are not otherwise covered by an approved system security plan.

Standards

Only run operating systems which are currently supported and patched. Apply security patches to address flaws in systems and applications automatically, or within 10 days.

  1. Patches may be applied in a timeframe approved through a risk-based vulnerability assessment process approved by the OIT Security Office and all affected data and system owners.

    Applies to: Low / Moderate / High

Authentication for remote maintenance must go through authenticated channels compliant with the Access Control and Identification and Authentication standards.

Applies to: Low / Moderate / High

  1. Prior to sending equipment back to vendors or third parties for repairs that cannot be done in-house, systems must be sanitized using the standards described in Media Protection.

    Applies to: High

  2. Prior to sending equipment back to vendors or third parties for repairs that cannot be done in-house, systems must be either encrypted using OIT-managed encryption or sanitized using the standards described in Media Protection.

    Applies to: Moderate

  3. Keys, passwords or other authentication secrets for accessing university technology resources must not be shared with third parties, as required by APM 30.15.

    Applies to: Low / Moderate / High

    1. Temporary credentials assigned only to the vendor must be used if access is required to perform or validate repairs.

  4. Any on-site maintenance by third parties must be supervised unless operating under an approved contract.

    Applies to: Moderate / High

Other References

1. NIST SP 800-171 r2 (February 2020)

2. NIST SP 800-53 r5 (September 2020)

3. Media Protection standard

Definitions

1. Security patch

Updates or fixes released by vendors to resolve a security vulnerability.

2. Remote maintenance

Accessing a system via a network connection for the purpose of working on the system itself.

3. Third party

Any entity that is not an owner, user or otherwise authorized individual within a system. This may include university affiliates that are not authorized for a specific system.

Standard Owner

OIT Security is responsible for the content and management of these standards.

To request an exception to this standard, contact: oit-security@rnveurope.com

Revision History

3/1/2024 — Minor updates

  • Minor formatting/wording/reference changes.

6/23/2023 — Original standard

  • Full re-write to align with NIST 800-171r2
