IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.4 Maintenance/repair regulations
Initiation responsibility: Head of IT section
Implementation responsibility: Head of IT Section, Administrator, IT users
As a precautionary measure to safeguard IT systems against failure, proper
performance of maintenance work is of particular importance. Timely
initiation and monitoring the execution of maintenance work should be
ensured by a central unit (e.g. procurement office). Maintenance work should
be carried out by trustworthy persons or companies.
In-house maintenance and repair
Supervisory regulations must be laid down for maintenance and repair work,
especially if this is carried out by external staff: A competent person should
supervise this work in such a way that he/she can assess whether unauthorised
actions occur during such maintenance/repair. In addition, it must be verified
whether the required maintenance has actually been carried out.
The following measures before and after maintenance/repair work must
be planned:
- The relevant staff members must be informed of the measures.
- Maintenance engineers must, upon request, establish their identity.
- Data access by the maintenance engineer must be avoided to the extent
possible. If and where required, data media should be previously removed
or deleted (after complete backup), especially when such work is carried
out externally. If deletion is not possible (e.g. because of a defect), such
work must be monitored also externally or specific contractual
arrangements must be made.
- The entry and access permissions granted to maintenance engineers are to
be confined to the absolute minimum and must be revoked or cancelled
after such work.
- Upon completion of maintenance or repair work, changes to the passwords
will be required depending on the "penetration depth" afforded to
maintenance staff. With regard to PCs, it might be expedient to make a
computer virus check.
- The maintenance work carried out must be documented (scope, results,
time, possibly the name of the maintenance engineer).
External maintenance and repairs
If IT systems are sent away for maintenance or repair, all sensitive data on the
data-medium must first be physically deleted. If this is not possible due to a
defect preventing access to the data medium, the company responsible for the
repairs is obliged to comply with the necessary IT-security measures. The
contractual regulations should comply with S 3.2 (Commitment of staff
members to compliance with relevant laws, regulations and provisions)
regarding the secrecy of data. In particular, data stored externally during
maintenance must be erased meticulously after work has been completed. The
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000