3.7.5—Maintenance - Derived
Derived Requirement
Control Description
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Discussion
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through an external network. The authentication techniques employed in the establishment of these nonlocal maintenance and diagnostic sessions reflect the network access requirements in 3.5.3.
Cross-Framework Mappings
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern nonlocal maintenance?
- What approval process exists for remote maintenance?
- How do you ensure remote maintenance is authorized?
- Who monitors nonlocal maintenance sessions?
- What governance controls remote maintenance access?
Technical Implementation:
- What technical controls secure nonlocal maintenance?
- How do you implement secure remote maintenance channels?
- What authentication and encryption protect remote sessions?
- How do you monitor and log remote maintenance activities?
- What mechanisms terminate remote maintenance access after use?
Evidence & Documentation:
- Can you provide remote maintenance approvals?
- What logs track nonlocal maintenance sessions?
- Can you demonstrate secure remote maintenance connections?
- What evidence shows remote maintenance is controlled?
- What audit findings verify nonlocal maintenance compliance?