Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools from Cybersecurity Fundamentals framework

SAMMY UI is optimized for resolutions with a width 1024px and higher.

PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

Maturity Level 1

Maturity Level 2

Maturity Level 3

PR.MA-1.1

PR.MA-1.1: Patches and security updates for Operating Systems and critical system components shall be installed.

Limit yourself to only install those applications (operating systems, firmware, or plugins ) that you need to run your business and patch/update them regularly.
You should only install a current and vendor-supported version of software you choose to use. It may be useful to assign a day each month to check for patches.
There are products which can scan your system and notify you when there is an update for an application you have installed. If you use one of these products, make sure it checks for updates for every application you use.
Install patches and security updates in a timely manner.

Description

Patches and security updates for Operating Systems and critical system components shall be installed.

PR.MA-1.2

PR.MA-1.2: The organization shall plan, perform and document preventive maintenance and repairs on its critical system components according to approved processes and tools.

Perform security updates on all software in a timely manner.
Automate the update process and audit its effectiveness.
Introduce an internal patching culture on desktops, mobile devices, servers, network components, etc. to ensure updates are tracked.

Description

The organization shall plan, perform and document preventive maintenance and repairs on its critical system components according to approved processes and tools.

PR.MA-1.3

PR.MA-1.3: The organization shall enforce approval requirements, control, and monitoring of maintenance tools for use on the its critical systems.

Maintenance tools can include, for example, hardware/software diagnostic test equipment, hardware/software packet sniffers and laptops.

Description

The organization shall enforce approval requirements, control, and monitoring of maintenance tools for use on the its critical systems.

PR.MA-1.4

PR.MA-1.4: The organization shall verify security controls following hardware maintenance or repairs, and take action as appropriate.

Description

The organization shall verify security controls following hardware maintenance or repairs, and take action as appropriate.

PR.MA-1.5

PR.MA-1.5: The organization shall prevent the unauthorized removal of maintenance equipment containing organization's critical system information.

This requirement maily focuses mainly on OT/ICS environments.

Description

The organization shall prevent the unauthorized removal of maintenance equipment containing organization's critical system information.

PR.MA-1.6

PR.MA-1.6: Maintenance tools and portable storage devices shall be inspected when brought into the facility and shall be protected by anti-malware solutions so that they are scanned for malicious code before they are used on organization's systems.

Description

Maintenance tools and portable storage devices shall be inspected when brought into the facility and shall be protected by anti-malware solutions so that they are scanned for malicious code before they are used on organization's systems.

PR.MA-1.7

PR.MA-1.7: The organization shall verify security controls following hardware and software maintenance or repairs/patching and take action as appropriate.

Description

The organization shall verify security controls following hardware and software maintenance or repairs/patching and take action as appropriate.