UMGC Policy X-1.15

Maintenance of Information Systems and Technology Resources

Policy Category: X, Information Governance, Security & Technology
Policy No. & Title: X-1.15, Maintenance of Information Systems and Technology Resources
Policy Owner: VP of Information Security
Effective Date: July 15, 2021
Revision Number: N/A
Revision Eff. Date: N/A
Review Cycle: Annual

  1. Purpose

    The purpose of this policy is to establish information security standards for the Maintenance processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

  2. Scope and Applicability

    This policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.

  3. Definitions

    Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

    1. Authorized User: A User who has been granted authorization to access electronic Information Resources and is current in their privileges.

    2. Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.

    3. Controlled Unclassified Information (CUI): A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. CUI includes Personally Identifiable Information (PII).

    4. Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.

    5. Information System: Inter-related components of Information Technology Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

    6. Information System Steward: A UMGC staff member or other individual providing services to the University who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.

    7. Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the Information Technology Resource connected to the network.

    8. Media: Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.

    9. Multi-Factor Authentication (MFA): Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric).

    10. Personally Identifiable Information (PII): Any information (i) that identifies or can be used to identify, contact, or locate the person to whom such information pertains, or (ii) from which identification or contact information of an individual person can be derived.

    11. User: A University community member, including but not limited to, staff, faculty, students, alumni, and individuals working on behalf of the University, including third-party vendors, Contractors, consultants, volunteers, and other individuals who may have a need to access, use, or control University Data.

  4. Maintenance

    Information System Stewards or their designees should adhere to the University's Maintenance Policy to ensure that security controls are in place to protect the routine maintenance activities that enable the University Information Systems to function correctly.

    1. Maintenance must be performed on University Information Systems. In general, system maintenance requirements tend to support the security objective of availability and are typically directed at five specific areas of the information technology infrastructure: servers, desktops, backups, network, and security. This maintenance should include:

      • corrective maintenance (e.g., repairing problems with the technology),

      • preventative maintenance (e.g., updates to prevent potential problems),

      • adaptive maintenance (e.g., changes to the operative environment), and

      • perfective maintenance (e.g., improvements to operations).

    2. Controls must be provided on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. These controls include:

      • Protection of the tools performing maintenance. These tools should remain secure, so they do not introduce software viruses or other bugs into University Information Technology Resources.

      • Protection of maintenance processes so they are not used to harm University Information Technology Resources.

      • Supervision of any employee or contractor responsible for maintenance activities to ensure that they don't behave in a malicious manner.

    3. Multi-Factor Authentication (MFA) must be used, whenever possible and reasonable to do so, to establish nonlocal maintenance sessions via external network connections, and such connections must be terminated when nonlocal maintenance is complete.

    4. Maintenance activities of personnel without required access authorization must be supervised.

    5. Equipment removed for off-site maintenance must be sanitized of any Controlled Unclassified Information (CUI).

    6. Media containing diagnostic and test programs must be checked for malicious code before the media are used in organizational systems.

  5. Exceptions

    Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.

  6. Enforcement

    1. Any Employee, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.

    2. Any Employee, Contractor, or other third party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

  7. Related Policies

    1. UMGC X-1.02 Data Classification

    2. UMGC X-1.04 Information Security

    3. UMGC X-1.08 IT Resource Configuration Management

    4. UMGC X-1.10 Identity and Access Management

    5. UMGC X-1.14 Media Protection

    6. Asset Management

    7. System and Information Integrity

  8. Effective Date

    This policy is effective as of the date set forth above.