S 2.4 Maintenance / repair regulations
Initiation responsibility: Head of IT
Implementation responsibility: Head of IT, User, Administrator
In order to prevent IT systems from malfunctioning, regular maintenance must be performed. A central location (e.g. the purchasing office) should be responsible for ensuring the maintenance work is initiated on time and performed correctly. In addition, the maintenance work should be performed by trustworthy persons or companies if it cannot be performed by the organisation's own personnel. The manufacturer's instructions absolutely must be followed when performing maintenance. Concluding a maintenance contract may be advantageous if regular maintenance work will be performed by external personnel.
The maintenance dates and the errors eliminated during maintenance should be documented for every IT system (e.g. using a device passport or a device and configuration management system). It is also recommended to set up an information system for maintenance and repair work. Such a system can be used to plan the pending tasks, document the work performed, and check whether the work was performed successfully.
In addition, it should be documented who is responsible for the maintenance or repair of devices and equipment.
Regular cleaning of IT devices
All types of IT devices should be cleaned regularly. The cleaning interval depends on the type of device and its operating environment. However, devices should be cleaned at least once per year, not only because working with dirty equipment is unpleasant, but also because dirt and grime can impair their operability.
Examples: Keyboards should be cleaned at the latest when they become sticky or individual keys jam. The inside of a workstation PC should be dusted occasionally (once a year, for example), unless the manufacturer recommends otherwise. If printers are not cleaned regularly, print quality may suffer, the functionality of some components may be restricted, or components may even be damaged. Typical problem areas are the print drums, print heads, and accumulations of toner dust.
An IT system that is too dusty may overheat. Dust and grime on circuit boards (a combination of dust with tar and nicotine residue is particularly harmful) may cause leakage currents.
Deposits of dirt and grime should be removed regularly and with care. In particular, all IT systems must have effective ventilation: fans and ventilation openings must be kept free of any dirt that could obstruct the flow of air.
When cleaning IT devices, it is absolutely necessary to follow the instructions of the manufacturer in terms of the cleaning procedures, the tools selected for cleaning, and the minimum maintenance intervals.
In-house maintenance and repair
For maintenance and repair work performed in-house, and especially if such work is performed by external personnel, regulations must be established regarding the supervision of the work: while the work is being performed, a qualified person should supervise it closely enough to recognise any unauthorised actions. Furthermore, it should be checked that the work performed conforms to the scope agreed in the maintenance contract.
The following actions to be taken before and after performing maintenance and repair work must be planned:
- The employees affected by the maintenance and repair work must be informed in due time.
- Maintenance technicians must provide identification when requested.
- Access to data by the maintenance technicians should be avoided to the greatest extent possible. If necessary, storage media should be removed or erased in advance (after making a full backup), especially if the work must be performed off-site. If the media cannot be erased (due to a defect, for example), the external work must be supervised and/or trustworthy companies must be selected and special contractual agreements concluded.
- The site, system, and data access rights granted to maintenance technicians should be restricted to the absolute minimum, and these rights must be revoked and/or deleted after the work is complete.
- Depending on the range of access granted to the maintenance personnel, it may be necessary to change passwords after the maintenance or repair work.
- After the maintenance work is finished, the devices should be scanned for malware using an up-to-date virus scanner.
- The maintenance work performed must be documented (including the scope, results, time, name of company, and possibly even the name of the maintenance technician).
- The companies contracted should guarantee in writing that they will follow the relevant security regulations and guidelines (such as those for fire protection, or VdS 2008 on welding, soldering, cutting, and grinding work). This applies to all tasks that could pose a direct or indirect risk to buildings or people. Finally, it is important that the personnel working on-site are familiar with these regulations.
- After the maintenance or repair work is finished, the system should be checked to ensure it operates properly. In particular, it is necessary to check if the changes made for testing purposes were undone when the work was finished.
External maintenance and repair work
If IT systems are sent in for maintenance or repair, all sensitive data stored on their data media must be securely erased beforehand. If this is impossible, for example because the data media can no longer be accessed due to a defect, the company contracted to do the repair work must commit to taking the necessary information security safeguards. Contractual stipulations regarding the confidentiality of the data must be agreed with the company in accordance with S 3.55 Non-disclosure agreements (NDAs). It is especially important to specify that any data stored externally in the course of the maintenance must be erased carefully once the work is complete. Likewise, the duties and qualifications of the external maintenance personnel must be carefully determined.
When maintenance work is performed externally, it is necessary to document which IT systems or components were sent in for repair at what times and to whom, who approved the repair work, what was the purpose of the maintenance or repair task, by when the repair work should have been completed, and when the device was returned. For documentation purposes, each IT system or component must be labelled so that it is possible on the one hand to tell which organisation it belongs to, and on the other hand to clearly identify it within the organisation.
When mailing or shipping the components to be repaired, it should be ensured that precautions are taken to prevent damage and theft. If the IT system still contains sensitive information, it must be protected appropriately for shipping, for example by placing it in a locked container or by sending it via courier. Furthermore, verification of the shipment (repair contract, routing slip, shipping notes) and receipt by the company contracted (confirmation of receipt) must be documented and archived.
Depending on the scope of the repair work and the type of password protection, it may be necessary on password-protected IT systems to disclose some or all of the passwords, or to set them to an agreed temporary value such as "REPAIR", so that the maintenance technicians can access the devices.
Once the IT systems or components have been returned, they must be checked for completeness. All passwords must be changed, including any temporary repair passwords. Returned PC data media must be scanned for malware using an up-to-date virus scanner. The integrity of all files and programs on the repaired device must be checked, for example by comparing checksums against a record made before the device was sent in.
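As an added worked example (not part of the BSI safeguard text), the integrity check after return can be implemented by recording a SHA-256 manifest of the device's files before it leaves the organisation and comparing it with a fresh manifest once the device is back. Everything below is constructed for illustration: the directory layout, the file contents and the simulated "repair" changes are assumptions, and `run_demo` only builds a scenario in a temporary directory.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB chunks so large binaries do not need to fit in memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, streamed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map of relative POSIX path -> SHA-256 for every regular file under root.
    Symlinks are skipped so a link pointing outside the tree cannot be used
    to smuggle in a differing target unnoticed; they would show as 'added'
    only if they were tracked separately, which this example does not do."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest: dict, out_path) -> None:
    """Write the manifest as JSON. Store it OFF the device (e.g. with the
    repair record), otherwise whoever altered the files could alter it too."""
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path) -> dict:
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare_manifests(before: dict, after: dict) -> dict:
    """Report files added, removed or modified between the two manifests."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def is_unchanged(report: dict) -> bool:
    return not any(report.values())


def run_demo() -> dict:
    """Constructed scenario (assumption, not a real device): baseline before
    shipping, a simulated repair that touches files, then the post-return check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"original binary")
        (root / "etc.conf").write_text("debug=0\n")
        (root / "empty.log").write_bytes(b"")
        before = build_manifest(root)  # taken before the device leaves the building
        save_manifest(before, root / ".." / "manifest.json") if False else None  # see note in save_manifest
        # Simulated changes made while the device was out of our hands:
        (root / "bin" / "tool").write_bytes(b"original binary + patch")  # modified
        (root / "etc.conf").unlink()                                      # removed
        (root / "remote.sh").write_text("#!/bin/sh\n")                    # added
        report = compare_manifests(before, build_manifest(root))
        return {"before": before, "report": report}


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result["report"], indent=2))
    print("unchanged" if is_unchanged(result["report"]) else "CHANGED: inspect before returning to service")
```

A manifest compares file contents only; it says nothing about firmware, boot code or hardware implants, which is why the safeguard still requires the device to be checked for completeness and all passwords to be changed rather than relying on the hash comparison alone. In practice the baseline manifest is produced as the last step before shipping (after the media erasure or backup described above, on whatever remains on the device) and kept with the repair documentation, not on the device itself.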
Remote maintenance
Regulations for remote maintenance can be found in the safeguard S 5.33 Secure remote maintenance.
Review questions:
- Do the employees know that maintenance personnel must be supervised when working in-house?
- Are records made of the maintenance work performed?
- Is there a schedule for the maintenance work?