The maintenance policy establishes rules for how an information system should be managed specific to information security. There will be additional policies maintained by an IT organization around operations and maintenance.

What the maintenance policy should address:

• Performing periodic and timely maintenance on organizational information systems
• Providing effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance
• Ensuring equipment removed for off-site maintenance is sanitized of any information
• Checking media containing diagnostic and test programs for malicious code before the media is used in the information system
• Requiring multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete
• Supervising the maintenance activities of maintenance personnel without required access authorization