Equipment Maintenance
Description
Equipment shall be maintained correctly to ensure the availability, integrity, and confidentiality of information.
⚠️ Risk Impact
Maintenance windows are opportunity windows. Servers removed for repair often retain data. Equipment serviced by third parties enters their physical custody temporarily.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as low-severity findings with remediation guidance.
🔧 Remediation
Document the maintenance schedule. Sanitise data before maintenance (cryptographic erasure). Keep a maintenance log recording technician identity and actions taken. Place third-party maintenance under NDA and chain-of-custody.
💀 Real-World Attack Scenario
A datacenter's storage array was serviced by an OEM technician without supervision. The technician (later found to be conducting industrial espionage) copied unencrypted maintenance-mode disk images during service. The breach was detected only when stolen data appeared on a competitor's product 9 months later.
💰 Cost of Non-Compliance
Third-party-maintenance incidents: low frequency, high per-incident cost (avg $5.8M, CISA 2024 data).
📋 Audit Questions
1. Maintenance schedule documentation?
2. Pre-maintenance sanitisation procedure?
3. Third-party maintenance contracts include NDA + chain-of-custody?
4. Maintenance log evidence?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Third-party maintenance without supervision
- ⛔ Pre-maintenance sanitisation skipped 'because it's just a hardware issue'
- ⛔ Maintenance log incomplete
📈 Business Value
Documented equipment maintenance closes a low-frequency but high-impact attack vector.
⏱️ Effort Estimate
Per-event ~1 hour documentation
Manual process; EchelonGraph monitors maintenance-related events via integration with ticketing systems
🔗 Cross-Framework References
Automate ISO 27001 A.7.13 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.