What are the requirements for system maintenance and updates under CPCSC?

CPCSC requires controlled maintenance through approved tools, patch management, change control, monitoring, and secure remote access with multi-factor authentication.

System maintenance and updates—including patching, upgrades, and modifications—are essential for security but also create risks if not properly controlled. CPCSC requires organizations to maintain systems securely while preventing maintenance activities from introducing vulnerabilities or disrupting protections.

Understanding maintenance requirements helps executives ensure systems remain secure, current, and properly controlled throughout their operational lifecycles.

Why Maintenance Security Matters

System maintenance creates security considerations distinct from normal operations. Vulnerabilities in unpatched systems are leading cause of breaches—adversaries actively exploit known vulnerabilities that patches address.

Maintenance access often requires privileged permissions creating opportunities for abuse by technicians or adversaries who compromise maintenance accounts. Maintenance tools themselves (diagnostic software, remote access tools, bootable media) can introduce malware or provide attack vectors.

Configuration changes during maintenance might inadvertently weaken security controls or create vulnerabilities. Maintenance windows when systems are offline, degraded, or in non-standard states may reduce security monitoring effectiveness.

Vendor or third-party maintenance personnel accessing systems introduce insider threat risks. Rushed or emergency maintenance under time pressure is error-prone and security shortcuts are tempting. Poor maintenance can cause system failures that impact availability of specified information systems. Proper maintenance security protects systems while enabling necessary operational activities.

ITSP.10.171 Maintenance Requirements

The Maintenance family includes multiple requirements:

• Approve, control, and monitor use of system maintenance tools including hardware/software diagnostic and testing equipment
• Check media containing diagnostic and test programs for malicious code before use in systems
• Prevent removal of system maintenance equipment containing specified information by verifying no specified information is present, sanitizing or destroying equipment, or retaining equipment within facility
• For non-local maintenance (remote maintenance), approve and monitor activities, implement multi-factor authentication and replay resistance for establishing sessions, and terminate session and network connections when completed

Organizations must balance enabling necessary maintenance with preventing maintenance-related security compromises. Documented maintenance procedures, security controls, and monitoring requirements provide framework for secure maintenance.

Patch Management

Keeping systems current with security patches is fundamental maintenance activity. The following elements are essential:

• Vulnerability monitoring tracks published vulnerabilities affecting organizational systems through vendor notifications, vulnerability databases (NVD, CVE), security mailing lists, and Cyber Centre alerts
• Patch assessment evaluates each patch for relevance (does it address vulnerability in systems we use), urgency (what is severity and exploitability), and compatibility (will it cause operational issues)
• Patch testing in non-production environments before production deployment verifies patches work as intended without breaking functionality
• Patch deployment using automated patch management tools where possible, following change management procedures, and scheduling during maintenance windows to minimize disruption
• Emergency patching for critical vulnerabilities might require expedited procedures when risk of exploitation exceeds risk of unscheduled maintenance
• Verification confirms patches were successfully applied through scanning or configuration checks
• Documentation tracks what patches were applied when, to what systems, with what authorization

Organizations should define patch deadlines based on severity—for example, critical patches within 15 days, high within 30 days, moderate within 60 days, with adjustments for systems handling specified information.

Change Management for Maintenance

Maintenance activities require formal change control. Key components include:

• Maintenance requests documenting what maintenance is needed, why, who is requesting it, and when it should occur
• Security review analyzing whether maintenance might impact security controls, introduce vulnerabilities, or require security considerations
• Risk assessment evaluating maintenance risks vs. risks of not performing maintenance
• Approval by appropriate authority based on risk level—routine patching might be delegated to IT management while major upgrades require senior approval
• Testing when feasible to verify maintenance won't cause problems
• Scheduling at appropriate times minimizing operational impact, coordinating with business units, and ensuring support is available
• Documentation of maintenance performed including what was done, when, by whom, and results
• Rollback planning enables reverting maintenance if problems occur
• Post-maintenance verification confirms systems are operating properly with security controls intact

Organizations should apply same change management rigor to maintenance as to other system changes—maintenance isn't exempt from change control.

Maintenance Tools and Media Security

Tools used for maintenance require security controls:

• Approved tool lists specifying what diagnostic, testing, or maintenance software/hardware is permitted, with others prohibited
• Tool inspection for malware scanning tools before use, obtaining tools from trusted sources, and verifying integrity
• Secure storage of maintenance tools in controlled areas preventing unauthorized access or tampering
• Media sanitization scanning bootable USB drives, CDs, or external drives for malware before use
• Tool monitoring and logging when maintenance tools are used, what actions they took, and who used them
• Removal restrictions for tools or equipment that accessed specified information requiring verification they don't contain specified information before leaving facility

Organizations should treat maintenance tools as potential attack vectors requiring equivalent security to production systems.

Remote Maintenance Security

Remote maintenance by vendors, support personnel, or internal staff requires heightened controls:

• Pre-approval for each remote maintenance session rather than standing remote access
• Multi-factor authentication required for all remote maintenance access
• Session monitoring and logging recording all remote maintenance activities for review
• Network segregation routing remote maintenance through dedicated access points or jump boxes rather than general network access
• Time limitations terminating remote access after defined period or when maintenance concludes
• Oversight by organizational personnel observing remote maintenance sessions when feasible
• Credential management for vendor remote access using unique individual credentials rather than shared accounts, temporary credentials expiring after use, and just-in-time provisioning

Organizations should balance convenience of remote maintenance (especially from geographically distant vendors) with security risks—for systems handling highly sensitive specified information, consider requiring on-site maintenance rather than remote access.

Vendor and Third-Party Maintenance

External maintenance personnel introduce security considerations:

• Contractual requirements specifying vendor security obligations, personnel security requirements, and maintenance procedures
• Escort requirements for vendor personnel accessing facilities, preventing unaccompanied access to sensitive areas or systems
• Background checks for vendor maintenance personnel with extensive or regular access
• Supervision of vendor activities monitoring what they're doing and preventing unauthorized actions
• Credential management providing temporary vendor accounts disabled after maintenance rather than permanent vendor access
• Non-disclosure agreements signed by vendor personnel
• Documentation requirements obligating vendors to document maintenance performed
• Verification of vendor identity confirming maintenance personnel are legitimate vendor employees not adversaries impersonating them

Organizations should flow security requirements to maintenance vendors through contracts and enforce requirements through oversight and monitoring.

Emergency Maintenance

Urgent maintenance situations require expedited but still controlled processes:

• Emergency change procedures allowing accelerated approval while maintaining accountability
• Communication of emergencies to stakeholders including management, business units, and security team
• Risk acceptance by appropriate authority acknowledging that emergency prevents full normal process
• Documentation of emergency maintenance captured as soon as feasible after urgent situation is resolved
• Post-incident review determining why emergency occurred and how to prevent future emergencies

Balance security and urgency recognizing that sometimes urgent security patching or critical system repairs take precedence over ideal procedures—but even emergencies should follow documented processes rather than ad-hoc decisions.

Organizations should define what constitutes emergency warranting expedited procedures vs. normal maintenance that can follow standard processes.

System Updates and Upgrades

Major updates or upgrades require more extensive planning than routine patches:

• Compatibility assessment determining impact on dependent systems, integrations, and customizations
• Security testing verifying upgrades don't introduce vulnerabilities or weaken security controls
• Functional testing ensuring upgrades work as intended without breaking required functionality
• Rollback planning and testing validating ability to revert to previous version if upgrade fails
• Phased deployment applying upgrades to test systems, then non-critical systems, then critical systems handling specified information
• Extended monitoring after upgrades detecting problems during stabilization period
• Training personnel on changes introduced by upgrades
• Documentation updates revising system documentation, procedures, and security plans to reflect upgraded systems

Organizations should plan major upgrades carefully recognizing they're riskier than routine patches—inadequate planning causes upgrade failures and potential security vulnerabilities.

Deferred Maintenance

Sometimes maintenance must be delayed for operational or technical reasons:

• Documented justification explaining why maintenance is deferred and what risks are accepted
• Compensating controls mitigating risks while maintenance is deferred—for example, network isolation for vulnerable systems that can't immediately be patched
• Management acceptance of deferred maintenance risks by appropriate authority
• Tracking deferred maintenance through plans of action and milestones (POA&M)
• Scheduled resolution with defined timeline for completing deferred maintenance
• Regular review of deferred maintenance ensuring temporary deferrals don't become indefinite neglect

Organizations should minimize deferred maintenance particularly for security patches addressing severe vulnerabilities in systems handling specified information—deferral should be rare exception, not common practice.

Maintenance Monitoring and Auditing

Maintenance activities require monitoring and oversight:

• Audit logging of maintenance actions including account usage, system changes, configuration modifications, and software installations
• Review of maintenance logs periodically examining what maintenance occurred, whether it followed approved procedures, and identifying anomalous activities
• Verification that security controls remain effective after maintenance through testing, scanning, or manual checks
• Metrics tracking maintenance volume, patch compliance rates, time to patch critical vulnerabilities, and maintenance-related incidents
• Incident investigation when maintenance causes problems or security issues determining root cause and preventive actions

Organizations should treat maintenance monitoring as security monitoring—maintenance is trusted activity but verification prevents abuse and ensures quality.

Maintenance Documentation

Comprehensive maintenance records support compliance and operations:

• Maintenance procedures documenting standard processes for patching, upgrades, and routine maintenance
• Maintenance schedules planning regular maintenance windows and activities
• Maintenance logs recording all maintenance performed with dates, personnel, actions, and results
• System documentation updated to reflect maintenance that changed system configurations or functionality
• Change records linking maintenance to formal change management approvals
• Training records showing maintenance personnel have appropriate skills and security training

During CPCSC Level 2 assessments, assessors will examine maintenance documentation as evidence that systems are properly maintained and that maintenance doesn't compromise security.

Organizations should develop systematic maintenance documentation practices integrated with change management and IT service management systems.

Learn More

Additional resources are available to help understand CPCSC maintenance requirements:

• Protecting Specified Information (ITSP.10.171)
• Canadian Program for Cyber Security Certification