
This section of the ISM provides guidance on ICT equipment maintenance and repairs.

Maintenance and repairs of high assurance ICT equipment

Due to the nature of high assurance ICT equipment, it is important that the ACSC’s approval is sought before any maintenance or repair work is undertaken.

Security Control: 1079; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment.

On-site maintenance and repairs

Making unauthorised repairs to ICT equipment could impact its integrity. As such, using cleared technicians to maintain and repair ICT equipment on-site is considered the most secure approach. This ensures that if information is disclosed during the course of maintenance or repairs, the technicians are aware of the requirements to protect such information.

Organisations choosing to use uncleared technicians to maintain or repair ICT equipment should be aware of the requirement for cleared personnel to escort uncleared technicians during maintenance or repair activities.

Security Control: 0305; Revision: 5; Updated: Oct-19; Applicability: O, P, S, TS
Maintenance and repairs of ICT equipment are carried out on-site by an appropriately cleared technician.

Security Control: 0307; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media are sanitised before maintenance or repair work is undertaken.

Security Control: 0306; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:

  • is appropriately cleared and briefed
  • takes due care to ensure that information is not disclosed
  • takes all responsible measures to ensure the integrity of the ICT equipment
  • has the authority to direct the technician
  • is sufficiently familiar with the ICT equipment to understand the work being performed.

Off-site maintenance and repairs

Organisations choosing to have ICT equipment maintained or repaired off-site should be aware of requirements for the external company’s facilities to be approved to do so based on the sensitivity or classification of the ICT equipment.

Organisations choosing to have ICT equipment maintained or repaired off-site can sanitise the ICT equipment prior to transport and subsequent maintenance or repair activities. Depending on the types of media involved, this can lower its physical transfer and storage requirements.

Security Control: 0310; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment.

Maintenance and repair of ICT equipment from secured spaces

When ICT equipment resides in an area that also contains ICT equipment of a higher classification, a technician could modify the lower classified ICT equipment in an attempt to compromise co-located ICT equipment of a higher classification.

Security Control: 0944; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to.

Inspection of ICT equipment following maintenance and repairs

Following the maintenance or repair of ICT equipment (either on-site or off-site), it is important that the ICT equipment is inspected to ensure that it retains its approved software configuration and that no unauthorised modifications (either accidental or deliberate) have been made by technicians.

Security Control: 1598; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place.

Further information

Further information on the sanitisation of ICT equipment can be found in the ICT equipment sanitisation and disposal section of these guidelines.

Further information on the sanitisation of media can be found in the media sanitisation section of the Guidelines for Media.

Further information on the storage and transfer of ICT equipment can be found in AGD’s PSPF, Physical security for entity resources policy, at https://www.protectivesecurity.gov.au/physical/physical-security-entity-resources/Pages/default.aspx.