NIST 800-171 • LEVEL 2 • MAINTENANCE

3.7.2 Provide Controls on the Tools, Techniques, Mechanisms, and Personnel Used to Conduct System Maintenance

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

Assessment objectives not available for this requirement.

Practitioner Notes

This practice asks you to keep a handle on who does maintenance and what tools they use. You cannot just let a vendor walk in with their own laptop and plug into your network without any oversight.

Example 1: Maintain an approved tools list — document that your team uses specific versions of tools like PuTTY, WinSCP, or manufacturer diagnostic software. Store approved copies on a controlled network share and prohibit technicians from using personal thumb drives or unapproved utilities.

Example 2: Require vendor technicians to use a company-provided jump box or a supervised remote session (e.g., BeyondTrust Privileged Remote Access) rather than their own equipment. Log every session and review the recordings periodically.
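The two examples above are easier to evidence at assessment time if the checks are automated. The script below is an added illustration, not part of this catalogue entry, and assumes a hypothetical approved-tools list keyed by name, version and the SHA-256 of the copy on the controlled share, plus a constructed session log in the form `user,source_host,target,recording`; tool names, the `maint-jump01` jump box and all hashes are made up.

```python
"""Maintenance-control checks for 3.7.2 (hypothetical, constructed data):
1) verify tools found on a technician host against the approved list;
2) review session logs for sessions that bypassed the jump box or lack a recording."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed approved-tools list. Real entries would carry the hash of the
# approved copy stored on the controlled network share.
APPROVED = {
    ("putty", "0.81"): sha256_hex(b"putty-0.81-approved-build"),
    ("winscp", "6.3"): sha256_hex(b"winscp-6.3-approved-build"),
}

# Constructed set of company-provided jump boxes that maintenance must go through.
JUMP_BOXES = {"maint-jump01"}


def check_inventory(found):
    """found: list of (name, version, binary_bytes) observed on a technician host.
    Returns (name, version, reason) findings; an empty list means compliant."""
    findings = []
    for name, version, data in found:
        key = (name.lower(), version)
        if key not in APPROVED:
            findings.append((name, version, "not on approved list"))
        elif sha256_hex(data) != APPROVED[key]:
            # Same name and version, but not the controlled copy (modified or unvetted build).
            findings.append((name, version, "hash differs from controlled copy"))
    return findings


def review_sessions(log_lines):
    """Flag maintenance sessions that did not originate from a jump box or have
    no recording reference. Each line: user,source_host,target,recording."""
    flagged = []
    for line in log_lines:
        user, src, target, rec = line.strip().split(",")
        if src not in JUMP_BOXES:
            flagged.append((user, target, f"session from {src}, not a jump box"))
        elif rec == "none":
            flagged.append((user, target, "no session recording"))
    return flagged
```

Feed `check_inventory` the output of your endpoint inventory tool and `review_sessions` an export from the remote-access gateway; both lists are the evidence you would keep for the periodic review.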