PS - Personnel Security

  • Controls Count: 9
  • Controls IDs: PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, PS-9

Controls

PS-1: Policy and Procedures

Develop, document, and disseminate to organization-defined personnel or roles:

organization-level, mission/business process-level, and/or system-level personnel security policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;

Designate an organization-defined official to manage the development, documentation, and dissemination of the personnel security policy and procedures; and

Review and update the current personnel security:

Policy at an organization-defined frequency and following organization-defined events; and

Procedures at an organization-defined frequency and following organization-defined events.

Personnel security policy and procedures address the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission-level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

a personnel security policy is developed and documented;

the personnel security policy is disseminated to organization-defined personnel or roles;

personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;

the personnel security procedures are disseminated to organization-defined personnel or roles;

the organization-level, mission/business process-level, and/or system-level personnel security policy addresses purpose;

the organization-level, mission/business process-level, and/or system-level personnel security policy addresses scope;

the organization-level, mission/business process-level, and/or system-level personnel security policy addresses roles;

the organization-level, mission/business process-level, and/or system-level personnel security policy addresses responsibilities;

the organization-level, mission/business process-level, and/or system-level personnel security policy addresses management commitment;

the organization-level, mission/business process-level, and/or system-level personnel security policy addresses coordination among organizational entities;

the organization-level, mission/business process-level, and/or system-level personnel security policy addresses compliance;

the organization-level, mission/business process-level, and/or system-level personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

an organization-defined official is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;

the current personnel security policy is reviewed and updated at an organization-defined frequency;

the current personnel security policy is reviewed and updated following organization-defined events;

the current personnel security procedures are reviewed and updated at an organization-defined frequency;

the current personnel security procedures are reviewed and updated following organization-defined events.

Personnel security policy

personnel security procedures

system security plan

privacy plan

risk management strategy documentation

audit findings

other relevant documents or records

Organizational personnel with personnel security responsibilities

organizational personnel with information security responsibilities

PS-2: Position Risk Designation

Assign a risk designation to all organizational positions;

Establish screening criteria for individuals filling those positions; and

Review and update position risk designations at an organization-defined frequency.

Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.

a risk designation is assigned to all organizational positions;

screening criteria are established for individuals filling organizational positions;

position risk designations are reviewed and updated at an organization-defined frequency.

Personnel security policy

procedures addressing position categorization

appropriate codes of federal regulations

list of risk designations for organizational positions

records of position risk designation reviews and updates

system security plan

other relevant documents or records

Organizational personnel with personnel security responsibilities

organizational personnel with information security responsibilities

Organizational processes for assigning, reviewing, and updating position risk designations

organizational processes for establishing screening criteria

PS-3: Personnel Screening

Screen individuals prior to authorizing access to the system; and

Rescreen individuals in accordance with organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening.

Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

individuals are screened prior to authorizing access to the system;

individuals are rescreened in accordance with organization-defined conditions requiring rescreening;

where rescreening is so indicated, individuals are rescreened at an organization-defined frequency.

Personnel security policy

procedures addressing personnel screening

records of screened personnel

system security plan

other relevant documents or records

Organizational personnel with personnel security responsibilities

organizational personnel with information security responsibilities

Organizational processes for personnel screening

PS-4: Personnel Termination

Upon termination of individual employment:

Disable system access within an organization-defined time period;

Terminate or revoke any authenticators and credentials associated with the individual;

Conduct exit interviews that include a discussion of organization-defined information security topics;

Retrieve all security-related organizational system-related property; and

Retain access to organizational information and systems formerly controlled by the terminated individual.

System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.

upon termination of individual employment, system access is disabled within an organization-defined time period;

upon termination of individual employment, any authenticators and credentials are terminated or revoked;

upon termination of individual employment, exit interviews that include a discussion of organization-defined information security topics are conducted;

upon termination of individual employment, all security-related organizational system-related property is retrieved;

upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual is retained.

Personnel security policy

procedures addressing personnel termination

records of personnel termination actions

list of system accounts

records of terminated or revoked authenticators/credentials

records of exit interviews

system security plan

other relevant documents or records

Organizational personnel with personnel security responsibilities

organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

Organizational processes for personnel termination

mechanisms supporting and/or implementing personnel termination notifications

mechanisms for disabling system access/revoking authenticators

PS-5: Personnel Transfer

Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;

Initiate organization-defined transfer or reassignment actions within an organization-defined time period following transfer or reassignment;

Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

Notify organization-defined personnel or roles within an organization-defined time period when individuals are reassigned or transferred to other positions within the organization.

Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

the ongoing operational need for current logical and physical access authorizations to systems and facilities is reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;

organization-defined transfer or reassignment actions are initiated within an organization-defined time period following transfer or reassignment;

access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;

organization-defined personnel or roles are notified within an organization-defined time period when individuals are reassigned or transferred to other positions within the organization.

Personnel security policy

procedures addressing personnel transfer

records of personnel transfer actions

list of system and facility access authorizations

system security plan

other relevant documents or records

Organizational personnel with personnel security responsibilities

organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

Organizational processes for personnel transfer

mechanisms supporting and/or implementing personnel transfer notifications

mechanisms for disabling system access/revoking authenticators

PS-6: Access Agreements

Develop and document access agreements for organizational systems;

Review and update the access agreements at an organization-defined frequency; and

Verify that individuals requiring access to organizational information and systems:

Sign appropriate access agreements prior to being granted access; and

Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or at an organization-defined frequency.

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

access agreements are developed and documented for organizational systems;

the access agreements are reviewed and updated at an organization-defined frequency;

individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;

individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or at an organization-defined frequency.

Personnel security policy

personnel security procedures

procedures addressing access agreements for organizational information and systems

access control policy

access control procedures

access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)

documentation of access agreement reviews, updates, and re-signing

system security plan

privacy plan

other relevant documents or records

Organizational personnel with personnel security responsibilities

organizational personnel who have signed/re-signed access agreements

organizational personnel with information security and privacy responsibilities

Organizational processes for reviewing, updating, and re-signing access agreements

mechanisms supporting the reviewing, updating, and re-signing of access agreements

PS-7: External Personnel Security

Establish personnel security requirements, including security roles and responsibilities for external providers;

Require external providers to comply with personnel security policies and procedures established by the organization;

Document personnel security requirements;

Require external providers to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges, within an organization-defined time period; and

Monitor provider compliance with personnel security requirements.

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.

personnel security requirements are established, including security roles and responsibilities for external providers;

external providers are required to comply with personnel security policies and procedures established by the organization;

personnel security requirements are documented;

external providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges, within an organization-defined time period;

provider compliance with personnel security requirements is monitored.

Personnel security policy

procedures addressing external personnel security

list of personnel security requirements

acquisition documents

service-level agreements

compliance monitoring process

system security plan

other relevant documents or records

Organizational personnel with personnel security responsibilities

external providers

system/network administrators

organizational personnel with account management responsibilities

organizational personnel with information security responsibilities

Organizational processes for managing and monitoring external personnel security

mechanisms supporting and/or implementing the monitoring of provider compliance

PS-8: Personnel Sanctions

Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and

Notify organization-defined personnel or roles within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;

organization-defined personnel or roles are notified within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Personnel security policy

personnel security procedures

procedures addressing personnel sanctions

access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)

list of personnel or roles to be notified of formal employee sanctions

records or notifications of formal employee sanctions

system security plan

privacy plan

personally identifiable information processing policy

other relevant documents or records

Organizational personnel with personnel security responsibilities

legal counsel

organizational personnel with information security and privacy responsibilities

Organizational processes for managing formal employee sanctions

mechanisms supporting and/or implementing formal employee sanctions notifications

PS-9: Position Descriptions

Incorporate security and privacy roles and responsibilities into organizational position descriptions.

Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles.

security roles and responsibilities are incorporated into organizational position descriptions;

privacy roles and responsibilities are incorporated into organizational position descriptions.

Personnel security policy

personnel security procedures

procedures addressing position descriptions

security and privacy position descriptions

system security plan

privacy plan

privacy program plan

other relevant documents or records

Organizational personnel with personnel security responsibilities

organizational personnel with information security and privacy responsibilities

organizational personnel with human capital management responsibilities

Organizational processes for managing position descriptions