Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"
Revision as of 21:02, 16 February 2022
PS-1 Personnel security policy and procedures
This control recommends the organization develop, document, disseminate, review, and update personnel security policies and procedures. It asks the organization to address not only the purpose, scope, roles, responsibilities, and enforcement of the personnel security policy, but also how that policy and its procedures will be implemented, reviewed, and updated.
Additional resources:
PS-2 Position risk designation
This control recommends the organization assign risk designations to all organizational positions. NIST states that risk designations "can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems." Deciding on the appropriate risk level designation (e.g., high, moderate, or low) for a position may be "determined by the position's potential for adverse impact to the efficiency or integrity of the service."[1] Those authorizations should be granted only after the screening criteria for the position have been met. Additionally, the organization should review and update its risk designations at an organization-defined frequency.
Additional resources:
- No LIMSpec comp (organizational policy rather than system specification)
PS-3 Personnel screening
This control recommends the organization perform a security screening of individuals before authorizing them to access the information system, as well as rescreen those individuals based on organization-defined conditions and frequencies.
Additional resources:
- 5 CFR 731.106
- NIST Special Publication 800-60, Vol. 1, Rev. 1
- NIST Special Publication 800-60, Vol. 2, Rev. 1
- NIST Special Publication 800-73-4
- NIST Special Publication 800-76-2
- NIST Special Publication 800-78-4
- No LIMSpec comp (organizational policy rather than system specification)
PS-4 Personnel termination
This control recommends the organization conduct a series of security steps upon termination of personnel. Those steps include disabling system access within an organization-defined period of time, revoking the individual's authenticators or credentials, conducting an exit interview with the individual that covers system security topics, retrieving any organizational information and property related to the information system that the individual controlled, and notifying the appropriate staff within an organization-defined period of time once these steps are complete.
Additional resources:
- LIMSpec 32.28 and 34.4
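As an added example (not code from the original page, from NIST, or from LIMSpec), the following Python audit checks each PS-4 step for every HR-recorded termination against a snapshot of the account's state, so that a late disablement, a still-valid authenticator, unreturned property, or a missing completion notice surfaces as a finding. The record fields, the 24-hour disablement window, the 48-hour notification window, the function names, and all sample data are assumptions constructed for this illustration.

```python
"""PS-4 offboarding audit (illustrative example; not part of the original page).
The record layout, the time windows and the sample data are all assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Organization-defined periods from PS-4 (values assumed for this example).
DISABLE_WINDOW = timedelta(hours=24)   # disable system access within this time
NOTIFY_WINDOW = timedelta(hours=48)    # notify designated staff within this time


@dataclass
class Termination:
    user: str
    terminated_at: datetime            # HR-recorded termination time (UTC)


@dataclass
class AccountState:
    """Snapshot of what the system knows about the departing user."""
    user: str
    enabled: bool
    disabled_at: Optional[datetime]    # None if the account was never disabled
    credentials: Dict[str, bool]       # authenticator name -> still valid?
    property_returned: bool            # laptops, tokens, media, records
    exit_interview_done: bool
    notified_at: Optional[datetime]    # when staff were told offboarding finished


def audit_termination(term: Termination, state: AccountState, now: datetime) -> List[str]:
    """Return PS-4 findings for one terminated user (empty list = compliant)."""
    findings = []
    deadline = term.terminated_at + DISABLE_WINDOW
    window_h = int(DISABLE_WINDOW.total_seconds() // 3600)
    # Check the time the account was actually disabled, not just its current state.
    if state.enabled:
        status = "past" if now > deadline else "within"
        findings.append(f"access still enabled {status} the {window_h}h window")
    elif state.disabled_at is None or state.disabled_at > deadline:
        findings.append("access disabled after the window (or disablement time unknown)")
    live = sorted(name for name, valid in state.credentials.items() if valid)
    if live:
        findings.append("authenticators still valid: " + ", ".join(live))
    if not state.property_returned:
        findings.append("organizational property not returned")
    if not state.exit_interview_done:
        findings.append("exit interview not conducted")
    if state.notified_at is None:
        findings.append("completion notice not sent")
    elif state.notified_at > term.terminated_at + NOTIFY_WINDOW:
        findings.append("completion notice sent after the window")
    return findings


def run_audit(terminations: List[Termination], states: Dict[str, AccountState],
              now: datetime) -> Dict[str, List[str]]:
    """Audit every HR termination against the account snapshot.
    A terminated user with no account record is itself a finding: the audit
    cannot prove the access was disabled, so the gap is never reported as clean."""
    report = {}
    for term in terminations:
        state = states.get(term.user)
        if state is None:
            report[term.user] = ["no account record found; disablement cannot be confirmed"]
        else:
            report[term.user] = audit_termination(term, state, now)
    return report


# --- constructed sample data (not real records) ---
UTC = timezone.utc
NOW = datetime(2022, 2, 18, 12, 0, tzinfo=UTC)
TERMINATIONS = [
    Termination("jdoe", datetime(2022, 2, 16, 9, 0, tzinfo=UTC)),    # clean offboarding
    Termination("asmith", datetime(2022, 2, 16, 9, 0, tzinfo=UTC)),  # several steps missed
    Termination("cwang", datetime(2022, 2, 16, 9, 0, tzinfo=UTC)),   # disabled, but too late
    Termination("bkim", datetime(2022, 2, 17, 17, 0, tzinfo=UTC)),   # no account snapshot at all
]
STATES = {
    "jdoe": AccountState("jdoe", enabled=False,
                         disabled_at=datetime(2022, 2, 16, 11, 0, tzinfo=UTC),
                         credentials={"password": False, "vpn_cert": False},
                         property_returned=True, exit_interview_done=True,
                         notified_at=datetime(2022, 2, 16, 12, 0, tzinfo=UTC)),
    "asmith": AccountState("asmith", enabled=True, disabled_at=None,
                           credentials={"password": False, "api_token": True},
                           property_returned=False, exit_interview_done=True,
                           notified_at=None),
    "cwang": AccountState("cwang", enabled=False,
                          disabled_at=datetime(2022, 2, 18, 0, 0, tzinfo=UTC),
                          credentials={"password": False},
                          property_returned=True, exit_interview_done=True,
                          notified_at=datetime(2022, 2, 16, 10, 0, tzinfo=UTC)),
}

if __name__ == "__main__":
    for user, findings in run_audit(TERMINATIONS, STATES, NOW).items():
        print(user, "OK" if not findings else "; ".join(findings))
```

Two design choices matter for this kind of check: a terminated user who is absent from the account snapshot is reported as a finding rather than passing silently, because absence of a record is not evidence that access was removed; and the disablement test uses the recorded disablement time rather than the account's current state, so an account that was eventually disabled but outside the window still fails.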
PS-5 Personnel transfer
This control recommends the organization conduct a series of security steps upon the reassignment or transfer of personnel. Those steps include reviewing and confirming the ongoing need for the individual's current access authorizations, initiating any necessary access modification or other types of action within an organization-defined period of time, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.
Additional resources:
PS-6 Access agreements
This control recommends the organization develop, document, review, and update access agreements for organizational information systems, ensuring that individuals requiring access to a system sign the agreement before being granted access and re-sign it whenever the organization updates the agreement, or at an organization-defined frequency.
Additional resources:
- No LIMSpec comp (organizational policy rather than system specification)
PS-7 Third-party personnel security
This control recommends the organization establish a set of security requirements for third-party personnel. Those requirements should define third-party personnel security roles, responsibilities, and requirements; require such personnel to comply with organizational personnel security policy and procedures; require prompt notification from third-party providers when personnel who hold authenticators or credentials and have access to the system transfer or leave; and compel the organization to monitor provider compliance.
Additional resources:
- No LIMSpec comp (organizational policy rather than system specification)
PS-8 Personnel sanctions
This control recommends the organization put into place a formal sanctions process for individuals who fail to comply with organizational information security policies and procedures. When a formal sanction process is initiated, the organization will notify designated personnel or roles within an organization-defined period of time of the sanctions, including who is affected and the reasoning behind the sanctions.
Additional resources:
- No LIMSpec comp (organizational policy rather than system specification)
References
- [1] "5 CFR § 731.106 - Designation of public trust positions and investigative requirements". Legal Information Institute, Cornell Law School. https://www.law.cornell.edu/cfr/text/5/731.106. Retrieved 23 July 2020.