PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
PS-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
PS-2: Position Risk Designation
Assign a risk designation to all organizational positions; Establish screening criteria for individuals filling those positions; and Review and update position risk designations [Assignment: organization-defined frequency].
PS-3: Personnel Screening
Screen individuals prior to authorizing access to the system; and Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening].
PS-4: Personnel Termination
Upon termination of individual employment: Disable system access within [Assignment: organization-defined time period]; Terminate or revoke any authenticators and credentials associated with the individual; Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics]; Retrieve all security-related organizational system-related property; and Retain access to organizational information and systems formerly controlled by terminated…
PS-5: Personnel Transfer
Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization; Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; Modify access authorization as needed to correspond with any…
PS-6: Access Agreements
Develop and document access agreements for organizational systems; Review and update the access agreements [Assignment: organization-defined frequency]; and Verify that individuals requiring access to organizational information and systems: Sign appropriate access agreements prior to being granted access; and Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [Assignment:…
PS-7: External Personnel Security
Establish personnel security requirements, including security roles and responsibilities for external providers; Require external providers to comply with personnel security policies and procedures established by the organization; Document personnel security requirements; Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or…
PS-8: Personnel Sanctions
Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
PS-9: Position Descriptions
Incorporate security and privacy roles and responsibilities into organizational position descriptions.
SA-21: Developer Screening
Require that the developer of [Assignment: organization-defined system, system component, or system service]: Has appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and Satisfies the following additional personnel screening criteria: [Assignment: organization-defined additional personnel screening criteria].
NIST Special Publication 800-171 Revision 2
3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI
Personnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for…
3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers
Protecting CUI during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, identification cards, system administration technical manuals, keys, and building passes. Exit interviews ensure that individuals who have been terminated understand the security constraints imposed by being former employees and that proper accountability is…
Cloud Controls Matrix v3.0.1
HRS-02: Background Screening
Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties shall be subject to background verification proportional to the data classification to be accessed, the business requirements, and acceptable risk.
HRS-03: Employment Agreements
Employment agreements shall incorporate provisions and/or terms for adherence to established information governance and security policies and must be signed by newly hired or on-boarded workforce personnel (e.g., full or part-time employee or contingent staff) prior to granting workforce personnel user access to corporate facilities, resources, and assets.
HRS-04: Employment Termination
Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented, and communicated.
HRS-06: Non-Disclosure Agreements
Requirements for non-disclosure or confidentiality agreements reflecting the organization’s needs for the protection of data and operational details shall be identified, documented, and reviewed at planned intervals.
HRS-07: Roles / Responsibilities
Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security.
HRS-10: User Responsibility
All personnel shall be made aware of their roles and responsibilities for: Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations. Maintaining a safe and secure working environment
IAM-02: Credential Lifecycle / Provision Management
User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes,…
IAM-07: Third Party Access
The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization’s information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning…
IAM-09: User Access Authorization
Provisioning user access (e.g., employees, contractors, customers (tenants), business partners, and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization’s management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer…
IAM-10: User Access Reviews
User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization’s business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies…
IAM-11: User Access Revocation
Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be implemented as per established policies and procedures and based on user’s change in status (e.g., termination of employment or other business relationship, job change, or transfer). Upon request, provider shall…
Critical Security Controls Version 8
6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
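The controls above (PS-4 and PS-5 in 800-53, IAM-10 and IAM-11 in the CCM, and CIS Control 6) all leave the deprovisioning time period and the role-to-entitlement model as organization-defined parameters, and none of them prescribe a technique. What a practitioner typically builds to evidence them is a reconciliation check: an HR roster compared against a directory or IdP export, flagging accounts that remain enabled past the deprovisioning window, authenticators that are still valid after termination, accounts with no owner on record, and entitlements that no longer match the holder's current position after a transfer. The script below is an added example, not part of the csf.tools page or any of the cited frameworks; the 24-hour window, the role map, and all roster and account records are constructed sample data.

```python
"""Deprovisioning reconciliation check (added example, constructed data).

Compares an HR roster against an account export and reports findings that map
to PS-4/IAM-11 (terminated users still holding access or credentials),
PS-5/IAM-10 (entitlements outside the holder's current role) and orphaned
accounts with no owner in HR. Real deployments would read these records from
the HRIS and the directory/IdP API instead of inline literals.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Organization-defined period within which access must be disabled after
# termination. 24 hours is an assumption for this example, not a NIST value.
DISABLE_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class Person:
    employee_id: str
    status: str            # "active" or "terminated"
    role: str              # current position, drives the entitlement check
    effective: datetime    # when the termination or transfer took effect


@dataclass(frozen=True)
class Credential:
    kind: str                      # "password", "api_token", "ssh_key", ...
    expires: Optional[datetime]    # None means the credential never expires


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]     # None means no owner recorded
    enabled: bool
    entitlements: FrozenSet[str]
    credentials: Tuple[Credential, ...]


# Entitlements each position is permitted to hold (constructed role model).
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "finance-analyst": frozenset({"erp-read", "erp-report"}),
    "platform-engineer": frozenset({"prod-ssh", "ci-admin"}),
    "support": frozenset({"ticketing"}),
}

Finding = Tuple[str, str, str]  # (username, finding kind, detail)


def reconcile(people: List[Person], accounts: List[Account],
              role_entitlements: Dict[str, FrozenSet[str]],
              now: datetime, window: timedelta = DISABLE_WINDOW) -> List[Finding]:
    """Return every account that violates the deprovisioning or role rules."""
    by_id = {p.employee_id: p for p in people}
    findings: List[Finding] = []
    for acct in accounts:
        owner = by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            # No HR record: nobody's termination or transfer will ever clean this up.
            findings.append((acct.username, "orphan", "no HR record for account owner"))
            continue
        if owner.status == "terminated":
            # Inside the window the removal may legitimately still be in progress.
            if now - owner.effective <= window:
                continue
            age = now - owner.effective
            if acct.enabled:
                findings.append((acct.username, "terminated-enabled",
                                 f"still enabled {age} after termination"))
            # Authenticators are checked even when the account is disabled:
            # API tokens and SSH keys often keep working independently of the
            # directory's enabled flag.
            for cred in acct.credentials:
                if cred.expires is None or cred.expires > now:
                    findings.append((acct.username, "terminated-credential",
                                     f"{cred.kind} still valid {age} after termination"))
            continue
        # Active user: entitlements must fit the current position (PS-5 / IAM-10).
        allowed = role_entitlements.get(owner.role, frozenset())
        excess = acct.entitlements - allowed
        if excess:
            findings.append((acct.username, "excess-entitlement",
                             f"outside role {owner.role}: {', '.join(sorted(excess))}"))
    return findings


# Constructed sample roster and account export.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
PEOPLE = [
    Person("E100", "terminated", "finance-analyst", NOW - timedelta(days=3)),
    Person("E200", "terminated", "support", NOW - timedelta(hours=2)),        # inside window
    Person("E300", "active", "support", NOW - timedelta(days=30)),             # transferred in
    Person("E400", "active", "platform-engineer", NOW - timedelta(days=400)),
]
ACCOUNTS = [
    Account("alice", "E100", True, frozenset({"erp-read"}),
            (Credential("password", None), Credential("api_token", NOW + timedelta(days=20)))),
    Account("bob", "E200", True, frozenset({"ticketing"}), (Credential("password", None),)),
    Account("carol", "E300", True, frozenset({"ticketing", "prod-ssh"}), (Credential("password", None),)),
    Account("dave", "E400", True, frozenset({"prod-ssh"}), (Credential("ssh_key", None),)),
    Account("svc-backup", None, True, frozenset({"prod-ssh"}), (Credential("ssh_key", None),)),
]

if __name__ == "__main__":
    for username, kind, detail in reconcile(PEOPLE, ACCOUNTS, ROLE_ENTITLEMENTS, NOW):
        print(f"{kind:22} {username:12} {detail}")
```

Run as-is, the check reports alice (enabled, and with a non-expiring password and a live API token three days after termination), carol (still holding prod-ssh from her previous engineering position), and svc-backup (no owner in HR). bob is not reported because his termination is still within the window, and dave's entitlements fit his role. The useful design point is that termination, transfer and orphan conditions are evaluated in one pass over the same account export, so the evidence for PS-4, PS-5 and the access-review controls comes from a single run rather than three separate processes.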
NIST Special Publication 800-53 Revision 4
PS-1: Personnel Security Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and Reviews and updates the current: Personnel security policy…
PS-2: Position Risk Designation
The organization: Assigns a risk designation to all organizational positions; Establishes screening criteria for individuals filling those positions; and Reviews and updates position risk designations [Assignment: organization-defined frequency].
PS-3: Personnel Screening
The organization: Screens individuals prior to authorizing access to the information system; and Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
PS-4: Personnel Termination
The organization, upon termination of individual employment: Disables information system access within [Assignment: organization-defined time period]; Terminates/revokes any authenticators/credentials associated with the individual; Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; Retrieves all security-related organizational information system-related property; Retains access to organizational information and information systems formerly controlled by terminated…
PS-5: Personnel Transfer
The organization: Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; Modifies access authorization as needed to correspond with…
PS-6: Access Agreements
The organization: Develops and documents access agreements for organizational information systems; Reviews and updates the access agreements [Assignment: organization-defined frequency]; and Ensures that individuals requiring access to organizational information and information systems: Sign appropriate access agreements prior to being granted access; and Re-sign access agreements to maintain access to organizational information systems when access agreements…
PS-7: Third-Party Personnel Security
The organization: Establishes personnel security requirements including security roles and responsibilities for third-party providers; Requires third-party providers to comply with personnel security policies and procedures established by the organization; Documents personnel security requirements; Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational…
PS-8: Personnel Sanctions
The organization: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
SA-21: Developer Screening
The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and Satisfy [Assignment: organization-defined additional personnel screening criteria].
Critical Security Controls Version 7.1
16: Account Monitoring and Control
Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.