GV.RR-04: Cybersecurity is included in human resources practices

Subcategory is new to this version of the framework and incorporates the following item from the previous version: PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).

Description

[csf.tools Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

Ex1: Integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding)

Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, and retention decisions

Ex3: Conduct background checks prior to onboarding new personnel for sensitive roles, and periodically repeat background checks for personnel with such roles

Ex4: Define and enforce obligations for personnel to be aware of, adhere to, and uphold security policies as they relate to their roles