PS: Personnel Security

Controls

PS-1: Personnel Security Policy and Procedures

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and Reviews and updates the current: Personnel security policy…

PS-2: Position Risk Designation

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Assigns a risk designation to all organizational positions; Establishes screening criteria for individuals filling those positions; and Reviews and updates position risk designations [Assignment: organization-defined frequency].

PS-3: Personnel Screening

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Screens individuals prior to authorizing access to the information system; and Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

PS-4: Personnel Termination

Baseline(s):

  • Low
  • Moderate
  • High

The organization, upon termination of individual employment: Disables information system access within [Assignment: organization-defined time period]; Terminates/revokes any authenticators/credentials associated with the individual; Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; Retrieves all security-related organizational information system-related property; Retains access to organizational information and information systems formerly controlled by terminated…

PS-5: Personnel Transfer

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; Modifies access authorization as needed to correspond with…

PS-6: Access Agreements

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Develops and documents access agreements for organizational information systems; Reviews and updates the access agreements [Assignment: organization-defined frequency]; and Ensures that individuals requiring access to organizational information and information systems: Sign appropriate access agreements prior to being granted access; and Re-sign access agreements to maintain access to organizational information systems when access agreements…

PS-7: Third-Party Personnel Security

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Establishes personnel security requirements including security roles and responsibilities for third-party providers; Requires third-party providers to comply with personnel security policies and procedures established by the organization; Documents personnel security requirements; Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational…

PS-8: Personnel Sanctions

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.