PS-4: Personnel Termination

Control Family:

Personnel Security

Baselines:

  • Low
    • PS-4
  • Moderate
    • PS-4
  • High

Control Statement

The organization, upon termination of individual employment:

  1. Disables information system access within [Assignment: organization-defined time period];
  2. Terminates/revokes any authenticators/credentials associated with the individual;
  3. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
  4. Retrieves all security-related organizational information system-related property;
  5. Retains access to organizational information and information systems formerly controlled by terminated individual; and
  6. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

Supplemental Guidance

Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.

Control Enhancements

PS-4(1): Post-Employment Requirements

Baseline(s):

(Not part of any baseline)

The organization:

  1. Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
  2. Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.

PS-4(2): Automated Notification

Baseline(s):

  • High

The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual.