PS: Personnel Security

Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…

Assign a risk designation to all organizational positions; Establish screening criteria for individuals filling those positions; and Review and update position risk designations [Assignment: organization-defined frequency].

Screen individuals prior to authorizing access to the system; and Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening].

Upon termination of individual employment: Disable system access within [Assignment: organization-defined time period]; Terminate or revoke any authenticators and credentials associated with the individual; Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics]; Retrieve all security-related organizational system-related property; and Retain access to organizational information and systems formerly controlled by terminated…

Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization; Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; Modify access authorization as needed to correspond with any…

Develop and document access agreements for organizational systems; Review and update the access agreements [Assignment: organization-defined frequency]; and Verify that individuals requiring access to organizational information and systems: Sign appropriate access agreements prior to being granted access; and Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [Assignment:…

Establish personnel security requirements, including security roles and responsibilities for external providers; Require external providers to comply with personnel security policies and procedures established by the organization; Document personnel security requirements; Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or…

Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Incorporate security and privacy roles and responsibilities into organizational position descriptions.