Personnel Security

PS-1 Policy and Procedures

Texas DIR Baseline

LOW

TxDIR Required By

2023-07-20

Control

  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:

    1. [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

    2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;

  2. Designate an [Assignment: official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and

  3. Review and update the current personnel security:

    1. Policy [Assignment: frequency] and following [Assignment: events]; and

    2. Procedures [Assignment: frequency] and following [Assignment: events].

Discussion

Personnel security policy and procedures address the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission-level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

PS-2 Position Risk Designation

Texas DIR Baseline

LOW

TxDIR Required By

2023-01-20

Control

  1. Assign a risk designation to all organizational positions;

  2. Establish screening criteria for individuals filling those positions; and

  3. Review and update position risk designations [Assignment: frequency].

State Implementation Details

All authorized users (including, but not limited to, state agency personnel, temporary employees, and employees of independent contractors) of the state agency’s information resources shall formally acknowledge that they will comply with the security policies and procedures of the state agency or they shall not be granted access to information resources. The state agency head or their designated representative will determine the method of acknowledgement and how often this acknowledgement must be reexecuted by the user to maintain access to state agency information resources.

Discussion

Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.

PS-3 Personnel Screening

Texas DIR Baseline

LOW

TxDIR Required By

2023-01-20

Control

  1. Screen individuals prior to authorizing access to the system; and

  2. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening].

Discussion

Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

Control Enhancements

PS-3(1) Classified Information

Control

Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.

Discussion

Classified information is the most sensitive information that the Federal Government processes, stores, or transmits. It is imperative that individuals have the requisite security clearances and system access authorizations prior to gaining access to such information. Access authorizations are enforced by system access controls (see AC-3) and flow controls (see AC-4).

PS-3(2) Formal Indoctrination

Control

Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system.

Discussion

Types of classified information that require formal indoctrination include Special Access Program (SAP), Restricted Data (RD), and Sensitive Compartmented Information (SCI).

PS-3(3) Information Requiring Special Protective Measures

Control

Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection: (a) Have valid access authorizations that are demonstrated by assigned official government duties; and (b) Satisfy [Assignment: additional personnel screening criteria].

Discussion

Organizational information that requires special protection includes controlled unclassified information. Personnel security criteria include position sensitivity background screening requirements.

PS-3(4) Citizenship Requirements

Control

Verify that individuals accessing a system processing, storing, or transmitting [Assignment: information types] meet [Assignment: citizenship requirements].

Discussion

None.

PS-4 Personnel Termination

Texas DIR Baseline

LOW

TxDIR Required By

2023-07-20

Control

Upon termination of individual employment:

  1. Disable system access within [Assignment: time period];

  2. Terminate or revoke any authenticators and credentials associated with the individual;

  3. Conduct exit interviews that include a discussion of [Assignment: information security topics];

  4. Retrieve all security-related organizational system-related property; and

  5. Retain access to organizational information and systems formerly controlled by the terminated individual.

Discussion

System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.

Control Enhancements

PS-4(1) Post-employment Requirements

Control

(a) Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and (b) Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.

Discussion

Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals.

PS-4(2) Automated Actions

Control

Use [Assignment: automated mechanisms] to [Selection (one or more): notify [Assignment: personnel or roles] of individual termination actions; disable access to system resources].

Discussion

In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications, or if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including via telephone, electronic mail, text message, or websites. Automated mechanisms can also be employed to quickly and thoroughly disable access to system resources after an employee is terminated.
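The discussion above leaves open how an organization verifies that PS-4 a. and b. (access disabled and credentials revoked within the defined time period) actually happened once the automated mechanisms have run. The following is an added example, not part of the Texas DIR or NIST catalog text: a reconciliation check that compares an HR termination feed against a snapshot of identity provider accounts and issued credentials, and reports every account that stayed enabled past the deadline, every credential not revoked in time, and every login observed after the termination date. The HR feed, the IdP snapshot, the field names, the four-hour window, and the for-cause flag are all constructed assumptions for illustration; a real deployment would read these from the HR system and the directory or IdP API.

```python
"""Terminated-user access reconciliation (PS-4 a./b. and PS-4(2) style check).

Added example, not part of the TxDIR/NIST catalog. All data, field names and
the 4-hour window below are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Organization-defined value for PS-4 a. ("disable system access within
# [Assignment: time period]"); assumed here to be 4 hours.
DISABLE_WINDOW = timedelta(hours=4)


@dataclass
class Termination:
    user: str
    terminated_at: datetime
    for_cause: bool = False  # assumed flag: for-cause terminations get no grace period


@dataclass
class Account:
    user: str
    enabled: bool
    disabled_at: Optional[datetime]
    last_login: Optional[datetime]
    # each credential: {"id": str, "kind": str, "revoked_at": Optional[datetime]}
    credentials: List[dict] = field(default_factory=list)


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC (constructed data uses no offsets)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed HR termination feed.
HR_FEED = [
    Termination("alice", _ts("2024-03-01T17:00:00")),                   # offboarded cleanly
    Termination("bob", _ts("2024-03-01T17:00:00")),                     # disabled late, SSH key left behind
    Termination("carol", _ts("2024-03-02T09:00:00"), for_cause=True),   # still enabled
]

# Constructed identity-provider snapshot taken at NOW.
IDP_SNAPSHOT: Dict[str, Account] = {
    "alice": Account("alice", False, _ts("2024-03-01T18:30:00"), _ts("2024-03-01T16:10:00"),
                     [{"id": "tok-a1", "kind": "api_token", "revoked_at": _ts("2024-03-01T18:30:00")}]),
    "bob": Account("bob", False, _ts("2024-03-03T10:00:00"), _ts("2024-03-02T08:45:00"),
                   [{"id": "key-b1", "kind": "ssh_key", "revoked_at": None}]),
    "carol": Account("carol", True, None, _ts("2024-03-02T11:00:00"), []),
}


def reconcile(hr_feed: List[Termination], idp: Dict[str, Account], now: datetime,
              window: timedelta = DISABLE_WINDOW) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for every PS-4 a./b. deadline that was missed.

    The deadline is terminated_at + window, except for for-cause terminations,
    where access is expected to be off by the termination time itself.
    """
    findings: List[Tuple[str, str]] = []
    for t in hr_feed:
        acct = idp.get(t.user)
        if acct is None:
            continue  # nothing to disable; a stricter check could flag "unknown to IdP"
        deadline = t.terminated_at if t.for_cause else t.terminated_at + window

        # PS-4 a.: account must be disabled by the deadline.
        if acct.enabled:
            if now > deadline:
                findings.append((t.user, "account still enabled past deadline"))
        elif acct.disabled_at is not None and acct.disabled_at > deadline:
            findings.append((t.user, "account disabled late"))

        # Any authentication after the termination time is a red flag regardless of deadline.
        if acct.last_login is not None and acct.last_login > t.terminated_at:
            findings.append((t.user, "login observed after termination"))

        # PS-4 b.: every authenticator/credential must be revoked by the deadline.
        for c in acct.credentials:
            if c["revoked_at"] is None or c["revoked_at"] > deadline:
                findings.append((t.user, f"credential {c['id']} ({c['kind']}) not revoked in time"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(HR_FEED, IDP_SNAPSHOT, _ts("2024-03-04T00:00:00")):
        print(f"{user}: {finding}")
```

Run it and alice produces no findings, bob is reported for the late disable, the post-termination login and the unrevoked SSH key, and carol is reported because a for-cause termination left the account enabled and a login followed. The same comparison works for external personnel under PS-7 if the provider's termination notices are fed in as the HR feed.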

PS-5 Personnel Transfer

Texas DIR Baseline

LOW

TxDIR Required By

2023-01-20

Control

  1. Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;

  2. Initiate [Assignment: transfer or reassignment actions] within [Assignment: time period following the formal transfer action];

  3. Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

  4. Notify [Assignment: personnel or roles] within [Assignment: time period].

Discussion

Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

PS-6 Access Agreements

Texas DIR Baseline

LOW

Privacy Baseline

Yes

TxDIR Required By

2023-01-20

Control

  1. Develop and document access agreements for organizational systems;

  2. Review and update the access agreements [Assignment: frequency]; and

  3. Verify that individuals requiring access to organizational information and systems:

    1. Sign appropriate access agreements prior to being granted access; and

    2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [Assignment: frequency].

Discussion

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

Control Enhancements

PS-6(1) Information Requiring Special Protection

Withdrawn: Incorporated into PS-3

PS-6(2) Classified Information Requiring Special Protection

Control

Verify that access to classified information requiring special protection is granted only to individuals who: (a) Have a valid access authorization that is demonstrated by assigned official government duties; (b) Satisfy associated personnel security criteria; and (c) Have read, understood, and signed a nondisclosure agreement.

Discussion

Classified information that requires special protection includes collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

PS-6(3) Post-employment Requirements

Control

(a) Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and (b) Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.

Discussion

Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals.

PS-7 External Personnel Security

Texas DIR Baseline

LOW

TxDIR Required By

2023-01-20

Control

  1. Establish personnel security requirements, including security roles and responsibilities for external providers;

  2. Require external providers to comply with personnel security policies and procedures established by the organization;

  3. Document personnel security requirements;

  4. Require external providers to notify [Assignment: personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: time period]; and

  5. Monitor provider compliance with personnel security requirements.

Discussion

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.

PS-8 Personnel Sanctions

Texas DIR Baseline

LOW

TxDIR Required By

2023-01-20

Control

  1. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and

  2. Notify [Assignment: personnel or roles] within [Assignment: time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Discussion

Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

PS-9 Position Descriptions

Control

Incorporate security and privacy roles and responsibilities into organizational position descriptions.

Discussion

Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles.
