Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/PS/High

Template:Doc:NIST SP 800-53r3 Appendix F/PS-1

Determine if: (i) the organization develops and formally documents personnel security policy; (ii) the organization personnel security policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented personnel security policy to elements within the organization having associated personnel security roles and responsibilities; (iv) the organization develops and formally documents personnel security procedures; (v) the organization personnel security procedures facilitate implementation of the personnel security policy and associated personnel security controls; and (vi) the organization disseminates formal documented personnel security procedures to elements within the organization having associated personnel security roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Personnel security policy and procedures, other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].

Determine if: (i) the organization defines the frequency of personnel security policy reviews/updates; (ii) the organization reviews/updates personnel security policy in accordance with organization-defined frequency; and (iii) the organization defines the frequency of personnel security procedure reviews/updates; (iv) the organization reviews/updates personnel security procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Personnel security policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/PS-2

Determine if: (i) the organization assigns a risk designation to all positions within the organization; (ii) the organization establishes a screening criteria for individuals filling organizational positions; (iii) the organization defines the frequency of risk designation reviews and updates for organizational positions; and (iv) the organization reviews and revises position risk designations in accordance with the organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Personnel security policy; procedures addressing position categorization; appropriate codes of federal regulations; list of risk designations for organizational positions; security plan; records of risk designation reviews and updates; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/PS-3

Determine if: (i) the organization screens individuals prior to authorizing access to the information system; (ii) the organization defines conditions requiring re-screening and, where re-screening is so indicated, the frequency of such re-screening; and (iii) the organization re-screens individuals according to organization-defined conditions requiring re-screening and, where re-screening is so indicated, the organization-defined frequency of such re-screening.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/PS-4

Determine if: (i) the organization terminates information system access upon termination of individual employment; (ii) the organization conducts exit interviews of terminated personnel; (iii) the organization retrieves all security-related organizational information system-related property from terminated personnel; and (iv) the organization retains access to organizational information and information systems formerly controlled by terminated personnel.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel termination; records of personnel termination actions; list of information system accounts; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/PS-5

Determine if: (i) the organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization; (ii) the organization defines the transfer or reassignment actions and the time period within which the actions must occur following formal transfer or reassignment; and (iii) the organization initiates the organization-defined transfer or reassignment actions within an organization-defined time period following formal transfer or reassignment.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel transfer; security plan; records of personnel transfer actions; list of information system and facility access authorizations; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/PS-6

Determine if: (i) the organization identifies appropriate access agreements for individuals requiring access to organizational information and information systems; (ii) individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; (iii) the organization defines the frequency of reviews/updates for access agreements; and (iv) the organization reviews/updates the access agreements in accordance with the organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Personnel security policy; procedures addressing access agreements for organizational information and information systems; security plan; access agreements; records of access agreement reviews and updates; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/PS-7

Determine if: (i) the organization establishes personnel security requirements, including security roles and responsibilities, for third-party providers (ii) the organization documents personnel security requirements for third-party providers; and (iii) the organization monitors third-party provider compliance with personnel security requirements.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Personnel security policy; procedures addressing third-party personnel security; list of personnel security requirements; acquisition documents; compliance monitoring process; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities; third-party providers].

Template:Doc:NIST SP 800-53r3 Appendix F/PS-8

Determine if the organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel sanctions; rules of behavior; records of formal sanctions; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].