Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/PS/Low

From FISMApedia
Jump to: navigation, search

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


PERSONNEL SECURITY

PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-1 Personnel Security Policy and Procedures P1 LOW PS-1 MOD PS-1 HIGH PS-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-1


ASSESSMENT PROCEDURE
PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES
PS-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents personnel security policy;
(ii) the organization personnel security policy addresses:
(iii) the organization disseminates formal documented personnel security policy to elements within the organization having associated personnel security roles and responsibilities;
(iv) the organization develops and formally documents personnel security procedures;
(v) the organization personnel security procedures facilitate implementation of the personnel security policy and associated personnel security controls; and
(vi) the organization disseminates formal documented personnel security procedures to elements within the organization having associated personnel security roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy and procedures, other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].
PS-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of personnel security policy reviews/updates;
(ii) the organization reviews/updates personnel security policy in accordance with organization-defined frequency; and
(iii) the organization defines the frequency of personnel security procedure reviews/updates;
(iv) the organization reviews/updates personnel security procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].


PS-2 POSITION CATEGORIZATION


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-2 Position Categorization P1 LOW PS-2 MOD PS-2 HIGH PS-2


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-2


ASSESSMENT PROCEDURE
PS-2 POSITION CATEGORIZATION
PS-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization assigns a risk designation to all positions within the organization;
(ii) the organization establishes a screening criteria for individuals filling organizational positions;
(iii) the organization defines the frequency of risk designation reviews and updates for organizational positions; and
(iv) the organization reviews and revises position risk designations in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing position categorization; appropriate codes of federal regulations; list of risk designations for organizational positions; security plan; records of risk designation reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



PS-3 PERSONNEL SCREENING


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-3 Personnel Screening P1 LOW PS-3 MOD PS-3 HIGH PS-3


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-3


ASSESSMENT PROCEDURE
PS-3 PERSONNEL SCREENING
PS-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization screens individuals prior to authorizing access to the information system;
(ii) the organization defines conditions requiring re-screening and, where re-screening is so indicated, the frequency of such re-screening; and
(iii) the organization re-screens individuals according to organization-defined conditions requiring re-screening and, where re-screening is so indicated, the organization-defined frequency of such re-screening.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



PS-4 PERSONNEL TERMINATION


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-4 Personnel Termination P2 LOW PS-4 MOD PS-4 HIGH PS-4


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-4


ASSESSMENT PROCEDURE
PS-4 PERSONNEL TERMINATION
PS-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization terminates information system access upon termination of individual employment;
(ii) the organization conducts exit interviews of terminated personnel;
(iii) the organization retrieves all security-related organizational information system-related property from terminated personnel; and
(iv) the organization retains access to organizational information and information systems formerly controlled by terminated personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel termination; records of personnel termination actions; list of information system accounts; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



PS-5 PERSONNEL TRANSFER


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-5 Personnel Transfer P2 LOW PS-5 MOD PS-5 HIGH PS-5


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-5


ASSESSMENT PROCEDURE
PS-5 PERSONNEL TRANSFER
PS-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization;
(ii) the organization defines the transfer or reassignment actions and the time period within which the actions must occur following formal transfer or reassignment; and
(iii) the organization initiates the organization-defined transfer or reassignment actions within an organization-defined time period following formal transfer or reassignment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel transfer; security plan; records of personnel transfer actions; list of information system and facility access authorizations; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



PS-6 ACCESS AGREEMENTS


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-6 Access Agreements P3 LOW PS-6 MOD PS-6 HIGH PS-6


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-6


ASSESSMENT PROCEDURE
PS-6 ACCESS AGREEMENTS
PS-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies appropriate access agreements for individuals requiring access to organizational information and information systems;
(ii) individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;
(iii) the organization defines the frequency of reviews/updates for access agreements; and
(iv) the organization reviews/updates the access agreements in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing access agreements for organizational information and information systems; security plan; access agreements; records of access agreement reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



PS-7 THIRD-PARTY PERSONNEL SECURITY


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-7 Third-Party Personnel Security P1 LOW PS-7 MOD PS-7 HIGH PS-7


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-7


ASSESSMENT PROCEDURE
PS-7 THIRD-PARTY PERSONNEL SECURITY
PS-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes personnel security requirements, including security roles and responsibilities, for third-party providers
(ii) the organization documents personnel security requirements for third-party providers; and
(iii) the organization monitors third-party provider compliance with personnel security requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing third-party personnel security; list of personnel security requirements; acquisition documents; compliance monitoring process; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities; third-party providers].



PS-8 PERSONNEL SANCTIONS


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-8 Personnel Sanctions P3 LOW PS-8 MOD PS-8 HIGH PS-8


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-8


ASSESSMENT PROCEDURE
PS-8 PERSONNEL SANCTIONS
PS-8.1 ASSESSMENT OBJECTIVE:
Determine if the organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel sanctions; rules of behavior; records of formal sanctions; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



Source