PS-01-727 Personnel Security Policy and Procedures

Personnel Security Policy and Procedures

Control ID

PS-01-727

Control Name

Personnel Security Policy and Procedures

Control Category

Personnel Security

Functional Areas

Protect

Sub-Areas

Personnel Security

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

Information resource owners are responsible for granting access to information under their control. All employees, contractors, visiting scholars, etc. shall be screened through the human resources hiring process for criminal background. The chief information officer shall ensure access to information resources is tightly integrated into the hiring and termination process.

Risk Statement

Employees, contractors and third party users do not maintain their security responsibilities.

Control Description

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and b. Reviews and updates the current: 1. Personnel security policy [Assignment: organization-defined frequency]; and 2. Personnel security procedures [Assignment: organization-defined frequency].

Control Example

The organization has written, documented personnel security policies and procedures in place.

State Implementation

The state organization has a formal, documented, personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Testing Procedures

Obtain personnel security policy and procedures, other relevant documents or records and ascertain if : (I)the organization develops and documents personnel security policy and procedures. (ii)the organization disseminates personnel security policy and procedures to appropriate elements within the organization. (iii)responsible parties within the organization periodically review personnel security policy and procedures. (iv)the organization updates personnel security policy and procedures when organizational review indicates updates are required. (v)the personnel security policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance (vi)the personnel security policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance. (vii)the personnel security procedures address all areas identified in the personnel security policy and address achieving policy-compliant implementations of all associated personnel security controls.