PS-02-727 Position Risk Designation

Position Risk Designation

Personnel Security
February 15, 2018

All authorized users are required to acknowledge their compliance with the TTI Rules of Behavior for Use of Agency Information Resources document as part of their annual information security awareness training. This acknowledgement is required to maintain an active enterprise user account.

Security roles and responsibilities are not defined and clearly communicated to job candidates during the pre-employment process.
The organization: a. Assigns a risk designation to all organizational positions; b. Establishes screening criteria for individuals filling those positions; and c. Reviews and updates position risk designations [Assignment: organization-defined frequency].
The organization identifies and classifies personnel positions based on risk category. The purpose of classifying positions by risk level is to identify and enforce background checks and other controls appropriate to higher-risk positions. For example, a security administrator with “keys to the kingdom” has a higher risk profile and may require more analysis than a groundskeeper.
All authorized users (including, but not limited to, state organization personnel, temporary employees, and employees of independent contractors) of the state organization’s information resources, shall formally acknowledge that they will comply with the security policies and procedures of the state organization or they shall not be granted access to information resources. The state organization head or his or her designated representative will determine the method of acknowledgement and how often this acknowledgement must be re-executed by the user to maintain access to state organization information resources.
Obtain personnel security policy; procedures addressing position categorization; appropriate codes of federal regulations; OPM policy and guidance; list of risk designations for organizational positions; security plan; records of risk designation reviews and updates; other relevant documents or records and ascertain if: (i) the organization assigns a risk designation to all positions within the organization; (ii) the organization establishes screening criteria for individuals filling organizational positions; (iii) the risk designations for the organizational positions are consistent with 5 CFR 731.106(a) and OPM policy and guidance; (iv) the organization defines in the security plan, explicitly or by reference, the frequency of risk designation reviews and updates for organizational positions; (v) the organization reviews and revises position risk designations in accordance with the organization-defined frequency.