PS-05-727 Personnel Transfer

Personnel Transfer

Control ID

PS-05-727

Control Name

Personnel Transfer

Control Category

Personnel Security

Functional Areas

Protect

Sub-Areas

Personnel Security

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

February 15, 2018

Agency Implementation

Information resource owners for organizational areas losing and gaining an employee during a transfer are responsible for reviewing the employee's information resource access to ensure the access is appropriate for the duties to be performed.

Information resource owners are also responsible for periodically (on a schedule established by AC-02-727) reviewing all access to resources under their control.

Risk Statement

Employee, contractor or third party user terminations or change of responsibilities could result in a security breach due to lack of a defined management process for terminations or changes in responsibilities.

Control Description

The organization: a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

Control Example

Information system owners periodically review access privileges.

State Implementation

The organization reviews information systems/facilities access authorizations when personnel are reassigned or transferred to other positions within the organization and initiates appropriate actions.

Testing Procedures

Obtain personnel security policy; procedures addressing personnel transfer; records of personnel transfer actions; list of information system and facility access authorizations; other relevant documents or records and ascertain if : (I)the organization reviews information systems/facilities access authorizations when personnel are reassigned or transferred to other positions within the organization. (ii)the organization initiates appropriate actions (e.g., reissuing keys, identification cards, building passes; closing old accounts and establishing new accounts; and changing system access authorization) for personnel reassigned or transferred within the organization.