PS-05-727 Personnel Transfer

Personnel Transfer

PS-05-727
Personnel Transfer
Personnel Security
Protect
Personnel Security
LOW, MOD, HIGH
P2
Yes
February 15, 2018

Information resource owners for organizational areas losing and gaining an employee during a transfer are responsible for reviewing the employee's information resource access to ensure the access is appropriate for the duties to be performed.

Information resource owners are also responsible for periodically (on a schedule established by AC-02-727) reviewing all access to resources under their control.

Employee, contractor or third party user terminations or change of responsibilities could result in a security breach due to lack of a defined management process for terminations or changes in responsibilities.
The organization: a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
Information system owners periodically review access privileges.
The organization reviews information systems/facilities access authorizations when personnel are reassigned or transferred to other positions within the organization and initiates appropriate actions.
Obtain personnel security policy; procedures addressing personnel transfer; records of personnel transfer actions; list of information system and facility access authorizations; other relevant documents or records and ascertain if : (I)the organization reviews information systems/facilities access authorizations when personnel are reassigned or transferred to other positions within the organization. (ii)the organization initiates appropriate actions (e.g., reissuing keys, identification cards, building passes; closing old accounts and establishing new accounts; and changing system access authorization) for personnel reassigned or transferred within the organization.