Personnel Security (from NIST)
This list of personnel security controls, with a short description of each, is meant to tie each control to a concrete activity or behavior. For NIST's own descriptions, see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.
- Personnel security policy and procedures - A policy should be established for personnel security, covering screening of individuals before employment, handling of access when employees leave or transfer, and access agreements with contractors. The policy should define its scope, roles, and responsibilities, and the types of sanctions to be used in response to inappropriate behavior. It must also ensure that all access is surrendered and all organizational property is returned when an employee is terminated. (low)
- Position categorization - A risk designation is assigned to every position, and the security screening and background checking of individuals who fill those positions is as thorough as the risk designation of the position requires. (low)
- Personnel screening - Individuals are screened, including background checks, before they are allowed access to data and systems that may be sensitive. (low)
- Personnel termination - When any employee is terminated, all access to organizational resources should be revoked (accounts disabled, credentials and badges retrieved) and all organizational property returned. (low)
- Personnel transfer - When an employee transfers, access to the various systems should be reviewed and changed to match the new duties, and access no longer needed for those duties should be removed. (low)
- Access agreements - Individuals requiring access to organizational information and systems, employees and contractors alike, sign the appropriate agreements before access is granted: non-disclosure agreements, conflict-of-interest agreements, appropriate-use agreements, and so on. (low)
- Third party personnel security - Contractors and other third-party providers should be bound by the same personnel security requirements and agreements that employees are bound by, and their compliance should be monitored. (low)
- Personnel sanctions - Sanctions are the disciplinary actions that may be taken in response to a policy violation. Examples include a reprimand, probation, demotion, or dismissal. (low)