Joint task force transformation initiative




P2 | LOW PS-5 | MOD PS-5 | HIGH PS-5



PS-6 ACCESS AGREEMENTS


Control: The organization:

  a. Develops and documents access agreements for organizational information systems;

  b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and

  c. Ensures that individuals requiring access to organizational information and information systems:

    1. Sign appropriate access agreements prior to being granted access; and

    2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].

Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related controls: PL-4, PS-2, PS-3, PS-4, PS-8.

Control Enhancements:

  (1) ACCESS AGREEMENTS | INFORMATION REQUIRING SPECIAL PROTECTION

[Withdrawn: Incorporated into PS-3].

  (2) ACCESS AGREEMENTS | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION

The organization ensures that access to classified information requiring special protection is granted only to individuals who:

    (a) Have a valid access authorization that is demonstrated by assigned official government duties;

    (b) Satisfy associated personnel security criteria; and

    (c) Have read, understood, and signed a nondisclosure agreement.

Supplemental Guidance: Classified information requiring special protection includes, for example, collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.

  (3) ACCESS AGREEMENTS | POST-EMPLOYMENT REQUIREMENTS

The organization:

    (a) Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and

    (b) Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.

Supplemental Guidance: Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals.

References: None.

Priority and Baseline Allocation:

P3 | LOW PS-6 | MOD PS-6 | HIGH PS-6



PS-7 THIRD-PARTY PERSONNEL SECURITY


Control: The organization:

  a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;

  b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;

  c. Documents personnel security requirements;

  d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and

  e. Monitors provider compliance.

Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21.

Control Enhancements: None.

References: NIST Special Publication 800-35.

Priority and Baseline Allocation:

P1

