System Security Plan (SSP) Categorization: Moderate-Low-Low




10.19 Personnel Security (PS)

10.19.1 PS-1 – Personnel Security Policy and Procedures


Program-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.

10.19.2 PS-2 – Position Categorization





Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



Access to individual Programs will be managed IAW the NISPOM. Positions will be reviewed annually, or as policy and procedures dictate that changes are required.




CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.19.3 PS-3 – Personnel Screening





Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



Organizations shall ensure that every user accessing an IS processing, storing, or transmitting types of classified information which require formal indoctrination, is formally indoctrinated for all information for which the user is authorized access.

The organization:



Screens individuals prior to authorizing access to the information system

Click here to enter text.



Rescreens individuals according to personnel security guidelines defined

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.19.3.1 PS-3(1) – Personnel Screening: Classified Information (+ Classified Overlay)


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system. Reference DoDM 5205.07-V2.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.19.3.2 PS-3(3) – Personnel Screening: Information With Special Protection Measures (+ Privacy Overlay) – NEW


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization ensures that individuals accessing an IS processing, storing or transmitting information requiring special protection: (a) have valid access authorizations that are demonstrated by assigned official government duties; and (b) satisfy any organizationally required background screenings.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.19.4 PS-4 – Personnel Termination (+ Classified)





Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



When any system user (to include privileged and non-privileged users) leaves the organization due to employment termination (whether voluntary or involuntary) or retirement, the individual responsible for user account management must ensure all system accesses are removed. This includes notifying other organizations that may have granted system accesses (for example, collateral systems access, database access managed by another agency or organization, etc.). Notification of an employee’s termination is the responsibility of the organization. The organization must also ensure that information deemed to be of value is retained before the departing user’s accounts are archived and removed. The property custodian must retrieve any equipment issued to the departing individual, such as laptops or PEDs. The loss of security clearance or formal access approval (through de-briefing, suspension or revocation) requires immediate deactivation of all accounts associated with the individual.

The organization, upon termination of an individual:



Disables information system access within 24 hours

Click here to enter text.

Terminates/revokes any authenticators/credentials associated with the individual

Click here to enter text.

Conducts exit interviews that include a discussion of any prohibitions regarding the information obtained during the employment

Click here to enter text.

Retrieves all security-related organizational information system-related property

Click here to enter text.

Retains access to organizational information and information systems formerly controlled by terminated individual

Click here to enter text.

Notifies the immediately upon termination

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.19.4.1 PS-4(1) – Personnel Termination: Post-Termination Requirements (+ Classified Overlay) – NEW BASELINE


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization (a) notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and (b) requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.19.5 PS-5 – Personnel Transfer





Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



Notify other organizations that may have granted system accesses (for example, collateral systems access, database access managed by another agency or organization) of the individual’s transfer or reassignment. Notification of an employee’s transfer or reassignment shall be documented as the responsibility of the employee’s supervisor or Human Resources. The property custodian must determine whether any equipment issued to the individual, such as laptops or PEDs, should be retrieved or transferred to another property account. Reference AC-2 for additional requirements.

The organization, upon transfer of an individual:



Reviews and confirms any ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization

Click here to enter text.



Initiates reassignment actions to ensure all system accesses no longer required (need to know) are removed or disabled within 10 working days

Click here to enter text.

Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer

Click here to enter text.

Notifies the ISSM as soon as possible

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.
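The PS-4, PS-5 and PS-7 statements above each set a deadline for an offboarding action (access disabled within 24 hours of termination, unneeded access removed within 10 working days of a transfer, third-party provider notification within 1 working day). The following is an added example, not part of the SSP template or any program's own tooling, of a continuous-monitoring check that compares HR event times against account-action times and reports the records that breached their deadline; the record layout, ids and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Optional

# Deadlines taken from the PS-4, PS-5 and PS-7 statements in this section.
TERMINATION_MAX = timedelta(hours=24)   # PS-4: disable access within 24 hours
TRANSFER_MAX_WORKING_DAYS = 10          # PS-5: remove unneeded access within 10 working days
THIRD_PARTY_MAX_WORKING_DAYS = 1        # PS-7: provider notifies within 1 working day


def working_days_between(start: datetime, end: datetime) -> int:
    """Count Mon-Fri days after start's date up to and including end's date."""
    days = 0
    d = start.date() + timedelta(days=1)
    while d <= end.date():
        if d.weekday() < 5:
            days += 1
        d += timedelta(days=1)
    return days


def is_overdue(kind: str, event: datetime, action: Optional[datetime]) -> bool:
    """True when the required action missed the deadline for this record kind."""
    if action is None:          # never actioned: always a finding
        return True
    if kind == "termination":
        return action - event > TERMINATION_MAX
    if kind == "transfer":
        return working_days_between(event, action) > TRANSFER_MAX_WORKING_DAYS
    if kind == "third_party":
        return working_days_between(event, action) > THIRD_PARTY_MAX_WORKING_DAYS
    raise ValueError(f"unknown record kind: {kind}")


def check_offboarding(records: list) -> list:
    """Return the ids of records that breached their deadline, in input order."""
    findings = []
    for rec in records:
        event = datetime.fromisoformat(rec["event_time"])
        action = datetime.fromisoformat(rec["action_time"]) if rec["action_time"] else None
        if is_overdue(rec["kind"], event, action):
            findings.append(rec["id"])
    return findings


# Constructed sample records (hypothetical ids and times; 2024-03-01 is a Friday).
SAMPLE_RECORDS = [
    {"id": "T-001", "kind": "termination", "event_time": "2024-03-01T09:00", "action_time": "2024-03-01T17:00"},
    {"id": "T-002", "kind": "termination", "event_time": "2024-03-01T09:00", "action_time": "2024-03-03T10:00"},
    {"id": "X-001", "kind": "transfer", "event_time": "2024-03-01T09:00", "action_time": "2024-03-15T16:00"},
    {"id": "X-002", "kind": "transfer", "event_time": "2024-03-01T09:00", "action_time": "2024-03-18T09:00"},
    {"id": "C-001", "kind": "third_party", "event_time": "2024-03-01T09:00", "action_time": "2024-03-04T09:00"},
    {"id": "C-002", "kind": "third_party", "event_time": "2024-03-01T09:00", "action_time": None},
]

if __name__ == "__main__":
    print("Overdue:", check_offboarding(SAMPLE_RECORDS))  # Overdue: ['T-002', 'X-002', 'C-002']
```

Working days are counted as Monday to Friday only; a program that observes holidays or a different duty week would adjust `working_days_between` to its own calendar.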

10.19.6 PS-6 – Access Agreements





Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



All users are required to read and sign a Standard Mandatory Notice and Consent provision for all IS (i.e., the General User Access Agreement and Acknowledgement of Responsibilities) prior to being granted access to information systems. In addition, privileged users are required to read and sign a Privileged User Access Agreement and Acknowledgement of Responsibilities prior to being granted elevated privileges to IS and applications. These agreements must be reviewed and updated upon account creation, user transfer or user termination. Organizations may add additional requirements to the agreement provided they do not conflict with the official verbiage. See Account Management [AC-2] for additional information on user roles and responsibilities.

The User Access Agreement shall be retained by the ISSM for a minimum of two (2) years after access is removed. Organizations shall ensure that access to any information with special protection measures is granted only to individuals who:

    • Have a valid access authorization that is demonstrated by assigned official government duties.

    • Satisfy associated personnel security criteria consistent with applicable federal laws, EOs, directives, policies, regulations, standards, and guidance.

    • Have read, understand, and signed a nondisclosure agreement (if applicable).

Information with special protection measures includes, for example, privacy information, proprietary information, and Sources and Methods Information (SAMI).

The organization:



Develops and documents access agreements for organizational information systems

Click here to enter text.



Reviews and updates access agreements at least annually

Click here to enter text.

Ensures that individuals requiring access to organization information and IS: sign appropriate access agreements prior to being granted access; re-sign access agreements to maintain access to organization IS when access agreements have been updated, or at least annually

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.19.6.1 PS-6(1) – Access Agreements: Information Requiring Special Protection – WITHDRAWN, Incorporated into PS-3

10.19.6.2 PS-6(2) – Access Agreements: Classified Information Requiring Special Protection (+ Classified Overlay)


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization ensures that access to classified information requiring special protection is granted only to individuals who (a) have a valid access authorization that is demonstrated by assigned official government duties; (b) satisfy associated personnel security criteria; and (c) have read, understood, and signed a nondisclosure agreement.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.19.6.3 PS-6(3) – Access Agreements: Post-Employment Requirements (+ Classified Overlay) – NEW BASELINE


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization (a) notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and (b) requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.19.7 PS-7 – Third-Party Personnel Security





Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The term “third party” as it relates to personnel security and contracts is not frequently used in DoD. If a third-party situation seems to apply, contact the AO and/or contracting representative for clarification and guidance. For ARMY: ensure DSS is contacted if appropriate.

The organization:



Establishes personnel security requirements including security roles and responsibilities for third-party providers

Click here to enter text.



Requires third-party providers to comply with personnel security policies and procedures established by the organization

Click here to enter text.

Documents personnel security requirements

Click here to enter text.

Requires third-party providers to notify the organization of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges as soon as possible, but not to exceed 1 working day

Click here to enter text.

Monitors provider compliance

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.19.8 PS-8 – Personnel Sanctions


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



All instances where an individual fails to comply with established information security policies and procedures will be treated as security incidents.

The organization:



Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures

Click here to enter text.



Notifies the appropriate organizations as soon as possible when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.
