03.09.02
Control Family: Personnel Security
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
N/A
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.09.02
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5 PS-04, PS-05
a. When individual employment is terminated:
1. Disable system access within [Assignment: organization-defined time period],
2. Terminate or revoke authenticators and credentials associated with the individual, and
3. Retrieve security-related system property.
b. When individuals are reassigned or transferred to other positions in the organization:
1. Review and confirm the ongoing operational need for current logical and physical access authorizations to the system and facility, and
2. Modify access authorization to correspond with any changes in operational need.
Discussion:
Security-related system property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that accountability is achieved for the organizational property. Security topics at exit interviews include reminding individuals of potential limitations on future employment and non-disclosure agreements. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment.
The timely execution of termination actions is essential for individuals who have been terminated for cause. Organizations may consider disabling the accounts of individuals who are being terminated prior to the individuals being notified. This requirement applies to the reassignment or transfer of individuals when the personnel action is permanent or of such extended duration as to require protection. Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new identification cards, keys, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing access to official records to which individuals had access at previous work locations in previous system accounts.
Assessment Methods and Objectives
Examine [SELECT FROM: personnel security policy and procedures; procedures for personnel termination; records of personnel transfer actions; procedures for personnel transfer; list of system and facility access authorizations; records of personnel termination actions; records of terminated or revoked authenticators or credentials; list of system accounts; records of exit interviews; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with personnel security responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system administrators]
Test [SELECT FROM: processes for personnel termination; processes for personnel transfer; mechanisms for supporting or implementing personnel transfer notifications; mechanisms for supporting or implementing personnel termination notifications; mechanisms for disabling system access and revoking authenticators]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.09.02.ODP[01]: the time period within which to disable system access is defined.
A.03.09.02.a.01: upon termination of individual employment, system access is disabled within <A.03.09.02.ODP[01]: time period>.
A.03.09.02.a.02[01]: upon termination of individual employment, authenticators associated with the individual are terminated or revoked.
A.03.09.02.a.02[02]: upon termination of individual employment, credentials associated with the individual are terminated or revoked.
A.03.09.02.a.03: upon termination of individual employment, security-related system property is retrieved.
A.03.09.02.b.01[01]: upon individual reassignment or transfer to other positions in the organization, the ongoing operational need for current logical and physical access authorizations to the system and facility is reviewed.
A.03.09.02.b.01[02]: upon individual reassignment or transfer to other positions in the organization, the ongoing operational need for current logical and physical access authorizations to the system and facility is confirmed.
A.03.09.02.b.02: upon individual reassignment or transfer to other positions in the organization, access authorization is modified to correspond with any changes in operational need.
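The determining statements above can be turned into an automated evidence check that an assessor or account-management team runs against HR and IAM records. The Python below is an added example, not text or code from NIST SP 800-171A or this page. It assumes a 24-hour value for ODP[01] (the requirement leaves the period to the organization), a hypothetical ROLE_BASELINE table of entitlements per role, and constructed termination, transfer and account records; it maps each checked user to the determining statements they fail, treating an account disabled before the effective termination time as compliant, as the discussion allows.

```python
"""Evidence check for the 03.09.02 determining statements over constructed records.

Assumptions (not from the requirement): a 24 h ODP[01] window, the ROLE_BASELINE
table, and the sample HR/IAM data at the bottom. No real systems are queried.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# ODP[01]: organization-defined period to disable access (assumed value: 24 hours).
ODP_DISABLE_WINDOW = timedelta(hours=24)

# Role-to-entitlement baselines for the transfer check (constructed, hypothetical).
ROLE_BASELINE = {
    "analyst": {"analyst-ro"},
    "helpdesk": {"helpdesk-tier1"},
}


@dataclass
class Account:
    user: str
    enabled: bool
    disabled_at: Optional[datetime] = None              # when the account was disabled, if ever
    authenticators: list = field(default_factory=list)  # still-active MFA tokens, SSH keys, ...
    credentials: list = field(default_factory=list)     # still-active API keys, certificates, ...
    entitlements: set = field(default_factory=set)      # current logical access authorizations


@dataclass
class Termination:
    user: str
    terminated_at: datetime
    property_returned: bool   # a.03: hardware tokens, badges, keys retrieved


@dataclass
class Transfer:
    user: str
    new_role: str
    access_reviewed: bool     # b.01[01]/[02]: ongoing need reviewed and confirmed


def check_termination(t: Termination, acct: Account) -> list:
    """Return the determining statements that fail for one terminated user."""
    failed = []
    # a.01: access disabled within the ODP window. An account disabled before the
    # termination time (e.g. prior to notification) has a negative elapsed time and passes.
    if acct.enabled or acct.disabled_at is None:
        failed.append("A.03.09.02.a.01")
    elif acct.disabled_at - t.terminated_at > ODP_DISABLE_WINDOW:
        failed.append("A.03.09.02.a.01")
    if acct.authenticators:      # a.02[01]: authenticators still active
        failed.append("A.03.09.02.a.02[01]")
    if acct.credentials:         # a.02[02]: credentials still active
        failed.append("A.03.09.02.a.02[02]")
    if not t.property_returned:  # a.03: security-related property not retrieved
        failed.append("A.03.09.02.a.03")
    return failed


def check_transfer(tr: Transfer, acct: Account) -> list:
    """Return the determining statements that fail for one transferred user."""
    failed = []
    if not tr.access_reviewed:   # b.01: review/confirmation of ongoing need not recorded
        failed.append("A.03.09.02.b.01")
    # b.02: anything beyond the new role's baseline is stale access carried over
    # from the previous position and should have been modified.
    excess = acct.entitlements - ROLE_BASELINE.get(tr.new_role, set())
    if excess:
        failed.append("A.03.09.02.b.02")
    return failed


def run_checks(terminations, transfers, accounts) -> dict:
    """Map each checked user to the list of determining statements they fail."""
    results = {}
    for t in terminations:
        results[t.user] = check_termination(t, accounts[t.user])
    for tr in transfers:
        results[tr.user] = check_transfer(tr, accounts[tr.user])
    return results


# Constructed sample records: one effective termination time, six users.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
ACCOUNTS = {
    "alice": Account("alice", False, T0 + timedelta(hours=2)),
    "bob":   Account("bob", False, T0 + timedelta(hours=48), credentials=["api-key-7"]),
    "carol": Account("carol", True, authenticators=["totp-device"]),
    "dan":   Account("dan", False, T0 - timedelta(hours=1)),  # disabled before notification
    "erin":  Account("erin", True, entitlements={"analyst-ro", "finance-admin"}),
    "frank": Account("frank", True, entitlements={"helpdesk-tier1"}),
}
TERMINATIONS = [
    Termination("alice", T0, True),
    Termination("bob", T0, False),
    Termination("carol", T0, True),
    Termination("dan", T0, True),
]
TRANSFERS = [
    Transfer("erin", "analyst", True),
    Transfer("frank", "helpdesk", False),
]

if __name__ == "__main__":
    for user, failed in run_checks(TERMINATIONS, TRANSFERS, ACCOUNTS).items():
        print(f"{user}: {'pass' if not failed else ', '.join(failed)}")
```

In practice the ACCOUNTS snapshot would be pulled from the directory and secrets stores and the termination and transfer lists from the HR system; the check itself is what produces the "records of personnel termination actions" an assessor examines.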