OVERVIEW (PS-1)

This document addresses the procedures and standards set forth by the State to implement the family of Personnel Security controls.

POSITION RISK DESIGNATION (PS-2)

A risk designation shall be assigned to all system user positions, and screening criteria shall be established for individuals filling those positions.

The following criteria will be used to establish a risk profile for each position. Low Risk is assumed unless the role requires one or more of the following. The highest applicable risk profile is used if the role requires more than one of the following.

  1. Holder has access to customer data - Medium Risk
  2. Holder is responsible for system administration of information systems - High Risk
  3. Holder can make enhancements, modify source code or promote updated code - High Risk
  4. Holder has administrator access to infrastructure (e.g. FedRAMP hosted servers, firewall or other equipment) - High Risk

The following roles are defined in the Access Control Policy and Procedure. A risk profile is assigned to each role.

  • Administration - Low Risk
  • Sales & Marketing - Low Risk
  • Technical Support - Medium Risk
  • Account Management - Medium Risk
  • Professional Services - Medium Risk
  • Engineering & Test - High Risk
  • Data Center Operations - High Risk
  • IT Management - High Risk

See the Access Control Policy and Procedure for additional information on roles.

PERSONNEL SCREENING (PS-3)

Any role that has a medium or higher risk profile requires a Background Check (PS001) to be performed.

PERSONNEL TERMINATION (PS-4)

When an employee or contractor is terminated, the following offboarding procedure shall be followed:

  • Disable information system access within 1 business day
  • Revoke any authenticators/credentials associated with the individual
  • Conduct an exit interview that includes a discussion that information security responsibilities continue after severance (Reference Information Security Training).
  • Retrieve all physical assets (e.g. laptop)
  • Transfer any administrator responsibilities to other staff members (as appropriate)
  • Notify impacted staff members within 2 business days of termination

An artifact attesting to successful completion of offboarding (PS002) is required.

A backup of relevant data stored on the individual's system will be retained for 90 days for continuity and forensic purposes (documented in PS002).

PERSONNEL TRANSFER (PS-5)

When an individual is transferred to another role, management is responsible for re-evaluating their role (and associated risk profile).

When an employee or contractor is transferred, the following transfer procedure shall be followed:

  • Change information system access within 1 business day to reflect the new role
  • Revoke/issue or modify any authenticators/credentials associated with the individual
  • Retrieve or exchange physical assets if appropriate
  • Transfer any administrator responsibilities to other staff members (as appropriate)
  • Notify impacted staff members within 2 business days of transfer

An artifact attesting to successful completion of transfer (PS002) is required.

ACCESS AGREEMENTS (PS-6)

On hire, all employees are required to sign a Confidentiality Agreement (PS003). This agreement defines the terms of access for organizational information and information systems. PS003 must be re-signed annually.

THIRD-PARTY PERSONNEL SECURITY (PS-7)

No third-party personnel are used at this time.

PERSONNEL SANCTIONS (PS-8)

Failure to comply with this policy can result in termination or a formal sanction.

An artifact defining sanction scope (PS004) shall be generated within 2 business days of sanction. The artifact shall specify which team members must be notified and when they were notified.

AUDIT

  • Quarterly Management Review (MR001) includes review of new PS001(s) and PS003(s) against employee roster (AT002), updated PS002(s) against employee roster and any new PS004(s). Review must include check of PS003 for annual signature.
  • Annual Management Review (MR002) includes review of this policy including review of risk designations.