Revoke asset access when a personnel status change occurs or an individual is terminated.


CONTROL ID
00516
CONTROL TYPE
Behavior
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Review all user privileges, as necessary. (CC ID: 06784)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization shall immediately cancel access authorization when a user no longer has a need to access the data for his/her duties. (O18.5, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The FI should limit access to DC to authorised staff only. The FI should only grant access to the DC on a need to have basis. Physical access of staff to the DC should be revoked immediately if it is no longer required. (§ 10.2.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access. (Control: ISM-0430; Revision: 7, Australian Government Information Security Manual, June 2023)
  • Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access. (Control: ISM-0430; Revision: 7, Australian Government Information Security Manual, September 2023)
  • The organization should remove the access rights for an individual upon a change in role or responsibility or termination of employment. (¶ 44(e), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • removal of access rights whenever there is a change in role or responsibility, and on cessation of employment. Access rights can then be granted in line with the new role or responsibility, without risk of unnecessary access remaining; (¶ 44(e), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • User accounts should be removed from the system as soon as a user leaves the organization or changes roles. (§ 3.6.18, Australian Government ICT Security Manual (ACSI 33))
  • Data access authorisations of users under the cloud provider's responsibility (internal and external employees) are withdrawn in the case of changes to the employment relationship (dismissal, transfer, longer period of absence/sabbatical/parental leave) promptly, but 30 days after its coming into fo… (Section 5.7 IDM-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • When a person in charge of processing is disqualified from accessing personal data, his/her authentication credentials must be deactivated also. (Annex B.8, Italy Personal Data Protection Code)
  • Processes are in place to remove physical access to facilities and system resources when an individual no longer requires access. (S7.2 Removes physical access, Privacy Management Framework, Updated March 1, 2020)
  • Access ought to be restricted to the minimum amount necessary to complete a certain job. Further, access controls should be monitored. (§ IV.11, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization deactivate the access controls of an employee to the building and computer networks prior to the employee's termination? (Table Row IV.16, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is access for any terminated users immediately deactivated or removed? (8.1.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.2)
  • Select a sample of employees terminated in the past six months, and review current user access lists to verify that their identifiers have been deactivated or removed. (§ 8.5.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • The organization must ensure it has developed a password and user authentication management program that requires immediately revoking the access of all terminated users. (§ 8.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Select a sample of employees terminated in the past six months, and review current user access lists to verify that their IDs have been deactivated or removed. (§ 8.5.4 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • System access must be immediately revoked for all terminated users. (PCI DSS Requirements § 8.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Physical access for onsite personnel to sensitive areas must be controlled by immediately revoking access on termination. (PCI DSS Requirements § 9.3 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Immediately revoke access for any terminated users. (8.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. (9.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. (9.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Immediately revoke access for any terminated users. (8.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Immediately revoke access for any terminated users. (8.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. (9.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is access for any terminated users immediately deactivated or removed? (8.1.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is access for any terminated users immediately deactivated or removed? (8.1.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Is access for any terminated users immediately deactivated or removed? (8.1.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is physical access to sensitive areas controlled for onsite personnel, as follows: - Is access authorized and based on individual job function? - Is access revoked immediately upon termination - Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disab… (9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is physical access to sensitive areas controlled for onsite personnel, as follows: - Is access authorized and based on individual job function? - Is access revoked immediately upon termination - Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disab… (9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are procedures developed to easily distinguish between onsite personnel and visitors, which include: - Identifying onsite personnel and visitors (for example, assigning badges), - Changing access requirements, and - Revoking terminated onsite personnel and expired visitor identification (such as ID … (9.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is access for any terminated users immediately deactivated or removed? (8.1.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is physical access to sensitive areas controlled for onsite personnel, as follows: - Is access authorized and based on individual job function? - Is access revoked immediately upon termination - Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disab… (9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Verify all physical authentication methods—such as, smart cards, tokens, etc.—have been returned or deactivated. (8.1.3.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Select a sample of users terminated in the past six months, and review current user access lists—for both local and remote access—to verify that their IDs have been deactivated or removed from the access lists. (8.1.3.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Access is revoked immediately upon termination. (9.3.1.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Observe processes and interview personnel to verify that access of all personnel is revoked immediately upon termination. (9.3.1.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Is access for any terminated users immediately deactivated or removed? (PCI DSS Question 8.1.3, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Is access for any terminated users immediately deactivated or removed? (PCI DSS Question 8.1.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is access for any terminated users immediately deactivated or removed? (PCI DSS Question 8.1.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Access is revoked immediately upon termination. (9.3.1.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Access is revoked immediately upon termination. (9.3.1.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • User identities that are no longer needed must be deactivated or removed. The policy must identify procedures to complete when personnel leave the organization. Reviews must be conducted to ensure the appropriate action took place. (§ 4.2.1 (Determine Controls Within the Identity Life Cycle Process) ¶ 3, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • The organization should ensure userIDs and passwords for employees who have been terminated or reassigned are disabled immediately. (Pg 12-IV-4, Pg 12-IV-20, Protection of Assets Manual, ASIS International)
  • Customer access to business applications should be protected (based on the principle of 'least access') by terminating customer connections on a timely basis (e.g., when a security breach occurs or when they are no longer required). (CF.05.03.07d, The Standard of Good Practice for Information Security)
  • A process for terminating the access privileges of users should be established to ensure that authentication details are revoked promptly on all systems to which the user had access. (CF.06.01.09a-1, The Standard of Good Practice for Information Security)
  • A process for terminating the access privileges of users should be established to ensure that access profiles / accounts are deleted. (CF.06.01.09b, The Standard of Good Practice for Information Security)
  • A process for terminating the access privileges of users should be established to ensure that components dedicated to providing access, such as tokens, modems, or Virtual Private Networks are disabled or removed. (CF.06.01.09c, The Standard of Good Practice for Information Security)
  • There should be a documented requirement for access privileges to be revoked immediately when an authorized user no longer requires access to information or systems as part of their job. (CF.02.01.04-1, The Standard of Good Practice for Information Security)
  • There should be a documented requirement for access privileges to be revoked immediately when an authorized user leaves the organization. (CF.02.01.04-2, The Standard of Good Practice for Information Security)
  • A process for terminating the access privileges of users should be established to ensure that access rights are revoked promptly on all systems to which the user had access. (CF.06.01.09a-2, The Standard of Good Practice for Information Security)
  • A consistent method for securely handling the termination of relationships with external suppliers should be established, which includes revocation of physical and logical access rights to the organization's information. (CF.16.01.08b, The Standard of Good Practice for Information Security)
  • Customer access to business applications should be protected (based on the principle of 'least access') by terminating customer connections on a timely basis (e.g., when a security breach occurs or when they are no longer required). (CF.05.03.07d, The Standard of Good Practice for Information Security, 2013)
  • A process for terminating the access privileges of users should be established to ensure that authentication details are revoked promptly on all systems to which the user had access. (CF.06.01.09a-1, The Standard of Good Practice for Information Security, 2013)
  • A process for terminating the access privileges of users should be established to ensure that access profiles / accounts are deleted. (CF.06.01.09b, The Standard of Good Practice for Information Security, 2013)
  • A process for terminating the access privileges of users should be established to ensure that components dedicated to providing access, such as tokens, modems, or Virtual Private Networks are disabled or removed. (CF.06.01.09c, The Standard of Good Practice for Information Security, 2013)
  • There should be a documented requirement for access privileges to be revoked immediately when an authorized user no longer requires access to information or systems as part of their job. (CF.02.01.04-1, The Standard of Good Practice for Information Security, 2013)
  • There should be a documented requirement for access privileges to be revoked immediately when an authorized user leaves the organization. (CF.02.01.04-2, The Standard of Good Practice for Information Security, 2013)
  • A process for terminating the access privileges of users should be established to ensure that access rights are revoked promptly on all systems to which the user had access. (CF.06.01.09a-2, The Standard of Good Practice for Information Security, 2013)
  • A consistent method for securely handling the termination of relationships with external suppliers should be established, which includes revocation of physical and logical access rights to the organization's information. (CF.16.01.10c, The Standard of Good Practice for Information Security, 2013)
  • The organization should disable accounts immediately after an employee or contractor is terminated. (Critical Control 16.4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Employees, contractors and third party users must return all assets owned by the organization inside a defined and documented time frame once the employment, contract or agreement has been terminated. (IS-27, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Users who have changed jobs or left the organization should have their access rights removed immediately. (§ 11.2.1, ISO 27002 Code of practice for information security management, 2005)
  • Assets of the cloud service customer that are on the cloud service provider's premises should be removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement. (Annex A: § CLD.8.1.5 ¶ 2, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Processes are in place to remove physical access to facilities and protected information assets when an employee, contractor, vendor, or business partner no longer requires access. (CC6.4 ¶ 2 Bullet 2 Removes Physical Access, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Processes are in place to remove access to protected information assets when no longer required. (CC6.3 ¶ 2 Bullet 2 Removes Access to Protected Information Assets, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity's security policies include adding new users, modifying the Access levels of existing users, and removing users who no longer need Access. (Security Prin. and Criteria Table § 1.2 e, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system availability and related security policies include adding new users, modifying the Access levels of existing users, and removing users who no longer need Access. (Availability Prin. and Criteria Table § 1.2 e, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system processing integrity and related security policies include adding new users, modifying the Access levels of existing users, and removing users who no longer need Access. (Processing Integrity Prin. and Criteria Table § 1.2 e, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's policies related to the system's protection of confidential information and security include adding new users, modifying the Access levels of existing users, and removing users who no longer need Access. (Confidentiality Prin. and Criteria Table § 1.2 e, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The security program, in relation to protecting personal information, should include procedures for removing users who no longer need access to personal information. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The security program, in relation to protecting personal information, should include procedures for canceling access privileges when personnel are terminated. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Processes are in place to remove access to physical resources when an individual no longer requires access. (CC6.4 Removes Physical Access, Trust Services Criteria)
  • Processes are in place to remove access to protected information assets when an individual no longer requires access. (CC6.3 Removes Access to Protected Information Assets, Trust Services Criteria)
  • Processes are in place to remove access to protected information assets when an individual no longer requires access. (CC6.3 ¶ 2 Bullet 2 Removes Access to Protected Information Assets, Trust Services Criteria, (includes March 2020 updates))
  • Processes are in place to remove access to physical resources when an individual no longer requires access. (CC6.4 ¶ 2 Bullet 2 Removes Physical Access, Trust Services Criteria, (includes March 2020 updates))
  • For termination actions, revoke the individual's access to the designated storage locations for BES Cyber System Information, whether physical or electronic (unless already revoked according to Requirement R5.1), by the end of the next calendar day following the effective date of the termination act… (CIP-004-6 Table R5 Part 5.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-6, Version 6)
  • For reassignments or transfers, revoke the individual's authorized electronic access to individual accounts and authorized unescorted physical access that the Responsible Entity determines are not necessary by the end of the next calendar day following the date that the Responsible Entity determines… (CIP-004-6 Table R5 Part 5.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-6, Version 6)
  • For reassignments or transfers, revoke the individual's authorized electronic access to individual accounts and authorized unescorted physical access that the Responsible Entity determines are not necessary by the end of the next calendar day following the date that the Responsible Entity determines… (CIP-004-7 Table R5 Part 5.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • For termination actions, remove the individual's ability to use provisioned access to BCSI (unless already revoked according to Part 5.1) by the end of the next calendar day following the effective date of the termination action. (CIP-004-7 Table R6 Part 6.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • Passwords should be disabled when users are transferred, retire, or discharged or no longer need access to the data. (§ 2-15.h, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • CSR 1.10.3(3): The organization must notify security management of all terminations and revoke userIDs and passwords promptly. CSR 2.9.17: The organization must use mechanisms to automatically match personnel files with actual system users in order to remove transferred or terminated employees from … (CSR 1.10.3(3), CSR 2.9.17, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • When an individual who has access to a classified area is reassigned, terminated, or transferred, or his/her clearance level is suspended or revoked, his/her access authorization must be removed. (§ 5-313, § 8-303.f, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Procedures shall be implemented to terminate electronic protected health information access when the workforce member's employment ends or as required by determinations made in § 164.308(a)(3)(ii)(B). The covered entity shall assess these procedures to determine if it is a reasonable and appropriat… (§ 164.308(a)(3)(ii)(C), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The organization should immediately remove user account access when the user is no longer authorized to access the system. (Pg 5, FFIEC Guidance on Authentication in an Internet Banking Environment)
  • When an employee is terminated, his/her access should be immediately removed. (Pg 30, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should have procedures in place for immediately changing and/or revoking all physical and logical access controls when an employee is terminated for any reason. (Pg 34, FFIEC IT Examination Handbook - Operations, July 2004)
  • Exam Tier II Obj 8.2 Assess management's personnel policies regarding current employees in the funds transfer department. Determine if: ▪ Management obtains statements of indebtedness of employees in sensitive positions of the funds transfer function. ▪ Employees are subject to unannounced rotat… (Exam Tier II Obj 8.2, Exam Tier II Obj 9.2, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Use [Assignment: organization-defined automated mechanisms] to [Selection (one or more): notify [FedRAMP Assignment: access control personnel responsible for disabling access to the system] of individual termination actions; disable access to system resources]. (PS-4(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • User accounts must be disabled in a timely manner when no longer necessary. (§ 5.6.7, Exhibit 4 IA-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Is employee access removed promptly upon termination? (IT - General Q 20, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union notify security administrators when users are no longer authorized access to an application or system so that the user account access can be removed or suspended in a timely way? (IT- Authentication Q 36, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are user accounts disabled after employees job responsibilities change or when they leave the organization? (IT - Networks Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Use [Assignment: organization-defined automated mechanisms] to [Selection (one or more): notify [Assignment: organization-defined personnel or roles] of individual termination actions; disable access to system resources]. (PS-4(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Calls for Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The organization may need to invalidate the data and credentials on the personal identity verification (PIV) card before the expiration date due to the cardholder retiring, changing jobs, or being terminated or the card being lost, damaged, or stolen and needing to be replaced. When a card is invali… (§ 5.3.2, FIPS Pub 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, Change Notice 1)
  • (§ 3.11.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure the user accounts of terminated employees have been disabled and removed from the system in accordance with documented procedures. (AC-2.1, AC-2.5, PS-4.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization must revoke physical access and logical access to facilities and systems when an employee is terminated. (SG.PS-4 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must terminate all physical access and logical access at a defined frequency when the employee is terminated for cause. (SG.PS-4 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms to revoke access permissions after an employee is terminated. (SG.PS-4 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must manage Information System accounts by deactivating accounts of transferred users and terminated users. (App F § AC-2.h(ii), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Use [Assignment: organization-defined automated mechanisms] to [Selection (one or more): notify [Assignment: organization-defined personnel or roles] of individual termination actions; disable access to system resources]. (PS-4(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Use [Assignment: organization-defined automated mechanisms] to [Selection (one or more): notify [Assignment: organization-defined personnel or roles] of individual termination actions; disable access to system resources]. (PS-4(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Remove access privileges of former employees and contractors immediately. (Part I ¶ 4, California OPP Recommended Practices on Notification of Security Breach, May 2008)