UCF ID: 01309
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Review or terminate accounts and access rights upon personnel job change and termination. [UCF Control ID 00788]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-1; CMS Core Security Requirements (CSR), Draft, § 1.10.4, § 2.2.15, § 2.8.1; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308(a)(3)(ii)(C); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PS-4.1; The Standard of Good Practice for Information Security, SM1.3.4, UE1.1.10
Banking and Finance Guidance
A disgruntled employee should be immediately removed from the facility and his/her computer access and access to the facility should be immediately revoked. [Pg C-1, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
Healthcare and Life Science Guidance
[§ 1.10.4, § 2.2.15, § 2.8.1, CMS Core Security Requirements (CSR), Draft]
[§ 164.308(a)(3)(ii)(C), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
NIST Guidance
Organizational records and documents should be examined to ensure the accounts of terminated users are revoked immediately. [PS-4.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
General Guidance
When employees no longer require access to confidential information, their access privileges should be revoked immediately. [SM1.3.4, UE1.1.10, The Standard of Good Practice for Information Security]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of computer user accounts closed that had been assigned to personnel who have left the organization or who no longer have a need for access. [UCF Control ID 02090]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
