Establish, implement, and maintain personnel status change and termination procedures.


CONTROL ID
06549
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a personnel management program., CC ID: 14018

This Control has the following implementation support Control(s):
  • Terminate user accounts when notified that an individual is terminated., CC ID: 11614
  • Terminate access rights when notified of a personnel status change or an individual is terminated., CC ID: 11826
  • Assign an owner of the personnel status change and termination procedures., CC ID: 11805
  • Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated., CC ID: 01309
  • Notify the security manager, in writing, prior to an employee's job change., CC ID: 12283
  • Notify all interested personnel and affected parties when personnel status changes or an individual is terminated., CC ID: 06677
  • Notify terminated individuals of applicable, legally binding post-employment requirements., CC ID: 10630
  • Update contact information of any individual undergoing a personnel status change, as necessary., CC ID: 12692
  • Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties., CC ID: 06676
  • Conduct exit interviews upon termination of employment., CC ID: 14290
  • Require terminated individuals to sign an acknowledgment of post-employment requirements., CC ID: 10631
  • Verify completion of each activity in the employee termination checklist when an individual is terminated., CC ID: 12449


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The procedures for cleaning up the files and directories after a user changes roles or departs should be included in the Standard Operating Procedures for the System Administrator. (Control: 0055 Table Row "User account management", Australian Government Information Security Manual: Controls)
  • The organization should conduct an audit of cryptographic system material whenever the administrative responsibility is handed over to or taken over by another individual. (Control: 0504 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should conduct an audit of the cryptographic system material whenever personnel with Access to the cryptographic system are changed. (Control: 0504 Bullet 2, Australian Government Information Security Manual: Controls)
  • The integration of all employees in the security process requires the assurance that the required security safeguards are followed when an employee leaves or switches jobs. (3.6 Bullet 6, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Withdrawal of authorisations (de-provisioning) in case of changes to the employment relationship (Section 5.7 IDM-01 Basic requirement ¶ 1 Bullet 5, Cloud Computing Compliance Controls Catalogue (C5))
  • Does the organization deactivate the access controls of an employee to the building and computer networks prior to the employee's termination? (Table Row IV.16, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • What other precautions are taken before or after an employee's termination? (Table Row IV.16, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • whether the commitments stipulate applying the precautionary principle; (Disclosure 2-23 ¶ 1(a)(iii), GRI 2: General Disclosures, 2021)
  • Take expedient actions regarding job changes, especially job terminations. Knowledge transfer should be arranged, responsibilities reassigned and access rights removed such that risks are minimised and continuity of the function is guaranteed. (PO7.8 Job Change and Termination, CobiT, Version 4.1)
  • Staff and external individuals should be required to document information related to processes (e.g., recently developed procedures, updated contact lists, or reports of current activities) upon termination of employment. (CF.02.01.08b, The Standard of Good Practice for Information Security)
  • A Process should be established for reassigning 'ownership' when owners leave or change roles. (CF.02.05.04c, The Standard of Good Practice for Information Security)
  • Staff and external individuals should be required to document information related to processes (e.g., recently developed procedures, updated contact lists, or reports of current activities) upon termination of employment. (CF.02.01.08b, The Standard of Good Practice for Information Security, 2013)
  • A Process should be established for reassigning 'ownership' when owners leave or change roles. (CF.02.05.04c, The Standard of Good Practice for Information Security, 2013)
  • Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented, and communicated. (HRS-04, Cloud Controls Matrix, v3.0)
  • Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be implemented as per established policies and procedures and based on user's change in status (… (IAM-11, Cloud Controls Matrix, v3.0)
  • Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment. (HRS-06, Cloud Controls Matrix, v4.0)
  • Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented and communicated. (HR-03, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. (A.7.3.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. (§ 7.3.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law. (PR.IP-11.3, CRI Profile, v1.2)
  • The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law. (PR.IP-11.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Each Responsible Entity shall implement one or more documented access revocation program(s) that collectively include each of the applicable requirement parts in CIP-004-6 Table R5 – Access Revocation. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Planning]. (B. R5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-6, Version 6)
  • Each Responsible Entity shall implement one or more documented access revocation program(s) that collectively include each of the applicable requirement parts in CIP-004-7 Table R5 – Access Revocation. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Planning]. (B. R5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the n… (B. R4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Is there a constituent termination or change of status process? (§ E.6, Shared Assessments Standardized Information Gathering Questionnaire - E. Human Resource Security, 7.0)
  • Is there a documented termination or change of status policy or process that has been approved by management? (§ E.6.1, Shared Assessments Standardized Information Gathering Questionnaire - E. Human Resource Security, 7.0)
  • Is there a documented termination or change of status policy or process that has an owner to maintain and review the policy? (§ E.6.1, Shared Assessments Standardized Information Gathering Questionnaire - E. Human Resource Security, 7.0)
  • Are access rights reviewed when a constituent changes roles? (§ H.2.7, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • The organization must include the following in the transfer and termination procedures: procedures for the exit interview; procedures for notifying security management of all terminations and for promptly revoking userIDs and passwords; procedures for returning keys, property, passes, and identifica… (CSR 1.10.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The security manager or the information assurance manager must ensure procedures exist for personnel to out process through the security section, including verification that individuals are still authorized Information System access and the permissions have not been revoked. (§ 3.3 ¶ AC33.025, DISA Access Control STIG, Version 2, Release 3)
  • Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. (PS.2.128, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. (PS.2.128, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. (PS.2.128, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. (PS.2.128, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. (PS.L2-3.9.2 Personnel Actions, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The agency shall start the appropriate actions, such as changing system accounts and establishing or closing accounts when personnel are transferred inside the agency. (§ 5.12.3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The service provider must define the actions to take for personnel transfers and personnel reassignments. (Column F: PS-5, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the actions to take for personnel transfers and personnel reassignments. (Column F: PS-5, FedRAMP Baseline Security Controls)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [FedRAMP Assignment: twenty-four (24) hours]; (PS-5b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Align account management processes with personnel termination and transfer processes. (AC-2l., FedRAMP Security Controls High Baseline, Version 5)
  • Initiate [Assignment: organization-defined transfer or reassignment actions] within [FedRAMP Assignment: twenty-four (24) hours]; (PS-5b., FedRAMP Security Controls High Baseline, Version 5)
  • Align account management processes with personnel termination and transfer processes. (AC-2l., FedRAMP Security Controls Low Baseline, Version 5)
  • Initiate [Assignment: organization-defined transfer or reassignment actions] within [FedRAMP Assignment: twenty-four (24) hours]; (PS-5b., FedRAMP Security Controls Low Baseline, Version 5)
  • Align account management processes with personnel termination and transfer processes. (AC-2l., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Initiate [Assignment: organization-defined transfer or reassignment actions] within [FedRAMP Assignment: twenty-four (24) hours]; (PS-5b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Align account management processes with personnel termination and transfer processes. (AC-2l., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Align account management processes with personnel termination and transfer processes. (AC-2l., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Align account management processes with personnel termination and transfer processes. (AC-2l., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Align account management processes with personnel termination and transfer processes. (AC-2l., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Align account management processes with personnel termination and transfer processes. (AC-2l., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Align account management processes with personnel termination and transfer processes. (AC-2l., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Align account management processes with personnel termination and transfer processes. (AC-2l., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must conduct exit interviews to verify that all property has been returned and the individual understands any security restraints imposed from being a former employee. (SG.PS-4 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers. (3.9.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. (3.9.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. (3.9.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must conduct exit interviews upon termination of employment. (App F § PS-4.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization takes {organizationally documented actions} when privileged role assignments are no longer appropriate. (AC-2(7)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. (IA-5j., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment terminates/revokes any authenticators/credentials associated with the individual. (PS-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment conducts exit interviews that include a discussion of {organizationally documented information security topics}. (PS-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization initiates {organizationally documented transfer or reassignment actions} within {organizationally documented time period following the formal transfer action}. (PS-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. (IA-5j., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment terminates/revokes any authenticators/credentials associated with the individual. (PS-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment conducts exit interviews that include a discussion of {organizationally documented information security topics}. (PS-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization initiates {organizationally documented transfer or reassignment actions} within {organizationally documented time period following the formal transfer action}. (PS-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. (IA-5j., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment terminates/revokes any authenticators/credentials associated with the individual. (PS-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment conducts exit interviews that include a discussion of {organizationally documented information security topics}. (PS-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization initiates {organizationally documented transfer or reassignment actions} within {organizationally documented time period following the formal transfer action}. (PS-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. (IA-5j., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment terminates/revokes any authenticators/credentials associated with the individual. (PS-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization, upon termination of individual employment conducts exit interviews that include a discussion of {organizationally documented information security topics}. (PS-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization initiates {organizationally documented transfer or reassignment actions} within {organizationally documented time period following the formal transfer action}. (PS-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Align account management processes with personnel termination and transfer processes. (AC-2l., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Align account management processes with personnel termination and transfer processes. (AC-2l., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., TX-RAMP Security Controls Baseline Level 1)
  • Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; (PS-5b., TX-RAMP Security Controls Baseline Level 2)