Establish, implement, and maintain a personnel security program.

CONTROL ID: 10628
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a personnel management program., CC ID: 14018

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a personnel security policy., CC ID: 14025
  • Establish, implement, and maintain security clearance level criteria., CC ID: 00780
  • Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies., CC ID: 00782
  • Identify and watch individuals that pose a risk to the organization., CC ID: 10674

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Requirements relating to recruitment and selection of qualified staff and external contractors that define the framework for vetting and monitoring of personnel, taking into account the information security risk (Critical components of information security 1) 2) o., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening). (PR.IP-11, CRI Profile, v1.2)
  • The extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal audit function as a whole or, for internal auditors providing direct assistance, the existence of threats to the objectivity of those internal auditors… (¶ 2.155 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Impact Levels 4/5: CSP personnel supporting Level 4 and 5 cloud service offerings will meet the personnel security requirements and undergo background checks as defined in OPM policy IAW the FedRAMP Moderate baseline, the FedRAMP+ CEs related to personnel security, and DoD personnel security policie… (Section 5.6.2.2 ¶ 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Impact Level 2: CSP personnel supporting Level 2 cloud service offerings will meet the personnel security requirements and undergo background checks as defined in OPM policy IAW the FedRAMP Moderate baseline. As such the minimum background investigation required for CSP personnel having access to Le… (Section 5.6.2.2 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) (PR.IP-11, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) (PR.IP-11, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening). (PR.PO-P9, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PS-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the personnel security policy and associated personnel security controls. (PS-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PS-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the personnel security policy and associated personnel security controls. (PS-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PS-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the personnel security policy and associated personnel security controls. (PS-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PS-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the personnel security policy and associated personnel security controls. (PS-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)