| Applicable (Y)es / (N)o | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory |
|---|---|---|---|---|---|
| | L1 / M2 / H3 | L1 / M2 / H3 | L1 / M2 / H3 | | |

### PS-5 Personnel Transfer

Assessment objective: Determine if the organization:

| ID | Assessment objective |
|---|---|
| PS-5(a) | when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current: |
| PS-5(a)[1] | logical access authorizations to information systems; |
| PS-5(a)[2] | physical access authorizations to information systems and facilities; |
| PS-5(b)[1] | defines transfer or reassignment actions to be initiated following transfer or reassignment; |
| PS-5(b)[2] | defines the time period within which transfer or reassignment actions must occur following transfer or reassignment; |
| PS-5(b)[3] | initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment; |
| PS-5(c) | modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; |
| PS-5(d)[1] | defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization; |
| PS-5(d)[2] | defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and |
| PS-5(d)[3] | notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization. |

Potential assessment methods and objects:

- Examine: [select from: Personnel security policy; procedures addressing personnel transfer; security plan; records of personnel transfer actions; list of information system and facility access authorizations; other relevant documents or records].
- Interview: [select from: Organizational personnel with personnel security responsibilities; organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities].
- Test: [select from: Organizational processes for personnel transfer; automated mechanisms supporting and/or implementing personnel transfer notifications; automated mechanisms for disabling information system access/revoking authenticators].