Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ps-7

third-party personnel security  

assessment objective:

Determine if the organization:

ps-7(a)  

establishes personnel security requirements, including security roles and responsibilities, for third-party providers;

ps-7(b)  

requires third-party providers to comply with personnel security policies and procedures established by the organization;

ps-7(c)  

documents personnel security requirements;

ps-7(d)  

ps-7(d)[1]

defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

ps-7(d)[2]

defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

ps-7(d)[3]

requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges; and

ps-7(e)  

monitors provider compliance.

potential assessment methods and objects:

Examine: [select from: Personnel security policy; procedures addressing third-party personnel security; list of personnel security requirements; acquisition documents; service-level agreements; compliance monitoring process; other relevant documents or records].

Interview: [select from: Organizational personnel with personnel security responsibilities; third-party providers; system/network administrators; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for managing and monitoring third-party personnel security; automated mechanisms supporting and/or implementing monitoring of provider compliance].