Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ps-8

personnel sanctions  

assessment objective:

Determine if the organization:

ps-8(a)

employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;

ps-8(b)

ps-8(b)[1]

defines personnel or roles to be notified when a formal employee sanctions process is initiated;

ps-8(b)[2]

defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and

ps-8(b)[3]

notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

potential assessment methods and objects:

Examine: [select from: Personnel security policy; procedures addressing personnel sanctions; rules of behavior; records of formal sanctions; other relevant documents or records].

Interview: [select from: Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for managing personnel sanctions; automated mechanisms supporting and/or implementing notifications].