Applicable (Y)es / (N)o |
(C)onfidentiality |
(I)ntegrity |
(A)vailability |
RPN (C+I+A) |
(S)atisfactory |
||||||
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
(O)ther than satisfactory +## |
||
|
|
|
|
|
|
|
|
|
|
|
|
###
ps-8 |
personnel sanctions |
||
|
assessment objective: Determine if the organization: |
||
ps-8(a) |
employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; |
||
ps-8(b) |
ps-8(b)[1] |
defines personnel or roles to be notified when a formal employee sanctions process is initiated; |
|
ps-8(b)[2] |
defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and |
||
ps-8(b)[3] |
notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. |
||
potential assessment methods and objects: Examine: [select from: Personnel security policy; procedures addressing personnel sanctions; rules of behavior; records of formal sanctions; other relevant documents or records]. Interview: [select from: Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities]. Test: [select from: Organizational processes for managing personnel sanctions; automated mechanisms supporting and/or implementing notifications]. |