Level 2
Description:
Protecting CUI during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, identification cards, system administration technical manuals, keys, and building passes. Exit interviews ensure that individuals who have been terminated understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics of interest at exit interviews can include reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and non-availability of supervisors. For termination actions, timely execution is essential for individuals terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals that are being terminated prior to the individuals being notified. This requirement applies to reassignments or transfers of individuals when the personnel action is permanent or of such extended durations as to require protection. Organizations define the CUI protections appropriate for the types of reassignments or transfers, whether permanent or extended. Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.
Priority: Medium
Category: Personnel Security
Domain: PERSONNEL SECURITY (PS)
Services Associated with AWS:
NA
Services Associated with Azure:
- Azure Security Center
- Azure Information Protection (AIP):
- Azure Active Directory (Azure AD)
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate Human Resources (HR) practices to screen individuals
- Administrative: supporting documentation to demonstrate how Identity & Access Management (IAM) practices are implemented
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of AD settings, or other IAM interface
Possible Technology Considerations :
NA
What needs to be answered :
Does the company disable information system access prior to employee termination or transfer? Does the company revoke authenticators/ credentials associated with the employee upon termination or transfer with in a certain time frame? Does the company retrieve all company information system-related property from the terminated or transferred employee within a certain timeframe? Does the company retain access to company information and information systems formerly controlled by the terminated or transferred employee within a certain timeframe? Does the company notify the information security office and data owner of the change in authorization within a certain timeframe? Are electronic and physical access permissions reviewed when employees are reassigned or transferred? (hours)
Checks for AWS
- Protection of CUI during and after Personnel Actions
Description: This check ensures that organizational systems containing Controlled Unclassified Information (CUI) are adequately protected during and after personnel actions, such as terminations and transfers. The protection measures include the proper handling of system-related property, conducting exit interviews, and implementing necessary security controls.
Checks for Azure
- Disable Information System Access upon Termination or Transfer:
Description: This policy ensures that information system access is disabled for employees upon termination or transfer. Implementation: You can use Azure Policy to check for specific Azure AD user properties like "accountEnabled" and set it to false when an employee's status changes to terminated or transferred. - Revoking Authenticators/Credentials upon Termination or Transfer:
Description: This policy ensures that authenticators and credentials associated with the employee are revoked within a certain time frame upon termination or transfer. Implementation: Use Azure Policy to enforce actions to revoke access keys, certificates, and other credentials when an employee's status changes. - Retrieving Company Information System-Related Property:
Description: This policy ensures that all company information system-related property is retrieved from terminated or transferred employees within a certain time frame. Implementation: Implement Azure Policy to track and enforce the return of hardware authentication tokens, identification cards, keys, etc., when an employee's status changes. - Retention of Access to Company Information:
Description: This policy ensures that the company retains access to information and information systems formerly controlled by terminated or transferred employees within a certain time frame. Implementation: Set up Azure Policy to ensure that relevant access rights and permissions are transferred or reassigned to appropriate personnel before the termination or transfer takes effect.
More Details:
IT support staff is notified of personnel action prior to action taking place so appropriate changes can be made securely.