This is the ninth of a fourteen piece blog series intended to describe how Ascolta Greenfield environments achieve National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1, Protecting Controlled Unclassified Information in Non-federal Systems, compliance. This entry covers the controls contained in the Personnel Security Policy and Procedures family.
What is it?
Users play a vital role in protecting a system as many important issues in information security involve users, designers, implementers, and managers. How these individuals interact with the system and the level of access they need to do their jobs can also impact the system’s security posture. Almost no system can be secured without properly addressing these aspects of personnel security.
Personnel security seeks to minimize the risk that staff (permanent, temporary, or contractor) pose to company assets through the malicious use or exploitation of their legitimate access to the company’s resources. A company’s status and reputation can be damaged by the actions of its employees. Employees may have access to extremely sensitive or proprietary information, the disclosure of which can destroy an organization’s reputation or cripple it financially. Companies should be vigilant when recruiting and hiring new employees, as well as when an employee transfers or is terminated.
The sensitive nature and value of company assets require in-depth personnel security measures. Examples of personnel requirements include personnel screening, personnel termination, personnel transfer, access agreements, and personnel sanctions. Companies should ensure that individuals occupying positions of responsibility within the company (including third-party service providers) are trustworthy and meet established security criteria for those positions; ensure that company information and systems are protected during and after personnel actions such as terminations and transfers; and employ formal sanctions for personnel failing to comply with company security policies and procedures.
How does Greenfield solve it?
Greenfield provides Personnel Security by requiring client Administrators to be responsible for properly categorizing the positions held by their employees and contractors prior to granting access to systems hosted in Greenfield. Administrators are responsible for properly screening personnel; developing access agreements for their systems; managing any third-party security personnel to whom they grant access; employing personnel sanctions for those to whom they grant access; and properly terminating access for personnel to whom they have granted access.
Greenfield provides a draft personnel policy to assist you in satisfying this objective and has designed the onboarding process to easily capture the required information and ensure you meet the requirements.
Within the Greenfield System, AWS has developed a formal, documented personnel security policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The policy is reviewed on an annual basis.