3.9 PERSONNEL SECURITY

3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers

By wnoble2005@gmail.com (William Noble) 📅 2024-03-02
NIST 800-171 rule 3.9.2 safeguards Controlled Unclassified Information (CUI) during employee transitions. Benefits include preventing unauthorized access after someone leaves or changes roles. It ensures accountability by clearly defining who has access. Implementation involves disabling accounts, collecting security tokens, and potentially conducting exit interviews to reinforce security obligations.
Protecting CUI during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, identification cards, system administration technical manuals, keys, and building passes. Exit interviews ensure that individuals who have been terminated understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics of interest at exit interviews can include reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and non-availability of supervisors. For termination actions, timely execution is essential for individuals terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals that are being terminated prior to the individuals being notified.

This requirement applies to reassignments or transfers of individuals when the personnel action is permanent or of such extended durations as to require protection. Organizations define the CUI protections appropriate for the types of reassignments or transfers, whether permanent or extended. Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

Benefits:

Reduced Risk of Data Breaches: By promptly revoking access upon termination or transfer, you minimize the chance that a departing employee, or one whose role has changed, retains access that could expose CUI, whether deliberately or inadvertently.

Improved Compliance: Following this control demonstrates adherence to NIST 800-171, a key requirement for organizations handling Controlled Unclassified Information (CUI).
Enhanced Accountability: Clear procedures ensure a smooth transition and track the return of CUI-related materials, reducing the risk of missing information.

Accountability:

Senior Management: Sets the tone by emphasizing security and holding everyone accountable. They ensure resources are available for proper termination/transfer procedures.

IT Security Team: Owns the process for disabling user accounts, access cards, and other system privileges upon termination or transfer. They work with system owners to ensure smooth transitions.

System Owners: Identify the CUI stored on their systems and understand user access needs. They work with IT security to ensure appropriate access changes during personnel actions.

Individual Users: Are responsible for the security of their credentials and notifying IT of any suspicious activity, especially during job transitions. They should cooperate with exit procedures like returning security tokens and equipment.

Implementation:

Define a Termination/Transfer Process: Develop a policy outlining steps for disabling user accounts, collecting badges, keys, and CUI materials upon termination or transfer.

Automate Access Revocation: Use automated tools to disable user accounts immediately upon termination notification, minimizing the window of vulnerability.

Conduct Exit Interviews: Reinforce security obligations and confirm the return of all CUI materials during exit interviews.

Regularly Review and Update: Periodically assess and update your procedures to adapt to evolving threats and personnel management practices.
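As an added example (not part of the original page), the following Python models the termination/transfer process described above: a termination disables the account and drops live sessions and privileges, a transfer replaces privileges and forces re-authentication, and any system-related property from the list above that was not returned, or an exit interview that could not be held, is recorded for follow-up. The in-memory directory, the property list and the log format are constructed stand-ins, not any real identity system's API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# System-related property that must be collected under 3.9.2 (constructed list
# based on the page's examples: tokens, ID cards, admin manuals, keys, passes).
SYSTEM_PROPERTY = ("hardware_token", "id_card", "admin_manuals", "keys", "building_pass")


@dataclass
class Account:
    user: str
    privileges: set
    enabled: bool = True
    sessions: int = 0  # live sessions that must be revoked on disable/reprivilege


@dataclass
class PersonnelAction:
    user: str
    kind: str  # "termination" or "transfer"
    returned: set = field(default_factory=set)  # property actually collected
    exit_interview: bool = True  # False for job abandonment, illness, etc.
    new_privileges: tuple = ()  # only meaningful for a transfer


def process_action(directory: dict, action: PersonnelAction) -> list:
    """Apply the action to the (constructed) directory; return audit log lines."""
    log = []
    acct = directory[action.user]
    ts = datetime.now(timezone.utc).isoformat()
    if action.kind == "termination":
        acct.enabled = False  # account disabled, ideally before notification
        acct.sessions = 0  # existing sessions no longer trusted
        acct.privileges.clear()
        log.append(f"{ts} DISABLED {action.user}")
        if not action.exit_interview:
            log.append(f"{ts} NO_EXIT_INTERVIEW {action.user}")
    elif action.kind == "transfer":
        acct.sessions = 0  # force re-authentication under the new authorizations
        acct.privileges = set(action.new_privileges)  # old privileges removed
        log.append(f"{ts} REPRIVILEGED {action.user} {sorted(acct.privileges)}")
    else:
        raise ValueError(f"unknown personnel action: {action.kind}")
    # Property not returned is an open accountability item for both action kinds.
    for item in SYSTEM_PROPERTY:
        if item not in action.returned:
            log.append(f"{ts} UNRETURNED {action.user} {item}")
    return log
```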
