Updated: Oct 12, 2022
Part 9 of CampusGuard’s series covering each of the critical controls from NIST SP 800-171 rev.2
When performing IT security assessments, part of the engagement planning process includes providing the security committee with a list of all suggested departments and individuals that should be included in the assessment interviews. Almost always, when the committee sees Human Resource on the list, they question their involvement. This is an IT security review, what are we talking to HR about?
While they may not play a significant role in the assessment, the NIST SP 800-171 Security Requirement 9 regarding Personnel Security contains controls that must be implemented and, usually, only HR staff can answer them.
3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI.
Systems are only as secure as the users that access them. Employees may have access to systems and sensitive information that, if exposed, could cause significant damage to your organization’s reputation and/or bottom line. It is important to be cautious during the hiring process in order to help minimize the potential threat of employees maliciously stealing or damaging resources.
Job applicants and/or new employees should be screened and evaluated before they are granted any access to information systems. Background investigations can be conducted. Depending on the required level of access and the types of information, more in-depth screening should be performed. Specific data types may have more stringent requirements for screening based on applicable federal laws or regulatory standards. For example, the Payment Card Industry Data Security Standard (PCI DSS) Requirement 12.7 states that background checks must be performed on any prospective employee who will have access to the cardholder data environment. Employees who only have access to one card number at a time (i.e. store cashiers) are not required to go through background checks, but this is still recommended. The Cybersecurity Maturity Model (CMMC) requirements for screening individuals are largely dependent upon the level of sensitivity of the information the organization has, but can include credit checks, criminal background checks, education and certification checks, employment history, drug testing, references, and e-Verify (confirming the eligibility of employees to work in the US).
Organizations should have a clearly defined policy with procedures that outline the requirements for mandatory employee screening before permitting any access to information systems.
3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
This next requirement means that if an employee leaves the organization or moves to a different role or department within the organization, it is critical that access is immediately removed or reviewed. There have been many incidents reported in which a disgruntled terminated employee steals data from an organization or manipulates or damages systems on their way out.
Departmental procedures should clearly define a set time period that must be met for disabling system access. All credentials for a terminated employee should be immediately revoked, and in some situations, organizations may want to consider disabling system accounts prior to an individual being notified. Exit interviews should be conducted to communicate important security related information, like non-disclosure agreements. And proper personnel should be notified to collect any organizational assets the terminated employee may still have possession of like laptops, mobile phones, hardware authentication tokens, building door passes, or keys. It may be warranted to flag employees within the system accordingly so help desk staff, security guards, etc. know that an individual has been terminated and they do not re-grant access unknowingly.
In the case of a re-assignment or transfer within an organization, it is also important for employee access to be reviewed and ensure they only have the system access or privileges necessary for their new position. Managers may need to close out specific system accounts, establish new accounts based on their current role, and verify they can only access the least amount of information necessary to perform their job responsibilities. Building passes, keys, ID cards, etc. should be evaluated and re-issued as necessary.
Organizations should have clearly defined access agreements for internal systems, and all employees should be required to review and acknowledge their understanding of these agreements prior to being granted system access. These may include non-disclosure agreements, facility access agreements, acceptable use agreements, etc. and all agreements should be reviewed at least annually and updated as necessary. There should also be a process to review and audit access credentials and badge authorizations to verify employees are still assigned the correct level of access.
Other policies and processes should also be considered to help limit the potential risks associated with personnel behavior. For example, requiring separation of duties to accomplish a specific task related to sensitive information, or monitoring audit logs to identify any abnormal employee actions or access.
Personnel security includes reviewing and monitoring third-party access to your facilities and systems. Vendors may have staff coming onsite that have credentials and badges provided by your organization. Are you notified when third-party personnel changes are made, or employees are terminated? If possible, verify all third-party services providers comply with your organizational personnel security policies and procedures. Access to organizational information should not be granted until appropriate contracts and confidentiality agreements are in place that define access rights, roles, and responsibilities. Procedures should also define set time periods for access, and that access should be disabled when no longer needed. This applies to both onsite access and remote access. Verify your agreements require vendors to notify your organization of any transfers or terminations so badges and credentials can be revoked accordingly. Most importantly, ensure your organization is monitoring third-party service provider compliance.
Some additional guidance from the Security Advisor team:
[Burt]: Most of the customers I work with typically have good process for screening new hires and then providing these employees with the appropriate access. I’d say that the more difficult part is keeping track of terminated users’ access and especially access of users that remain with the institution but are transferred to another position/area. Most institutions have the “process” in place for assigning and removing user access, however, many don’t have this “documented.” This can cause issues with open accounts, but it also can affect the institution if/when an audit is performed. In other words, an auditor might hear, “yes, we do these things, but we don’t have anything documented as proof.”