10.9 Personnel Security
Copyright(c), 1995 - Management Analytics - All Rights Reserved
All DOC operating units shall comply with personnel security
policies and procedures established by the "DOC Personnel Security
Manual," DAO 207-2 and Section 9 of the "DOC IT Security Manual." These
policies pertain to both federal and contractor personnel. At a
minimum:
1. All IT related positions will be evaluated and assigned
a sensitivity level and appropriate background
investigations will be completed for individuals
filling these positions;
2. Procedures will be established to ensure the screening
of all individuals before they are allowed to
participate in the design, operation or maintenance of
sensitive IT systems, or are granted access to
sensitive data. The level of screening required should
vary from minimal checks to full background
investigations, depending upon the sensitivity of the
information to be handled and/or the risk and magnitude
of loss or harm that could be caused by the individual;
3. Establish a process to grant access privileges based on
a legitimate need to have system access. Individuals
will be granted only the least possible privileges
necessary for job performance. Privileges which have
not been specifically granted will be specifically
denied;
4. Where feasible, sensitive positions will be separated
to preclude any one individual from gaining the
opportunity to adversely affect the system. Procedural
checks and balances must be defined and enforced so
that accountability is established and security
violations are detectable;
5. Establish a process for individual accountability for
the proper use and security of the IT system(s) being
accessed and ensure that all users are provided with
periodic security awareness briefings, copies of system
rules and are trained to fulfil their IT security
responsibilities;
6. Establish a process to revoke access privileges in a
timely manner when the requirement for access ceases
(e.g., transfer, resignation, retirement, change of job
description, etc.); and
7. Establish a process to immediately revoke access
privileges to individuals being separated for adverse
reasons on or just prior to notifying them of the
pending action.