Fred Cohen & Associates

10.9 Personnel Security

Copyright(c), 1995 - Management Analytics - All Rights Reserved

All DOC operating units shall comply with personnel security policies and procedures established by the "DOC Personnel Security Manual," DAO 207-2 and Section 9 of the "DOC IT Security Manual." These policies pertain to both federal and contractor personnel. At a minimum:

1. All IT related positions will be evaluated and assigned a sensitivity level and appropriate background investigations will be completed for individuals filling these positions;
2. Procedures will be established to ensure the screening of all individuals before they are allowed to participate in the design, operation or maintenance of sensitive IT systems, or are granted access to sensitive data. The level of screening required should vary from minimal checks to full background investigations, depending upon the sensitivity of the information to be handled and/or the risk and magnitude of loss or harm that could be caused by the individual;
3. Establish a process to grant access privileges based on a legitimate need to have system access. Individuals will be granted only the least possible privileges necessary for job performance. Privileges which have not been specifically granted will be specifically denied;
4. Where feasible, sensitive positions will be separated to preclude any one individual from gaining the opportunity to adversely affect the system. Procedural checks and balances must be defined and enforced so that accountability is established and security violations are detectable.
5. Establish a process for individual accountability for the proper use and security of the IT system(s) being accessed and ensure that all users are provided with periodic security awareness briefings, copies of system rules and are trained to fulfil their IT security responsibilities;
6. Establish a process to revoke access privileges in a timely manner when the requirement for access ceases (e.g., transfer, resignation, retirement, change of job description, etc.); and
7. Establish a process to immediately revoke access privileges to individuals being separated for adverse reasons on or just prior to notifying them of the pending action.