PS – Personnel Security

The RMF Control Family PS, Personnel Security, addresses the need for organizations to protect their information systems from insider threats. Insider threats can be caused by employees, contractors, or other individuals who have authorized access to information systems but use that access for malicious purposes.

Controls in the PS Security Control Family

The PS Security Control Family includes the following controls:

  • PS-1: Personnel Security Policy and Procedures: This control requires organizations to develop and implement a personnel security policy and procedures. This policy should define the roles and responsibilities for personnel security, and the process for screening and managing employees and other individuals who have access to information systems.
  • PS-2: Position Risk Designation: This control requires organizations to designate the risk level of each position within the organization. This risk designation should be based on the level of access that the position has to information systems and the sensitivity of the data that the position has access to.
  • PS-3: Personnel Screening: This control requires organizations to screen employees and other individuals who have access to information systems. This screening may include background checks, credit checks, and drug testing.
  • PS-4: Personnel Termination: This control requires organizations to have a process in place for terminating employees and other individuals who have access to information systems. This process should include deactivating accounts and retrieving access badges and other credentials.
  • PS-5: Personnel Transfer: This control requires organizations to have a process in place for transferring employees and other individuals who have access to information systems to new positions. This process should include verifying that the individual has the necessary permissions for the new position and that they have been briefed on the security requirements of the new position.
  • PS-6: Access Agreements: This control requires organizations to have access agreements in place for employees and other individuals who have access to information systems. These access agreements should define the terms and conditions of access, including the types of data that the individual is authorized to access and the purposes for which the data can be used.
  • PS-7: Third-Party Personnel Security: This control requires organizations to have a process in place for managing the security of third-party personnel who have access to information systems. This process should include verifying that the third-party personnel have been screened and that they have been briefed on the security requirements of the organization.

Benefits of Implementing the PS Security Control Family

There are a number of benefits to implementing the PS Security Control Family, including:

  • Reduced risk of insider threats: The PS Security Control Family helps to reduce the risk of insider threats by ensuring that organizations have a process in place for screening and managing employees and other individuals who have access to information systems.
  • Compliance: The PS Security Control Family can help organizations comply with applicable laws and regulations, such as the Federal Information Security Management Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA).
  • Increased trust: By implementing the PS Security Control Family, organizations can demonstrate to their customers and partners that they are taking steps to protect their information from insider threats.

How to Implement the PS Security Control Family

To implement the PS Security Control Family, organizations should follow these steps:

  1. Develop a personnel security policy and procedures. This policy should define the roles and responsibilities for personnel security, and the process for screening and managing employees and other individuals who have access to information systems.
  2. Designate the risk level of each position within the organization. This risk designation should be based on the level of access that the position has to information systems and the sensitivity of the data that the position has access to.
  3. Screen employees and other individuals who have access to information systems. This screening may include background checks, credit checks, and drug testing.
  4. Implement a process for terminating employees and other individuals who have access to information systems. This process should include deactivating accounts and retrieving access badges and other credentials.
  5. Implement a process for transferring employees and other individuals who have access to information systems to new positions. This process should include verifying that the individual has the necessary permissions for the new position and that they have been briefed on the security requirements of the new position.
  6. Have access agreements in place for employees and other individuals who have access to information systems