compliance controls are associated with this Policy definition 'Clear personnel with access to classified information' (c42f19c9-5d88-92da-0742-371a0ea03126)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
PS-3 |
FedRAMP_High_R4_PS-3 |
FedRAMP High PS-3 |
Personnel Security |
Personnel Screening |
Shared |
n/a |
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
Supplemental Guidance: Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2.
References: 5 C.F.R. 731.106; FIPS Publications 199, 201; NIST Special Publications 800-60, 800-73, 800-76, 800-78; ICD 704. |
link |
3 |
| FedRAMP_Moderate_R4 |
PS-3 |
FedRAMP_Moderate_R4_PS-3 |
FedRAMP Moderate PS-3 |
Personnel Security |
Personnel Screening |
Shared |
n/a |
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
Supplemental Guidance: Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2.
References: 5 C.F.R. 731.106; FIPS Publications 199, 201; NIST Special Publications 800-60, 800-73, 800-76, 800-78; ICD 704. |
link |
3 |
| hipaa |
0105.02a2Organizational.1-02.a |
hipaa-0105.02a2Organizational.1-02.a |
0105.02a2Organizational.1-02.a |
01 Information Protection Program |
0105.02a2Organizational.1-02.a 02.01 Prior to Employment |
Shared |
n/a |
Risk designations are assigned for all positions within the organization as appropriate, with commensurate screening criteria, and reviewed/revised every 365 days. |
|
6 |
| hipaa |
0106.02a2Organizational.23-02.a |
hipaa-0106.02a2Organizational.23-02.a |
0106.02a2Organizational.23-02.a |
01 Information Protection Program |
0106.02a2Organizational.23-02.a 02.01 Prior to Employment |
Shared |
n/a |
The pre-employment process is reviewed by recruitment to ensure security roles/responsibilities are specifically defined (in writing) and clearly communicated to job candidates. |
|
4 |
| hipaa |
1432.05k1Organizational.89-05.k |
hipaa-1432.05k1Organizational.89-05.k |
1432.05k1Organizational.89-05.k |
14 Third Party Assurance |
1432.05k1Organizational.89-05.k 05.02 External Parties |
Shared |
n/a |
The organization ensures a screening process is carried out for contractors and third-party users, and, where contractors are provided through an organization, the contract with the organization clearly specifies (i) the organization's responsibilities for screening and the notification procedures they need to follow if screening has not been completed, or if the results give cause for doubt or concern; and, (ii) all responsibilities and notification procedures for screening. |
|
7 |
| ISO27001-2013 |
A.7.1.1 |
ISO27001-2013_A.7.1.1 |
ISO 27001:2013 A.7.1.1 |
Human Resources Security |
Screening |
Shared |
n/a |
Background verification checks for all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. |
link |
3 |
|
mp.per.1 Job characterization |
mp.per.1 Job characterization |
404 not found |
|
|
|
n/a |
n/a |
|
41 |
| NIST_SP_800-171_R2_3 |
.9.1 |
NIST_SP_800-171_R2_3.9.1 |
NIST SP 800-171 R2 3.9.1 |
Personnel Security |
Screen individuals prior to authorizing access to organizational systems containing CUI. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Personnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions. |
link |
2 |
| NIST_SP_800-53_R4 |
PS-3 |
NIST_SP_800-53_R4_PS-3 |
NIST SP 800-53 Rev. 4 PS-3 |
Personnel Security |
Personnel Screening |
Shared |
n/a |
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
Supplemental Guidance: Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2.
References: 5 C.F.R. 731.106; FIPS Publications 199, 201; NIST Special Publications 800-60, 800-73, 800-76, 800-78; ICD 704. |
link |
3 |
| NIST_SP_800-53_R5 |
PS-3 |
NIST_SP_800-53_R5_PS-3 |
NIST SP 800-53 Rev. 5 PS-3 |
Personnel Security |
Personnel Screening |
Shared |
n/a |
a. Screen individuals prior to authorizing access to the system; and
b. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening]. |
link |
3 |
| PCI_DSS_v4.0 |
12.7.1 |
PCI_DSS_v4.0_12.7.1 |
PCI DSS v4.0 12.7.1 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Personnel are screened to reduce risks from insider threats |
Shared |
n/a |
Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources. |
link |
3 |
| SWIFT_CSCF_v2022 |
5.3A |
SWIFT_CSCF_v2022_5.3A |
SWIFT CSCF v2022 5.3A |
5. Manage Identities and Segregate Privileges |
To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT environment by performing regular staff screening. |
Shared |
n/a |
Staff operating the local SWIFT infrastructure are screened prior to initial appointment in that role and periodically thereafter. |
link |
5 |