StateRAMP and Personnel Security

As the old saying goes, the weakest link in any security system is the user. This isn’t an insult but rather a commentary on the impossibility of eliminating every vulnerability in a system that humans have to use daily. In terms of actually mitigating direct security threats associated with users, however, there can be no mincing of words. That’s why StateRAMP includes several critical security controls to address personnel security. 


Why Is Personnel Security Important?

Many approaches to cybersecurity focus on either external threats or system vulnerabilities. But internal threats, or those associated with employees or other personnel, are very real and very dangerous. That’s because a few critical situations open organizations to potential attacks or data loss. 

These situations include:

Because it is a complete security standard, adopting requirements from federal guidelines, StateRAMP includes several critical controls to manage personnel security. 


StateRAMP and Personnel Security Controls (PS)

StateRAMP is derived from FedRAMP, and as such it pulls select controls from that standard. This includes several controls from the Personnel Security (PS) family found in NIST Special Publication 800-53.

Furthermore, StateRAMP documentation designates which Impact Levels (Low, Low+, and Moderate) each control applies to.

These controls include:


Security Policies and Procedures (PS-1)

A compliant organization must create, produce, and disseminate clear policies and procedures around personnel risk. These policies should address specific risks and challenges relevant to the organization, data handling, and business operations. Furthermore, the organization should define and fill a designated role within the organization whose responsibility it is to maintain and update these policies and procedures as needed. This control is a requirement at every Impact Level within StateRAMP.


Position Risk Designation (PS-2)

Each and every position within the organization has the potential to expose it to risk. Therefore, PS-2 requires that the organization assign a risk category to all positions depending on their proximity to sensitive data and systems. Following that, the organization must establish screening criteria for each position, with more sensitive positions (those touching on PII or PHI, for example) requiring more extensive background checks. These risk categories must be regularly reviewed and updated based on changing security and organizational factors.

This control is only required at StateRAMP Moderate levels.


Personnel Screening (PS-3)

Organizations must conduct screening procedures for the positions outlined in PS-2. These screening methods may include background, agency, credit, referral, or identity verification checks. 

In addition, several control enhancements exist in this category, but they only come into play for federal agencies that may handle sensitive classified information.


Personnel Termination (PS-4)

If an employee is terminated, an organization must address any accounts or privileges associated with that user and their role. When an employee is terminated, the organization must:


The exit interview should not be a performance or company evaluation; instead, the organization must establish precise termination requirements, including reminders of non-disclosure obligations and the collection of credentials.


Personnel Transfer (PS-5)

Even if an employee is transferred within the organization (and is, obviously, still part of that organization), the organization must follow several critical security procedures. These include:


Access Agreements (PS-6)

All organizations must have access agreements that define and adjudicate how users interact with internal systems and data. Agreements can include NDAs, acceptable use documents, terms of service, and conflict-of-interest agreements. These agreements must be regularly reviewed and updated to reflect new operations and infrastructure, and the organization must retain records of personnel signatures.


External Personnel Security (PS-7)

For any vendor or MSP relationship involving external personnel and internal data or systems, the organization must have requirements and policies in place to protect that data. 

The specifics of this control include:


Personnel Sanctions (PS-8)

An organization must have consequences for individuals violating security requirements and agreements. These consequences must be communicated to the individual, independently documented, and available to that individual for review at any time. Additionally, if sanctions are enacted against personnel, that individual or individuals must be notified within a predetermined period.


Monitor Personnel Security Controls with Continuum GRC

You should always take personnel security seriously; if not for compliance, then simply to protect your critical assets. With the Continuum GRC Platform, you can identify, monitor, and maintain your PS controls in real time while managing StateRAMP compliance.

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
