The Personnel Security family is the tenth family in the NIST 800-171 standard. This family addresses the screening processes you have in place for employees, contractors and others who access your systems.
Why is Personnel Security important?
Much of our ability to build and maintain a secure system is based on the people we choose to trust. Employees, contractors, third-party vendors and others in our supply chain are trusted with access to our systems. We must make sure that these people are trustworthy and aware of our cybersecurity policies and procedures. We also need to ensure that each person who has access to our system has the correct level of access to perform their necessary job functions. If an individual has a higher level of access than is required, they may be able to harm the system, intentionally or unintentionally. We also need to remove access during the off-boarding process. A terminated or disgruntled employee who maintains access to our system can destroy, steal or block access to our assets.
What is Personnel Security about in NIST 800-171?
The Personnel Security family consists of only two controls. The focus of this family is on screening and access authorization policies for employees, contractors and others who should have access to your systems. The key points in this family are:
- Screening prior to authorizing access—Include a background check and other standard screening processes before granting anyone access to your systems. This is typically done pre-hire, during onboarding or prior to a contract award. Screening should also be ongoing.
- Terminating access during off-boarding processes—Terminate access or authorization immediately upon an employee exit or contract end.
- Modifying access authorizations based on need—Regularly assess access authorization needs for employees and contractors. Make any modifications needed because of a change in assignment or a transfer.
Check back for our next blog post and learn more about the Risk Assessment family. You may also be interested in reading our last post on Physical Protection.
—
Katherine Bennett leads the Instructional Design team for NCMEP partner NC State Industry Expansion Solutions. She also serves as project manager for instructional design services. Katherine plays a key leadership role in supporting the IES goal of providing instructional design and development expertise that complements the field-specific expertise of IES partners, while meeting the learning needs of target audiences. Katherine holds a bachelor’s degree in Computer Science from the University of North Carolina at Charlotte and a master’s degree in Instructional Technology from East Carolina University.