The controls and activities in the Personnel security (PS) family support the procedures required to ensure that all personnel who have access to systems have the necessary authorizations as well as the appropriate security screening levels. They ensure that organizational information and systems are protected during and after personnel actions such as terminations and transfers.
PS-01 Personnel security policy and procedures
Activity
- Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
  - [Selection (1 or more): Organization-level; Mission/business process-level; System-level] personnel security policy that:
    - addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
    - is consistent with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines
  - procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls
- Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures
- Review and update the current personnel security:
  - policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
  - procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
Discussion
Personnel security policy and procedures for the controls in the PS family are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development.
In general, security and privacy program policies and procedures at the organization level are preferable and may remove the need for mission-level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations.
Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents.
Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Related controls and activities
PM-09, PS-08, SI-02, SI-12.
Enhancements
None.
References
- TBS Directive on Security Screening
- TBS Directive on Security Management, Appendix A: Mandatory Procedures for Security Screening Control
- TBS Directive on Security Management: Appendix F: Mandatory Procedures for Security in Contracts and Other Arrangements Control
- PSPC Contract Security Manual
PS-02 Position security analysis
Control
- Determine the security screening requirements of all organizational positions
- Establish screening criteria for individuals filling those positions
- Review and update position security screening requirements [Assignment: organization-defined frequency]
Discussion
Security screening requirements reflect TBS policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The criteria for determining security screening requirements are established in accordance with the Position Analysis Tool and guidance issued by TBS. The level of security screening and access permissions are determined by the duties to be performed, the sensitivity of information, assets, or facilities to be accessed, the level of authority or control exercised by the position, and the degree of injury that could result from compromise of sensitive information, assets, or facilities to be accessed. The results of the position security analysis determine what level of inquiries, verifications, and assessments are conducted for a position.
Related controls and activities
AC-05, AT-03, PE-02, PE-03, PL-02, PS-03, PS-06, SA-05, SA-21, SI-12.
Enhancements
None.
References
- TBS Directive on Security Screening
- TBS Standard on Security Screening, Appendix B: Security Screening Model and Criteria
PS-03 Personnel screening
Control
- Screen individuals prior to authorizing access to the system
- Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening]
Discussion
Personnel screening and rescreening activities reflect applicable laws, Orders in Council, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.
Related controls and activities
AC-02, IA-04, MA-05, PE-02, PM-12, PS-02, PS-06, PS-07, SA-21.
Enhancements
- (01) Personnel screening: Classified information
  - Verify that individuals accessing a system that processes, stores, or transmits classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
  - Discussion: None.
  - GC discussion: Classified information is the most sensitive information that the GC processes, stores, or transmits. It is imperative that individuals have the requisite security clearances and system access authorizations prior to gaining access to such information. Access authorizations are enforced by system access controls (see AC-03) and flow controls (see AC-04).
  - Related controls and activities: AC-03, AC-04.
- (02) Personnel screening: Formal indoctrination
  - Verify that individuals accessing a system that processes, stores, or transmits types of classified information that require formal indoctrination are formally indoctrinated for all the relevant types of information to which they have access on the system.
  - Discussion: None.
  - GC discussion: Types of classified information that require formal indoctrination include Special Access Program (SAP), Restricted Data (RD), and SCI.
  - Related controls and activities: AC-03, AC-04.
- (03) Personnel screening: Information requiring special protective measures
  - Verify that individuals accessing a system that processes, stores, or transmits information requiring special protection:
    - have valid access authorizations that are demonstrated by assigned official government duties
    - satisfy [Assignment: organization-defined additional personnel screening criteria]
  - Discussion: None.
  - GC discussion: Organizational information that requires special protection includes protected information. Personnel security criteria include position sensitivity background screening requirements.
  - Related controls and activities: None.
- (04) Personnel screening: Citizenship requirements
  - Verify that individuals accessing a system that processes, stores, or transmits [Assignment: organization-defined information types] meet [Assignment: organization-defined citizenship requirements].
  - Discussion: None.
  - Related controls and activities: None.
References
- TBS Policy on Government Security
- PSPC Contract Security Manual
- TBS Directive on Security Management, Appendix A: Mandatory Procedures for Security Screening Control
- TBS Directive on Security Screening
- TBS Directive on Security Screening, Appendix A: Standard on Security Screening Model and Position Analysis
- Foreign Interference and Security of Information Act
- Security of Information Act (SOIA)
PS-04 Personnel termination
Control
Upon termination of individual employment:
- disable system access within [Assignment: organization-defined time period]
- terminate or revoke any authenticators and credentials associated with the individual
- conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics]
- retrieve all security-related, organizational system-related property
- retain access to organizational information and systems formerly controlled by the terminated individual
Discussion
System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of non-disclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment.
The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations should consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.
GC discussion
Exit interviews are important for individuals with security clearances. CSOs or delegated officials, in consultation with human resources advisors, must develop procedures and ensure that debriefings and reclamations are scheduled and conducted as a component of the overall termination process. The Security Screening Certificate and Screening Form is used to record that termination procedures have been completed.
Related controls and activities
AC-02, IA-04, PE-02, PM-12, PS-06, PS-07.
Enhancements
- (01) Personnel termination: Post-employment requirements
  - Notify terminated individuals of applicable, legally binding, post-employment requirements for the protection of organizational information
  - Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process
  - Discussion: None.
  - GC discussion: In accordance with the TBS standard, terminated individuals shall receive a formal debriefing to remind them of their continuing responsibilities to maintain the confidentiality of the sensitive information to which they have had access.
  - Related controls and activities: None.
- (02) Personnel termination: Automated actions
  - Use [Assignment: organization-defined automated mechanisms] to [Selection (1 or more): notify [Assignment: organization-defined personnel or roles] of individual termination actions; disable access to system resources].
  - Discussion: In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications, or if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including via telephone, email, text message, or websites. Automated mechanisms can also be employed to quickly and thoroughly disable access to system resources after an employee is terminated.
  - Related controls and activities: None.
- (400) Personnel termination: Permanently bound to secrecy
  - Forward data on the form Record of a Person in a Scheduled Department or Agency Under the Security of Information Act (SOIA) to the Canadian Security Intelligence Service (CSIS).
  - Discussion: None.
  - GC discussion: As part of the departmental security exit process, if the departing member or employee has not already been entered into the CSIS central registry, the scheduled department should proceed by forwarding the data to CSIS. A departing person who was not previously designated as a person permanently bound to secrecy during the course of their employment can be designated as such upon termination, if it is assessed that it is in the interest of national security. If a decision is made to recommend to the deputy head that a former member or employee be designated, procedures for designation by notice shall be followed.
  - Related controls and activities: None.
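The termination actions in the PS-04 control (disable access within the organization-defined time period, revoke authenticators) and the automated disabling described in enhancement (02) can be verified by reconciling the HR termination feed against the account directory. The following script is an added example, not part of the catalogue or any GC tool; the people, field names, directory snapshot and the 24-hour disable window are all constructed assumptions.

```python
"""Added example (not from the GC control catalogue or any GC tool): reconcile a
constructed HR termination feed against a constructed account-directory
snapshot to check PS-04 termination actions. Field names, the sample people
and the 24-hour disable window are assumptions, not catalogue requirements."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Organization-defined time period for disabling access (assumed value).
DISABLE_WINDOW = timedelta(hours=24)


@dataclass
class Account:
    user_id: str
    disabled_at: Optional[datetime]                       # None: still enabled
    credentials: list[str] = field(default_factory=list)  # authenticators still valid


@dataclass
class Termination:
    user_id: str
    effective_at: datetime
    for_cause: bool = False


# Constructed HR termination feed (sample data, not real people).
TERMINATIONS = [
    Termination("alice", datetime(2024, 3, 1, 9, 0)),
    Termination("bob", datetime(2024, 3, 1, 9, 0), for_cause=True),
    Termination("carol", datetime(2024, 3, 2, 17, 0)),
]

# Constructed directory snapshot, as of SNAPSHOT_TIME.
SNAPSHOT_TIME = datetime(2024, 3, 4, 8, 0)
DIRECTORY = {
    "alice": Account("alice", datetime(2024, 3, 1, 15, 0)),
    "bob": Account("bob", None, ["smartcard-7781", "ssh-key-ab12"]),
    "carol": Account("carol", datetime(2024, 3, 3, 20, 0), ["vpn-token-31"]),
}


def evaluate(terminations, directory, now):
    """Return {user_id: [issues]} for terminations whose actions are incomplete."""
    findings = {}
    for t in terminations:
        issues = []
        acct = directory.get(t.user_id)
        deadline = t.effective_at + DISABLE_WINDOW
        if acct is None:
            issues.append("no directory record")
        else:
            if acct.disabled_at is None:
                if t.for_cause:
                    issues.append("for-cause termination: disable immediately")
                issues.append("still enabled past deadline" if now > deadline
                              else "still enabled within window")
            elif acct.disabled_at > deadline:
                issues.append("disabled late")
            if acct.credentials:
                # PS-04 also requires revoking authenticators, not only the account.
                issues.append("credentials not revoked: " + ", ".join(acct.credentials))
        if issues:
            findings[t.user_id] = issues
    return findings


if __name__ == "__main__":
    for user, issues in evaluate(TERMINATIONS, DIRECTORY, SNAPSHOT_TIME).items():
        print(user, "->", "; ".join(issues))
```

Run periodically against the real feeds, the findings dictionary is what an automated mechanism under enhancement (02) would turn into notifications to the organization-defined roles.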
References
- TBS Policy on Government Security
- TBS Directive on Security Screening
- TBS Directive on Security Screening, Appendix A: Standard on Security Screening Model and Position Analysis
- TBS Directive on Security Screening, Appendix G: Mandatory Procedures for Granting, Ongoing Maintenance and Assurance of the Security Screening of an Individual
- Foreign Interference and Security of Information Act
- Security of Information Act (SOIA)
- TBS Directive on Security Management, Appendix A: Mandatory Procedures for Security Screening Control
- TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
- TBS Directive on Security Management, Appendix C: Mandatory Procedures for Physical Security Control
PS-05 Personnel transfer
Control
- Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization
- Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]
- Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer
- Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]
Discussion
Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing access to official records to which individuals had access at previous work locations and in previous system accounts.
Related controls and activities
AC-02, IA-04, PE-02, PM-12, PS-04, PS-07.
Enhancements
- (400) Personnel transfer: Security clearance
  - Accept the security status or clearance of the individual when the required one is at the same or lesser level previously granted
  - Redo the security screening when:
    - the results are over 5 years old
    - there is evidence to suggest that the security screening was not done in accordance with the TBS Directive on Security Screening
    - there is a security waiver attached to the status or clearance
    - law enforcement inquiries or security assessment results have been removed from the individual’s file
    - there is adverse information in the individual’s file that may pose a security risk to the receiving department or agency
  - Discussion: None.
  - GC discussion: When enhanced screening is required for the new position, security screening will be reviewed accordingly. There may be a need to conduct additional inquiries, verification, or assessments to comply with the status or clearance requirements.
  - Related controls and activities: PS-03.
References
- TBS Directive on Security Screening
- TBS Directive on Security Screening, Appendix G: Mandatory Procedures for Granting, Ongoing Maintenance and Assurance of the Security Screening of an Individual
- TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
- TBS Directive on Security Management, Appendix C: Mandatory Procedures for Physical Security Control
PS-06 Access agreements
Control
- Develop and document access agreements for organizational systems
- Review and update the access agreements [Assignment: organization-defined frequency]
- Verify that individuals requiring access to organizational information and systems:
  - sign appropriate access agreements prior to being granted access
  - re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [Assignment: organization-defined frequency]
Discussion
Access agreements include non-disclosure agreements, acceptable use agreements, rules of behaviour, and conflict-of-interest agreements. Signed access agreements include an acknowledgment that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.
Related controls and activities
AC-17, PE-02, PL-04, PS-02, PS-03, PS-06, PS-07, PS-08, SA-21, SI-12.
Enhancements
- (01) Access agreements: Information requiring special protection
  - Withdrawn: incorporated into PS-03.
- (02) Access agreements: Classified information requiring special protection
  - Verify that access to classified information requiring special protection is granted only to individuals who:
    - have a valid access authorization that is demonstrated by assigned official government duties
    - satisfy associated personnel security criteria
    - have read, understood, and signed a non-disclosure agreement
  - Discussion: None.
  - GC discussion: Classified information that requires special protection includes collateral information, SAP information, and SCI. Personnel security criteria reflect applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines.
  - Related controls and activities: None.
- (03) Access agreements: Post-employment requirements
  - Notify individuals of applicable, legally binding, post-employment requirements for protection of organizational information
  - Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information
  - Discussion: Organizations comply with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines regarding matters of post-employment requirements on terminated individuals.
  - Related controls and activities: PS-04.
References
- TBS Directive on Security Screening, Appendix F: Aftercare
PS-07 External personnel security
Control
- Establish personnel security requirements, including security roles and responsibilities for external providers
- Require external providers to comply with personnel security policies and procedures established by the organization
- Document personnel security requirements
- Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]
- Monitor provider compliance with personnel security requirements
- The organization ensures security screening of private-sector organizations and individuals who have access to Protected and Classified information, assets, and facilities in accordance with the TBS Standard on Security Screening
- The organization explicitly defines government oversight and end-user roles and responsibilities relative to third-party-provided services in accordance with the TBS Directive on Security Management: Appendix F: Mandatory Procedures for Security in Contracts and Other Arrangements Control
Discussion
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, IT services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations.
Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.
Related controls and activities
AT-02, AT-03, MA-05, PE-03, PS-02, PS-03, PS-04, PS-05, PS-06, SA-05, SA-09, SA-21.
Enhancements
None.
References
- TBS Standard on Security Screening
- TBS Directive on Security Management: Appendix F: Mandatory Procedures for Security in Contracts and Other Arrangements Control
PS-08 Personnel sanctions
Control
- Employ a formal sanctions process for individuals who fail to comply with established information security and privacy policies and procedures
- Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction
Discussion
None.
GC discussion
Organizational sanctions reflect applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations should consult with TBS regarding matters of employee sanctions.
Related controls and activities
PL-04, PM-12, PS-06, PT-01.
Enhancements
None.
References
PS-09 Position descriptions
Activity
Incorporate security and privacy roles and responsibilities into organizational position descriptions.
Discussion
Specifying security and privacy roles in individual organizational position descriptions helps clarify the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles.
Related controls and activities
None.
Enhancements
None.
References
- TBS Directive on Classification, Appendix B: Standard on Classification