Time
1 hour 27 minutes
Difficulty
Intermediate
CEU/CPE
2

Video Description

This lesson covers Domain 11, personnel security. This only has basic security requirements: 3.9.1 and 3.9.2. There are no derived security requirements.

Video Transcription

00:04
Okay, next is Domain: Personnel Security. This one is short and sweet. Ah, this is the only one where we have basic security requirements and no derived security requirements. So our basic security requirements are: screen individuals prior to authorizing access to systems
00:22
with controlled unclassified information.
00:25
So how might we screen these individuals? Well, we'll check references, we'll do a background check, we'll check their security clearance, maybe their certifications, whatever that may be. But before giving access to a system with sensitive information, we have to screen those individuals.
00:44
The second:
00:46
ensure that CUI and systems containing CUI are protected during and after personnel actions such as terminations and transfers. You know, terminations could be a very delicate situation. And many times the termination could be,
01:06
um,
01:07
uh, you know, an amicable termination, if you would, uh, or sometimes these things can be contentious. But the bottom line is we need to have good personnel policy in place. How do we handle a termination that is contentious?
01:23
You know? Well, one of the things that we do is we terminate their credentials,
01:27
and we want that to be in line with the point in time of termination. So I don't want to revoke credentials at eight when the termination's gonna happen at noon. I also don't want the reverse to be true. I need to make sure that once the individual has been notified of his termination,
01:45
then those credentials should immediately have been revoked.
01:49
Um,
01:51
and really, that's true with amicable terminations as well. You know, once the termination process begins, then credentials are revoked. You know, this may be the type of element where sometimes someone's leaving the organization and they give notice.
02:07
Well, in that instance, what we might want to do is create maybe a temporary account with somewhat limited access.
02:14
One of the things that I've certainly found is once people give notice, they sort of check out mentally. Also, if it's again a contentious termination, that person still is gonna be working out their notice. You know, hell hath no fury like a disgruntled employee, so we want to be very cautious
02:34
in those instances. So basically, screen your individuals before you hire them
02:38
and have a proper, excuse me, have a proper termination policy in place for when they leave, also for transfers, when you're being transferred from one organization to another, really usually more one department to another. But you know, we have this issue that's called authorization creep,
02:59
and what happens with authorization creep is, as I move from system to system, from department to department, I tend to accumulate rights and permissions. Why? Because I'm given new permissions and new rights for my new position. But often
03:15
we fail to go back and revoke the rights from the previous position.
03:20
So a couple of ways that that's mitigated: the first is role-based access control,
03:24
right? So with role-based access control, I don't have an account Kelly H. I have an account of Trainer One,
03:32
and if I move to the sales department, I'm given a sales, I'm given a sales account, and the Kelly, er,
03:40
the Trainer One account is disabled. So ultimately, my access is driven by my role in the organization, and that keeps me as an individual from accumulating rights and permissions across many boundaries. Another way that we can mitigate that is to have
03:57
a scheduled review of user accounts and audit
04:00
as well.
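The scheduled account review the lesson ends on, written out as a check for the two problems it describes: authorization creep (an account holding rights beyond its current role) and credentials whose enabled state disagrees with the termination time. This is an added example, not part of the course or Cybrary's material; the role entitlements, account export and timestamps are constructed.

```python
from datetime import datetime

# Constructed sample data (not from the course): the entitlements each
# role-based account should carry. Anything beyond this is excess.
ROLE_ENTITLEMENTS = {
    "trainer": {"lms:read", "lms:write", "cui-training:read"},
    "sales": {"crm:read", "crm:write", "cui-contracts:read"},
}

# Constructed account export, as a scheduled review would pull it from
# the directory. Timestamps are ISO 8601 with a UTC offset.
ACCOUNTS = [
    {"user": "trainer1", "role": "trainer", "enabled": True,
     "perms": {"lms:read", "lms:write", "cui-training:read"}, "terminated_at": None},
    # Transferred from trainer to sales but kept the old trainer rights:
    # this is the authorization creep the lesson describes.
    {"user": "sales7", "role": "sales", "enabled": True,
     "perms": {"crm:read", "crm:write", "cui-contracts:read",
               "lms:write", "cui-training:read"}, "terminated_at": None},
    # Terminated at noon; the account must be disabled from that moment on.
    {"user": "sales3", "role": "sales", "enabled": True,
     "perms": {"crm:read"}, "terminated_at": "2024-03-01T12:00:00+00:00"},
    # Termination scheduled for noon but already disabled (the "revoke at
    # eight" case the lesson warns against).
    {"user": "trainer4", "role": "trainer", "enabled": False,
     "perms": {"lms:read"}, "terminated_at": "2024-03-01T12:00:00+00:00"},
]

def review_accounts(accounts, role_entitlements, review_time_iso):
    """Return (user, finding, detail) tuples for accounts that exceed their
    role or whose enabled state disagrees with their termination time."""
    now = datetime.fromisoformat(review_time_iso)
    findings = []
    for acct in accounts:
        expected = role_entitlements.get(acct["role"], set())
        excess = acct["perms"] - expected
        if excess:
            findings.append((acct["user"], "authorization_creep", sorted(excess)))
        term = acct["terminated_at"]
        if term is None:
            continue
        term_at = datetime.fromisoformat(term)
        if acct["enabled"] and term_at <= now:
            findings.append((acct["user"], "enabled_after_termination", [term]))
        elif not acct["enabled"] and term_at > now:
            findings.append((acct["user"], "disabled_before_termination", [term]))
    return findings
```

Run `review_accounts(ACCOUNTS, ROLE_ENTITLEMENTS, "2024-03-01T13:00:00+00:00")` to see the creep on sales7 and the still-enabled sales3 account; running it with an 11:00 review time instead flags trainer4 as disabled too early.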

Up Next

NIST 800-171 Controlled Unclassified Information Course

The Cybrary NIST 800-171 course covers the 14 domains of safeguarding controlled unclassified information in non-federal agencies. Basic and derived requirements are presented for each security domain as defined in the NIST 800-171 special publication.

Instructed By

Kelly Handerhan
Senior Instructor