Personnel Basic and Derived

00:04

Okay, I'm next to Main personnel Security. This one short and sweet. Ah, this is the only one where we have basic security requirements and no derived security requirements. So our basic security requirements are screen individuals prior to authorizing access to systems

00:22

with controlled unclassified information.

00:25

So how might we scream? There's individuals. Well, we'll check references will do a background check will see, check their security clearance. Maybe they're certifications, whatever that may be. But before giving access to assist with sensitive information, we have to screen those individuals.

00:44

The second

00:46

ensure that, See you, I and systems containing see why are protected during and after personnel actions such it's terminations and transfers. You know, terminations could be a very delicate situation. And many times the termination could be,

01:06

um,

01:07

uh, you know, an amicable termination if you would, uh, or sometimes these things can be contentious. But the bottom line is we need to have good personnel policy in place. How do we handle a termination that is contentious?

01:23

You know? Well, one of the things that we do is we terminate their credentials,

01:27

and we want that to be in line with the point in time of termination. So I don't want to revoke credentials at eight and the terminations gonna happen at noon. I also don't want the reverse to be true. I need to make sure that once the individual has been notified of his termination,

01:45

then those credentials should immediately have been revoked.

01:49

Um,

01:51

and really? And that's true with amicable terminations as well. You know, once the termination process begins, then credentials are revoked. You know, this may be the type of element where sometimes someone's leaving the organization and they give notice.

02:07

Well, in that instance, what we might want to do is create maybe a temporary account with somewhat limited access.

02:14

One of the things that I've certainly found is once people give notice, they sort of check out mentally. Also, if it's again a contentious termination, that person still is gonna be working out of notice. You know hell hath no fury like a disgruntled employee, so we want to be very cautious

02:34

in those instances. So basically, screen your individuals before you hire them

02:38

and have a proper excuse me have a proper termination policy in place for when they leave, also for transfers when you're being transferred from one organization to another, really usually more one department to another. But you know, we have this issue that's called authorization,

02:59

and what happens with authorization creep is as I move from system to system from department to department, I tend to accumulate rights and permissions. Why? Because I'm given new permissions and new rights for my new position. But often

03:15

we failed to go back and revoke the rights from the previous position.

03:20

So a couple of ways that that's mitigated the first is role based access control,

03:24

right? So with role based access control, I don't have an account. Kelly H. I have an account of Trainer one,

03:32

and if I moved to sales department, I'm giving a sales. I'm giving a sales account and the Kelly in the ER

03:40

the trainer. One account is disable, So ultimately, my access is driven by my role in the organization, and that keeps me as an individual from accumulating rights and permissions across many boundaries. Another way that we can mitigate that is tohave

03:57

a scheduled review of user accounts and audit