StateRAMP and Personnel Security
As the old saying goes, the weakest link in any security system is the user. This isn’t an insult but rather a commentary on the impossibility of eliminating every vulnerability in a system that humans have to use daily. In terms of actually mitigating direct security threats associated with users, however, there can be no mincing of words. That’s why StateRAMP includes several critical security controls to address personnel security.
Why Is Personnel Security Important?
Many approaches to cybersecurity focus on either external threats or system vulnerabilities. But internal threats, or those associated with employees or other personnel, are very real and very dangerous. That’s because a few critical situations open organizations to potential attacks or data loss.
These situations include:
- Insider Threats: Insider threats are those associated with malicious actors within the organization. These individuals may be victims of blackmail or willing participants in data theft or espionage activities. These threats are particularly dangerous because an insider may have access and privileges that could cause significant issues if they exploit them for nefarious purposes.
- Inadvertent Vulnerabilities: Some threats don’t originate from malicious activity but simple human resource mistakes. These can include failure to remove or delete access to system resources once a user resigns or is terminated from an organization.
- Third-Party Vendors: With organizations increasingly relying on third-party vendors and managed service providers, the potential for security risks and data exposure is high. It’s critical, then, that any group using managed services or service vendors vet and audit those relationships, specifically as they relate to how external personnel interact with internal systems.
Because it is a complete security standard that adopts its requirements from federal guidelines, StateRAMP includes several critical controls to manage personnel security.
StateRAMP and Personnel Security Controls (PS)
StateRAMP is a derivation of FedRAMP security, and as such, it pulls select controls from that standard. This includes several controls from the Personnel Security (PS) family found in NIST Special Publication 800-53.
Furthermore, StateRAMP documentation designates the Impact Levels (Low, Low+, and Moderate) at which each control applies.
These controls include:
Security Policies and Procedures (PS-1)
A compliant organization must create, produce, and disseminate clear policies and procedures around personnel risk. These policies should address specific risks and challenges relevant to the organization, data handling, and business operations. Furthermore, the organization should define and fill a designated role within the organization whose responsibility it is to maintain and update these policies and procedures as needed. This control is a requirement at every Impact Level within StateRAMP.
Position Risk Designation (PS-2)
Each and every position within the organization has the potential to expose it to risk. Therefore, PS-2 requires that the organization assign a risk category to all positions depending on their proximity to sensitive data and systems. Following that, the organization must establish screening criteria for each position, with more sensitive positions (those touching on PII or PHI, for example) requiring more extensive background checks. These risk categories must be regularly reviewed and updated based on changing security and organizational factors.
This control is only required at StateRAMP Moderate levels.
Personnel Screening (PS-3)
Organizations must conduct screening procedures for the positions outlined in PS-2. These screening methods may include background, agency, credit, referral, or identity verification checks.
In addition, several enhancements could play a role in this category but only come into play for federal agencies that may handle sensitive classified information.
Personnel Termination (PS-4)
If an employee is terminated, an organization must address any accounts or privileges associated with that user and their role. When an employee is terminated, the organization must:
- Disable system access for that user
- Remove authentication credentials, both physical and digital
- Conduct exit interviews with that employee
- Retrieve all security- or data-related property and any other information.
The exit interview should not be a performance or company evaluation. Instead, the organization must establish precise termination requirements, including reminders of non-disclosure obligations and the collection of credentials.
Personnel Transfer (PS-5)
Even if an employee is transferred within the organization (and is, obviously, still part of that organization), the organization must follow several critical security procedures. These include:
- Reviewing any need for the transferred employee to retain access to local systems after transfer. In some cases, transferred employees may need, in part or whole, access to global systems while losing privileges for a specific infrastructure (for example, physical access to localized data centers or workstations).
- Modifying any system authorizations to match the new role, responsibilities, and location of the employee.
- Notifying all relevant internal stakeholders, including management, IT, and security personnel, of the transfer to ensure that all relevant processes are completed as needed.
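The termination (PS-4) and transfer (PS-5) procedures above are only effective if someone checks that they were actually carried out. The following added example, which is not StateRAMP or Continuum GRC code, reconciles a constructed HR roster against a constructed directory export and flags accounts of terminated users that are still enabled or still hold credentials, transferred users whose entitlements exceed their new role, and accounts with no HR record at all; the role-to-entitlement baseline and field names are hypothetical.

```python
# Added example: HR roster vs. directory export reconciliation (PS-4 / PS-5 check).

# Constructed HR roster: employee id -> (HR status, current role).
HR_ROSTER = {
    "e100": ("active", "dba"),
    "e101": ("terminated", "dba"),
    "e102": ("transferred", "helpdesk"),  # moved from dba to helpdesk
    "e103": ("active", "helpdesk"),
    "e104": ("terminated", "helpdesk"),
}

# Hypothetical role-to-entitlement baseline agreed with the business.
ROLE_ENTITLEMENTS = {
    "dba": {"vpn", "prod-db-admin"},
    "helpdesk": {"vpn", "ticketing"},
}

# Constructed directory export: (employee id, account enabled?, entitlements).
ACCOUNTS = [
    ("e100", True, {"vpn", "prod-db-admin"}),
    ("e101", True, {"vpn", "prod-db-admin"}),               # terminated, still enabled
    ("e102", True, {"vpn", "prod-db-admin", "ticketing"}),  # kept old dba access
    ("e103", True, {"vpn", "ticketing"}),
    ("e104", False, {"vpn"}),                               # disabled, credential not removed
    ("e999", True, {"vpn"}),                                # no HR record at all
]

def reconcile(roster, accounts, role_entitlements):
    """Return (employee id, finding) pairs that need follow-up."""
    findings = []
    for emp_id, enabled, entitlements in accounts:
        if emp_id not in roster:
            findings.append((emp_id, "orphaned account: no HR record"))
        elif roster[emp_id][0] == "terminated":
            # PS-4: access must be disabled AND credentials removed, not just one.
            if enabled:
                findings.append((emp_id, "terminated but account still enabled"))
            elif entitlements:
                findings.append((emp_id, "terminated, disabled, but entitlements remain"))
        else:
            # PS-5: entitlements must match the current role; anything extra is stale.
            stale = entitlements - role_entitlements.get(roster[emp_id][1], set())
            if stale:
                findings.append((emp_id, f"excess entitlements: {sorted(stale)}"))
    return findings

if __name__ == "__main__":
    for emp_id, finding in reconcile(HR_ROSTER, ACCOUNTS, ROLE_ENTITLEMENTS):
        print(emp_id, "->", finding)
```

Running this check on a schedule, with findings routed to the stakeholders PS-5 requires be notified, turns the termination and transfer checklists into something auditable.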
Access Agreements (PS-6)
All organizations must have access agreements that define and adjudicate how users interact with internal systems and data. Agreements can include NDAs, acceptable use documents, terms of service, and conflict-of-interest agreements. These agreements must be regularly reviewed and updated to reflect new operations and infrastructure, and the organization must retain records of personnel signatures.
External Personnel Security (PS-7)
For any vendor or MSP relationship involving external personnel and internal data or systems, the organization must have requirements and policies in place to protect that data.
The specifics of this control include:
- Creating requirements for external personnel that define roles, responsibilities, and limitations (access agreements).
- Contractually requiring that all external personnel adhere to these requirements.
- Requiring notifications from vendors of transfers, changes, or terminations that affect personnel with access to organizational systems and information (for example, those with internal authentication credentials or physical access to sensitive areas).
Personnel Sanctions (PS-8)
An organization must have consequences for individuals violating security requirements and agreements. These consequences must be communicated to the individual, independently documented, and available to that individual for review at any time. Additionally, if sanctions are enacted against personnel, that individual or individuals must be notified within a predetermined period.
Monitor Personnel Security Controls with Continuum GRC
You should always take personnel security seriously; if not for compliance, then simply to protect your critical assets. With the Continuum GRC Platform, you can identify, monitor, and maintain your PS controls in real time while managing StateRAMP compliance.
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.