Domain 1 of 8 · Chapter 8 of 12

Personnel Security

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The employment lifecycle is the model for every personnel control
  • Hiring: designate the position's risk, then screen to it, then sign agreements
  • Transfer and termination: keep access matched to need, revoke promptly on exit
  • Insider-threat controls: separation of duties, least privilege, rotation, vacation
  • Third parties and policy compliance: vendors, consultants, contractors
  • Exam-pattern recognition: how personnel-security questions are framed

Personnel security lifecycle controls (NIST SP 800-53 PS family)

Lifecycle stageControlCore actionMost-tested point
Define the rolePS-2 Position Risk DesignationAssign a risk level to the position; set screening criteria from itScreening depth follows position risk, not a flat standard
HirePS-3 Personnel ScreeningScreen (background investigation) before authorizing access; rescreen per defined conditionsScreen before access is granted, deeper for higher-risk positions
Grant accessPS-6 Access AgreementsSign NDA, acceptable use, rules of behavior, conflict-of-interestAgreements are signed prior to access, not after
Move (internal)PS-5 Personnel TransferRe-evaluate and modify access to match the new role's needRemove no-longer-needed access; transfers cause privilege creep
LeavePS-4 Personnel TerminationDisable access, revoke credentials, exit interview, retrieve propertyPromptly; for-cause = disable access before notifying the person
Third partyPS-7 External Personnel SecurityBind contractors to your policy; require notice of their staff changesContractor offboarding is the vendor's contractual duty to report
Enforce / deterAC-5 SoD, AC-6 least privilege, rotation, vacationSplit duties, grant minimum, rotate jobs, force vacationsSoD prevents fraud without collusion; admin of access ≠ admin of audit

Decision tree

Is the person leaving theorganization?YesTerminate: disable + revoke (PS-4)For cause: disable access before notifyingNoChanging roles within theorganization?YesTransfer: re-evaluate (PS-5)Remove access; stop privilege creepNoIs the person joining(being hired)?YesDesignate risk, screen, sign agreementsPS-2 to PS-3 to PS-6, before accessNoWorry is one insider abusingauthorized access?YesSeparation of duties +least privilegeRotation + mandatory vacation to detectNoContractor / consultant?External personnel security in contract (PS-7)Always: access must track the person's current, justified needSupplier-org trustworthiness is supply-chain risk, not personnel security

Cheat sheet

  • Personnel security manages trust across the whole employment lifecycle
  • Screening depth follows the position's risk designation, not a flat standard
  • Screen the candidate before authorizing access, never after
  • Access agreements are signed before access is granted
  • The hiring order is fixed: designate risk, screen, sign agreements, then grant
  • On termination, run the PS-4 checklist immediately: disable, revoke, exit interview, retrieve
  • The exit interview reminds the departing employee of continuing NDA obligations
  • For a for-cause termination, disable access before notifying the person
  • Treat a transfer as re-onboarding to stop privilege creep
  • Separation of duties stops fraud that would otherwise need no collusion
  • Whoever administers access control must not also administer the audit logs
  • Mandatory vacation and job rotation detect fraud by trusted insiders
  • Contractors and consultants are bound to your personnel security through the contract
  • Personnel control of a contractor is distinct from supply-chain risk of the supplier
  • Personnel sanctions must run through a formal, documented process
  • Background-check scope is bounded by law and privacy, not just by role risk

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. NIST glossary: personnel security (NIST SP 800-53 Rev. 5) Whitepaper
  2. NIST glossary: separation of duty (NIST SP 800-192) Whitepaper
  3. NIST glossary: least privilege (NIST SP 800-12 Rev. 1 / CNSSI 4009) Whitepaper