Navigate

CCI-001541

CCI-001541 Definition

The organization monitors third-party provider compliance with personnel security requirements.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed monitors third-party provider compliance with personnel security requirements. The organization must maintain an audit trail of monitoring activity.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail of monitoring activity to ensure the organization being inspected/assessed monitors third-party provider compliance with personnel security requirements.

Compelling Evidence

1.) Organizational audit logs of third party providers that verify compliance with personnel security requirements in the Service Level Agreements.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001541.

Control	Description
PS-7	The organization: PS-7a.: Establishes personnel security requirements including security roles and responsibilities for third-party providers; PS-7b.: Requires third-party providers to comply with personnel security policies and procedures established by the organization; PS-7c.: Documents personnel security requirements; PS-7d.: Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and PS-7e.: Monitors provider compliance.

Control

Description

PS-7

The organization:

PS-7a.: Establishes personnel security requirements including security roles and responsibilities for third-party providers;

PS-7b.: Requires third-party providers to comply with personnel security policies and procedures established by the organization;

PS-7c.: Documents personnel security requirements;

PS-7d.: Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and

PS-7e.: Monitors provider compliance.