CCI-003043

Defines the time period for external providers to notify organization-defined personnel or roles when external personnel who possess organizational credentials and/or badges, or who have system privileges are transferred or terminated.

Implementation Guidance

Determine if external providers are required to notify [PS-07_ODP[01]; personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess Organizational credentials and/or badges or who have system privileges is/are defined] of any personnel transfers or terminations of external personnel who possess Organizational credentials and/or badges or who have system privileges within [PS-07_ODP[02]; time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess Organizational credentials and/or badges or who have system privileges is defined].

Validation Procedures

Examine: [SELECT FROM: Personnel security policy; procedures addressing external personnel security; list of personnel security requirements; acquisition documents; service-level agreements; compliance monitoring process; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities; external providers; system/network administrators; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Organizational processes for managing and monitoring external personnel security; mechanisms supporting and/or implementing the monitoring of provider compliance].

The controls below (if any) were marked by NIST as being related to CCI-003043.