CCI-003045

Defines personnel or roles who are to be notified when a formal employee sanctions process is initiated.

Implementation Guidance

Determine if [PS-08_ODP[01]; personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined] is/are notified within [PS-08_ODP[02]; the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Validation Procedures

Examine: [SELECT FROM: Personnel security policy; personnel security procedures; procedures addressing personnel sanctions; access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements); list of personnel or roles to be notified of formal employee sanctions; records or notifications of formal employee sanctions; system security plan; privacy plan; personally identifiable information processing policy; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities; legal counsel; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for managing formal employee sanctions; mechanisms supporting and/or implementing formal employee sanctions notifications].

The controls below (if any) were marked by NIST as being related to CCI-003045.