Navigate

CCI-000592

CCI-000592 Definition

Establish the rules that describe their responsibilities and expected behavior, for information and system usage, for individuals requiring access to the system.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system. - rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system.

Validation Procedures

Examine: [SELECT FROM: Security and privacy planning policy; procedures addressing rules of behavior for system users; rules of behavior; signed acknowledgements; records for rules of behavior reviews and updates; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior; organizational personnel with responsibility for literacy training and awareness and role-based training; organizational personnel who are authorized users of the system and have signed and resigned rules of behavior; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior; mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000592.

Control	Description
PL-4	a: Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; b: Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; c: Review and update the rules of behavior [frequency for reviewing and updating the rules of behavior is defined;] ; and d: Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [one or more of "{{ insert: param, pl-04_odp.03 }} "/"when the rules are revised or updated"].

Control

Description

PL-4

a: Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;

b: Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;

c: Review and update the rules of behavior [frequency for reviewing and updating the rules of behavior is defined;] ; and

d: Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [one or more of "{{ insert: param, pl-04_odp.03 }} "/"when the rules are revised or updated"].