Navigate

PS-5

PS-5: Personnel Transfer

The organization:

a: Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;

b: Initiates [one of ] within [one of ];

c: Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

d: Notifies [one of ] within [one of ].

Supplemental

This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

CSF Categories
PR.IP-11

Related Controls

The controls below (if any) were marked by NIST as being related to PS-5.

Control	Description
AC-2	The organization: a: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [one of ]; b: Assigns account managers for information system accounts; c: Establishes conditions for group and role membership; d: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e: Requires approvals by [one of ] for requests to create information system accounts; f: Creates, enables, modifies, disables, and removes information system accounts in accordance with [one of ]; g: Monitors the use of information system accounts; h: Notifies account managers: 1: When accounts are no longer required; 2: When users are terminated or transferred; and 3: When individual information system usage or need-to-know changes; i: Authorizes access to the information system based on: 1: A valid access authorization; 2: Intended system usage; and 3: Other attributes as required by the organization or associated missions/business functions; j: Reviews accounts for compliance with account management requirements [one of ]; and k: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
IA-4	The organization manages information system identifiers by: a: Receiving authorization from [one of ] to assign an individual, group, role, or device identifier; b: Selecting an identifier that identifies an individual, group, role, or device; c: Assigning the identifier to the intended individual, group, role, or device; d: Preventing reuse of identifiers for [one of ]; and e: Disabling the identifier after [one of ].
PE-2	The organization: a: Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b: Issues authorization credentials for facility access; c: Reviews the access list detailing authorized facility access by individuals [one of ]; and d: Removes individuals from the facility access list when access is no longer required.
PS-4	The organization, upon termination of individual employment: a: Disables information system access within [one of ]; b: Terminates/revokes any authenticators/credentials associated with the individual; c: Conducts exit interviews that include a discussion of [one of ]; d: Retrieves all security-related organizational information system-related property; e: Retains access to organizational information and information systems formerly controlled by terminated individual; and f: Notifies [one of ] within [one of ].

Enhancements

The controls below (if any) add on to the requirements of PS-5.

Control	Description
No controls

Related CCIs

The CCIs below are tied to PS-5.

CCI	Definition
CCI-001527	Review and confirm the ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization.
CCI-001528	Initiate organization-defined transfer or reassignment actions within an organization-defined time period following the formal personnel transfer action.
CCI-001529	Defines transfer or reassignment actions to initiate within an organization-defined time period following the formal personnel transfer action.
CCI-001530	Defines the time period within which the organization initiates organization-defined transfer or reassignment actions following the formal personnel transfer action.
CCI-003031	Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer.
CCI-003032	Notify organization-defined personnel or roles within an organization-defined time period when individuals are transferred or reassigned to other positions within the organization.
CCI-003033	Defines personnel or roles to be notified when individuals are transferred or reassigned to other positions within the organization.
CCI-003034	Defines the time period within which organization-defined personnel or roles are to be notified when individuals are transferred or reassigned to other positions within the organization.