Navigate

PS-8

PS-8: Personnel Sanctions

The organization:

a: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and

b: Notifies [one of ] within [one of ] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Supplemental

Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

CSF Categories
PR.IP-11

Related Controls

The controls below (if any) were marked by NIST as being related to PS-8.

Control	Description
PL-4	The organization: a: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c: Reviews and updates the rules of behavior [one of ]; and d: Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
PS-6	The organization: a: Develops and documents access agreements for organizational information systems; b: Reviews and updates the access agreements [one of ]; and c: Ensures that individuals requiring access to organizational information and information systems: 1: Sign appropriate access agreements prior to being granted access; and 2: Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [one of ].

Control

Description

PL-4

The organization:

a: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

b: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

c: Reviews and updates the rules of behavior [one of ]; and

d: Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

PS-6

The organization:

a: Develops and documents access agreements for organizational information systems;

b: Reviews and updates the access agreements [one of ]; and

c: Ensures that individuals requiring access to organizational information and information systems:
- 1: Sign appropriate access agreements prior to being granted access; and
- 2: Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [one of ].

Enhancements

The controls below (if any) add on to the requirements of PS-8.

Control	Description
No controls

Related CCIs

The CCIs below are tied to PS-8.

CCI	Definition
CCI-001542	The organization employs a formal sanctions process for individuals failing to comply with established information security policies and procedures.
CCI-003044	Notify organization-defined personnel or roles within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
CCI-003045	Defines personnel or roles who are to be notified when a formal employee sanctions process is initiated.
CCI-003046	Defines the time period within which to notify organization-defined personnel or roles when a formal employee sanctions process is initiated.