Navigate

PS-8

PS-8: Personnel Sanctions

a: Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and

b: Notify [personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;] within [the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Supplemental

Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
DAF Baseline, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate), Privacy Control Baseline (CNSSI 1253)

CSF Categories
PR.IP-11

Related Controls

The controls below (if any) were marked by NIST as being related to PS-8.

Control	Description
PL-4	a: Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; b: Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; c: Review and update the rules of behavior [frequency for reviewing and updating the rules of behavior is defined;] ; and d: Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [one or more of "{{ insert: param, pl-04_odp.03 }} "/"when the rules are revised or updated"].
PM-12	Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
PS-6	a: Develop and document access agreements for organizational systems; b: Review and update the access agreements [the frequency at which to review and update access agreements is defined;] ; and c: Verify that individuals requiring access to organizational information and systems: 1: Sign appropriate access agreements prior to being granted access; and 2: Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [the frequency at which to re-sign access agreements to maintain access to organizational information is defined;].
PT-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] personally identifiable information processing and transparency policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; b: Designate an [an official to manage the personally identifiable information processing and transparency policy and procedures is defined;] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and c: Review and update the current personally identifiable information processing and transparency: 1: Policy [the frequency at which the current personally identifiable information processing and transparency policy is reviewed and updated is defined;] and following [events that would require the current personally identifiable information processing and transparency policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current personally identifiable information processing and transparency procedures are reviewed and updated is defined;] and following [events that would require the personally identifiable information processing and transparency procedures to be reviewed and updated are defined;].

Enhancements

The controls below (if any) add on to the requirements of PS-8.

Control	Description
No controls

Related CCIs

The CCIs below are tied to PS-8.

CCI	Definition
CCI-003044	Notify organization-defined personnel or roles within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
CCI-003045	Defines personnel or roles who are to be notified when a formal employee sanctions process is initiated.
CCI-003046	Defines the time period within which to notify organization-defined personnel or roles when a formal employee sanctions process is initiated.
CCI-004521	Employ a formal sanctions process for individuals failing to comply with established information security policies.
CCI-004522	Employ a formal sanctions process for individuals failing to comply with established information security procedures.