PS-6 Third-Party Personnel Security

Control: Establish personnel security requirements for third-party providers (for example, service bureaus, contractors, and other organizations providing system development, information technology services, outsourced applications, network, and security management) and monitor provider compliance to ensure adequate security.

Illustrative Controls and TIBCO LogLogic Solution

Auditors sample employment records and cross-check changes in employment against changes in access rights as identified in historical system logs. They also cross-check changes in shared passwords against these same employment records.

Administrators are required to demonstrate that user access privileges are modified and revoked in a timely manner upon job change or termination. Review reports and alerts on account activities, accounts created or deleted, group members added or deleted, and successful logins to VPN concentrators and critical servers.

Take prompt action on job changes, especially terminations. Knowledge transfer needs to be arranged, responsibilities reassigned, and access rights removed so that risk is minimized and continuity of the function is preserved. When a person changes jobs or is terminated, user access privileges must be modified according to the company's business guidelines.

To satisfy this requirement, administrators must periodically ensure that only current and authorized employees have access to the servers and systems. Administrators must ensure that all terminated users have been disabled. In addition, administrators must ensure that logins to servers and permissions assigned to users who changed jobs are appropriate for the new role they are in.

To verify that the preceding requirements are met, administrators must review reports of all user deletions and group membership modifications. This confirms that terminated users have been removed and that users who changed jobs have been removed from the groups their former role required.

TIBCO LogLogic access reports and alerts, which record the details of accounts and group memberships being removed, are used to validate that a departing or reassigned person's access to systems and protected information has been terminated, as part of this control. Access reports and alerts are reviewed to ensure that no terminated person retains access or shows any system or network activity following the termination.
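The cross-checks described above (terminated users whose accounts were never disabled, logins after the termination date, and transferred users still holding groups from their old role) can be expressed as a small script run over an HR extract and exported log events. The following is an added example, not part of the TIBCO LogLogic product or this guide; the HR records, the key=value log format, and the field names (action, user, group, result, host) are constructed assumptions, and a real deployment would map LogLogic's exported reports or the raw Windows Security, directory, and VPN concentrator events into the same three questions.

```python
"""Cross-check employment records against account, group, and login events.

Added example, not TIBCO LogLogic code. Data formats below are hypothetical.
"""
from datetime import datetime

# Constructed HR extract (hypothetical). "date" is the effective date of the
# termination or job change; "drop_groups" lists groups the old role needed.
HR_RECORDS = [
    {"user": "jdoe", "event": "terminated", "date": "2024-03-01"},
    {"user": "asmith", "event": "terminated", "date": "2024-03-03"},
    {"user": "bwong", "event": "transferred", "date": "2024-03-02",
     "drop_groups": ["finance-admins"]},
    {"user": "cklein", "event": "transferred", "date": "2024-03-02",
     "drop_groups": ["domain-admins"]},
]

# Constructed log lines (hypothetical key=value format standing in for
# directory, server, and VPN concentrator events).
LOG_LINES = """\
2024-03-01T10:05:00 host=dc01 action=account_disabled user=jdoe by=admin1
2024-03-01T18:22:10 host=vpn01 action=login result=success user=jdoe src=203.0.113.7
2024-03-02T09:00:00 host=dc01 action=group_member_removed user=bwong group=finance-admins by=admin1
2024-03-02T09:30:00 host=srv-db01 action=login result=failure user=asmith src=10.0.0.5
2024-03-04T08:15:00 host=srv-db01 action=login result=success user=asmith src=10.0.0.5
2024-03-04T08:20:00 host=dc01 action=group_member_added user=cklein group=hr-staff by=admin2
2024-03-05T12:00:00 host=dc01 action=account_deleted user=jdoe by=admin1
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def _effective(rec):
    # Treat the HR date as effective from midnight; activity on that day counts.
    return datetime.fromisoformat(rec["date"])


def terminated_not_disabled(hr, events):
    """Terminated users with no disable/delete event on or after the HR date."""
    flagged = []
    for rec in hr:
        if rec["event"] != "terminated":
            continue
        cutoff = _effective(rec)
        done = any(e.get("user") == rec["user"]
                   and e.get("action") in ("account_disabled", "account_deleted")
                   and e["ts"] >= cutoff for e in events)
        if not done:
            flagged.append(rec["user"])
    return flagged


def post_termination_logins(hr, events):
    """Successful logins by terminated users at or after their termination date."""
    cutoffs = {r["user"]: _effective(r) for r in hr if r["event"] == "terminated"}
    hits = []
    for e in events:
        user = e.get("user")
        if (user in cutoffs and e.get("action") == "login"
                and e.get("result") == "success" and e["ts"] >= cutoffs[user]):
            hits.append((user, e["ts"].isoformat(), e["host"]))
    return hits


def stale_group_membership(hr, events):
    """(user, group) pairs a transferred user should have lost with no removal logged."""
    stale = []
    for rec in hr:
        if rec["event"] != "transferred":
            continue
        cutoff = _effective(rec)
        for group in rec.get("drop_groups", []):
            removed = any(e.get("user") == rec["user"]
                          and e.get("action") == "group_member_removed"
                          and e.get("group") == group
                          and e["ts"] >= cutoff for e in events)
            if not removed:
                stale.append((rec["user"], group))
    return stale


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    print("terminated but never disabled:", terminated_not_disabled(HR_RECORDS, evs))
    print("post-termination logins:", post_termination_logins(HR_RECORDS, evs))
    print("stale group membership:", stale_group_membership(HR_RECORDS, evs))
```

Note that jdoe is reported even though the account was disabled on the termination date: a successful VPN login eight hours after the disable event means either the disable did not propagate to the concentrator or a cached credential or session survived it, which is exactly the post-termination activity the review is meant to surface. The failed login by asmith is deliberately ignored; only successful access after the HR date is evidence that revocation was late or incomplete.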

Reports and Alerts

Use the following reference to see the PS-6 reports and alerts: PS-6.