1908 Personnel Security Policy
Department of Human Services
Index: POL1908
Revised: 06/02/2025
Next Review: 06/02/2027
Subject: DHS Information Security Policies
Policy
This policy establishes the Enterprise Personnel Security Policy, for managing risks from personnel screening, termination, management and third-party access, through the establishment of an effective security planning program. The personnel security program helps DHS implement security best practices with regard to personnel screening, termination, transfer and management.
Authority
- United States Department of Commerce, National Institute of Standards and Technology (NIST)
- United States Internal Revenue Service
- United States Department of Health & Human Services – Administration for Children and Families (ACF), Office of Child Support Services (OCSS)
- United States Department of Health & Human Services – Centers for Medicare & Medicaid Services (CMS)
- Georgia Technology Authority
- Social Security Administration
- Federal Bureau of Investigation (Criminal Justice Information Services)
References
- Centers for Medicare & Medicaid Services, Volume II: Minimum Acceptable Risk Standards for Exchanges
- Georgia Technology Authority Enterprise Information Security Policy
- Social Security Administration (“SSA”) Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration (“TSSR”)
- ACF/OCSS Security Agreement
Applicability
This policy applies to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users of IT resources (DHS employees, contractors, vendors, or others) are responsible for adhering to this policy.
Definitions
- Media: Data storage material divided into three broad categories according to the recording method: (1) Magnetic, such as diskettes, disks, and tapes; (2) Optical, such as microfiche; and (3) Magneto-Optical, such as CDs and DVDs.
- Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Responsibilities
DHS shall adopt the Personnel Security principles established in the NIST SP 800-53 “Personnel Security” control family as the official policy for this domain. The following subsections outline the Personnel Security standards that constitute DHS policy. Each DHS Business System is bound to this policy and shall develop or adhere to a program plan that demonstrates compliance with the standards documented here.
PS-1 Personnel Security Procedures
- Develop, document, and disseminate to designated agency personnel:
  - An organization-level personnel security policy that:
    - Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - Procedures to facilitate the implementation of the personnel security policy and the associated controls.
- Designate an agency official to manage the development, documentation, and dissemination of the personnel security policy and procedures; and
- Review and update the current personnel security:
  - Policy every one (1) year (or when there is a significant change); and
  - Procedures every one (1) year (or when there is a significant change).
PS-2 Position Risk Designation
- Assign a risk designation to all organizational positions;
- Establish screening criteria for individuals filling those positions; and
- Review and update position risk designations at least every one (1) year. Additionally, update them when recruitment actions are taken or when position descriptions are changed, rewritten, or realigned.
PS-3 Personnel Screening
- Screen individuals prior to authorizing access to the system and CUI; and
- Re-screen individuals in accordance with agency-defined conditions requiring re-screening, but no less than once every five (5) years.
PS-4 Personnel Termination
- Upon employee or contractor termination, the agency shall:
  - Disable system access within one (1) business day;
  - Terminate or revoke any authenticators and credentials associated with the individual;
  - Conduct exit interviews that include a discussion of information security topics, specifically nondisclosure agreements;
  - Retrieve all security-related organizational system-related property;
  - Retain access to organizational information and systems formerly controlled by the terminated individual; and
  - Notify organization-defined personnel upon termination.
PS-5 Personnel Transfer
- Review and confirm the ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;
- Initiate transfer or, when warranted, extended reassignment actions to ensure that all system access no longer required (e.g., for need to know) is removed or disabled within twenty-four (24) hours;
- Modify access authorizations as needed to correspond with any changes in operational need due to reassignment or transfer; and
- Notify designated agency personnel within twenty-four (24) hours of transfer.
PS-6 Access Agreements
- Develop and document access agreements for organizational systems;
- Review and update the access agreements at a minimum annually; and
- Verify that individuals requiring access to organizational information and systems:
  - Sign appropriate access agreements prior to being granted access; and
  - Re-sign access agreements to maintain access to organizational systems when access agreements have been updated, or at a minimum annually.
SSA.1
SSA requires that contracts for periodic disposal/destruction of case files or other print media contain a non-disclosure agreement signed by all personnel who will encounter products that contain SSA data.
PS-6 (3) Post-Employment Requirements:
- Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
- Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.
PS-7 External Personnel Security
- Establish personnel security requirements, including security roles and responsibilities, for external providers;
- Require external providers to comply with personnel security policies and procedures established by the organization;
- Document personnel security requirements;
- Require external providers to notify designated agency personnel within twenty-four (24) hours of any transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges; and
- Monitor provider compliance with personnel security requirements.
SSA.1
The service level agreements with contractors and agents must contain non-disclosure language as it pertains to SSA data. The state organization must retain the non-disclosure agreements for at least five (5) to seven (7) years for all contractors and agents who process, view, or encounter SSA data as part of their duties.
PS-8 Personnel Sanctions
- Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and
- Notify designated agency personnel within twenty-four (24) hours when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
If an employee, contractor, or agent is subject to an adverse administrative action by the organization (e.g., reduction in pay, disciplinary action, termination of employment), the organization should remove his or her access to CUI in advance of the adverse action to reduce the possibility that the individual will perform unauthorized activities involving CUI.
Evaluation
The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:
- Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS 1075, NIST 800-53, and CMS MARS-E.
- Addressing any deficiencies or gaps discovered during periodic audits conducted by the Georgia DOAA or other regulatory bodies, such as the IRS, CMS, SSA, and FBI.