Human Resources Security Controls

Purpose

Bramble creates a security- and privacy-minded workforce, and an environment conducive to innovation, by attending to culture, reward and collaboration through sound hiring practices and ongoing personnel management.

Scope

This applies to all Bramble Group Corp. employees.

Ownership

This control is owned by People Operations.

Controls

Each control below is listed by control number and title, followed by its Control Statement, its Goal, its Test of Design (TOD) steps and its Test of Operating Effectiveness (TOE) steps.
HRS-01 Human Resources Security Management

Control Statement: Bramble Group Corp. has implemented mechanisms to facilitate personnel security controls.

Goal: Does the organization facilitate the implementation of personnel security controls?

TOD:
1. Identify policies and procedures responsible for personnel security controls.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.

TOE:
1. Examine formal policies, procedures or other relevant documentation to appropriately identify how personnel security controls are defined.
2. Interview key organizational personnel within Bramble, conducting discussions for evidence that mechanisms exist to conduct personnel security controls, and document in accordance with the TOD.
HRS-02 Position Categorization

Control Statement: Bramble Group Corp. has implemented mechanisms to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.

Goal: Does the organization manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions?

TOD:
1. Identify policies and procedures responsible for the assignment of risk designations to all positions and screening criteria for individuals filling those positions.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.

TOE:
1. Examine formal policies, procedures or other relevant documentation to appropriately identify how personnel are screened and designated.
2. Obtain a population of all personnel and their risk categories.
3. Examine the results to confirm that all individuals are not prone to increased risk and have been appropriately screened.
4. Interview key organizational personnel, conducting discussions for evidence that mechanisms exist to properly screen individuals, and document in accordance with the TOD.
5. Confirm that reviews, updates and revisions occur on an organization-defined frequency. Interview key organizational personnel within Bramble, conducting discussions for evidence that mechanisms exist to conduct personnel security controls, and document in accordance with the TOD.
HRS-03 Roles & Responsibilities

Control Statement: Bramble Group Corp. has implemented mechanisms to define cybersecurity responsibilities for all personnel and to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set.

Goal: Does the organization define cybersecurity responsibilities for all personnel?

TOD:
1. Identify policies and procedures responsible for personnel security controls that outline appropriate job responsibilities and skill sets.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.

TOE:
1. Examine formal policies, procedures or other relevant documentation to appropriately identify the skill-set requirements for all security-related positions.
2. Interview key organizational personnel within Bramble, conducting discussions for evidence that mechanisms exist to review whether individuals in security-related positions have the necessary skill sets, and document in accordance with the TOD.
HRS-04 Personnel Screening

Control Statement: Bramble Group Corp. has implemented mechanisms to manage personnel security risk by screening individuals, following organization-defined special protections, prior to authorizing access to a system that stores, transmits or processes sensitive information, and by formally indoctrinating individuals for all the relevant types of information to which they will have access.

Goal: Does the organization manage personnel security risk by screening individuals prior to authorizing access?

TOD:
1. Identify policies and procedures responsible for screening requirements such as background checks, reflecting the need to protect data in a system that stores, transmits or processes sensitive information under applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and the specific criteria established for the risk designations of assigned positions.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.

TOE:
1. Examine formal policies, procedures or other relevant documentation to appropriately identify what type of screening requirements are implemented.
2. Interview key organizational personnel within Bramble, conducting discussions for evidence that mechanisms exist to conduct screening-requirement checks and reviews, and document in accordance with the TOD.
3. Pull a population of all users.
4. Examine a sample set of users for evidence that screening checks such as background checks have been completed.
HRS-05 Terms of Employment

Control Statement: Bramble Group Corp. has implemented mechanisms requiring all employees and contractors to apply security and privacy principles in their daily work, defined by acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.

Goal: Does the organization require all employees and contractors to apply security and privacy principles in their daily work?

TOD:
1. Identify policies and procedures responsible for determining what rules of behavior have been implemented for employees and contractors to apply security and privacy principles in their daily work and in the use of technologies.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.

TOE:
1. Examine formal policies, procedures or other relevant documentation, such as the Code of Conduct, to appropriately identify expected behavior and the disciplinary actions for violations.
2. Interview key organizational personnel within Bramble, conducting discussions for evidence that mechanisms exist to discipline individuals who violate expected behavior, and document in accordance with the TOD.
3. Pull a population of all users.
4. Examine a sample set of users for evidence that documents such as the Code of Conduct have been reviewed and signed as acknowledgment.
HRS-06 Access Agreements

Control Statement: Bramble Group Corp. has implemented mechanisms to require employees and third-party users to sign appropriate access agreements, such as Non-Disclosure Agreements (NDAs) or similar confidentiality agreements, that reflect the need to protect data and operational details prior to being granted access.

Goal: Does the organization require internal and third-party users to sign appropriate access agreements prior to being granted access?

TOD:
1. Identify policies and procedures responsible for access agreements, such as NDAs, that reflect the need to protect data and operational details for employees and third-party users.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.

TOE:
1. Examine formal policies, procedures or other relevant documentation to appropriately identify what type of documents are provided and signed before access is granted.
2. Interview key organizational personnel within Bramble, conducting discussions for evidence that mechanisms exist to conduct checks and reviews of access agreements for employees and third-party users, and document in accordance with the TOD.
3. Pull a population of all users' signed agreements.
4. Examine a sample set of users for evidence that access agreements were signed.
HRS-07 Personnel Sanctions

Control Statement: Bramble Group Corp. has implemented mechanisms to sanction personnel failing to comply with established security policies, standards and procedures by conducting employee misconduct investigations when there is reasonable assurance that a policy has been violated.

Goal: Does the organization sanction personnel failing to comply with established security policies, standards and procedures?

TOD:
1. Identify policies and procedures responsible for determining what formal sanctions have been implemented for personnel failing to comply with security policies.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.

TOE:
1. Examine formal policies, procedures or other relevant documentation to appropriately identify expected behavior and the disciplinary actions for violations.
2. Interview key organizational personnel within Bramble, conducting discussions for evidence that mechanisms exist to discipline individuals who violate expected behavior, and document in accordance with the TOD.
HRS-08 Personnel Transfer

Control Statement: Bramble Group Corp. has implemented mechanisms to adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner.

Goal: Does the organization adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner?

TOD:
1. Identify policies and procedures responsible for governing the reassignment or transfer of personnel.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.

TOE:
1. Examine formal policies, procedures or other relevant documentation to verify that individuals were transferred or reassigned accurately.
2. Confirm that information system access credentials were adjusted upon personnel reassignment or transfer within a defined time period.
HRS-09 Personnel Termination

Control Statement: Bramble Group Corp. has implemented mechanisms to govern the termination of individual employment by retrieving organization-owned assets upon termination; expediting the removal of “high risk” individuals’ access to systems and applications upon termination, as determined by management; governing third-party personnel; and notifying terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information.

Goal: Does the organization govern the termination of individual employment?

TOD:
1. Identify policies and procedures responsible for governing the termination of individual employment.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.

TOE:
1. Examine formal policies, procedures or other relevant documentation to verify that individuals were terminated accurately.
2. Confirm that information system access credentials were revoked upon termination of individual employment within a defined time period, and/or that the removal of “high risk” individuals’ access to systems and applications upon termination was expedited.
3. Confirm that exit interviews were conducted for terminated individuals, notifying them of applicable, legally binding post-employment requirements for the protection of organizational information.
4. Confirm retrieval of all security-related organizational information and system-related property, such as organization-owned assets, upon termination.
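The TOE steps for HRS-08 and HRS-09 above (access adjusted on transfer, credentials revoked within a defined time period, expedited for “high risk” individuals) can be checked continuously against system exports rather than only by sampling at audit time. The following Python script is an added example and not Bramble's own tooling; it assumes a hypothetical HR event export, a hypothetical identity-provider account export, organization-defined revocation deadlines expressed in hours, and a hypothetical role-to-group entitlement profile, all of which are constructed inline.

```python
"""Timeliness check for HRS-08 / HRS-09 access changes (added example).

Assumptions, none of which come from the control text: HR exports personnel
events (terminations and transfers) with an effective timestamp and the
HRS-02 risk designation; the identity provider exports account state; the
"defined time period" is a per-risk-level deadline in hours; and each role
maps to an expected set of groups.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Hypothetical organization-defined deadlines (hours) for disabling access
# after termination; "high" models the expedited path in HRS-09.
REVOCATION_DEADLINE_HOURS = {"standard": 24, "high": 1}

# Hypothetical role -> expected-groups profile used to test transfers (HRS-08).
ROLE_GROUPS = {
    "support-engineer": {"staff", "helpdesk-agents"},
    "finance-analyst": {"staff", "erp-users"},
}


def utc(s: str) -> datetime:
    """Parse an ISO-8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass
class HrEvent:
    user: str
    kind: str                    # "termination" or "transfer"
    effective: datetime          # when HR says the change took effect
    risk: str = "standard"       # HRS-02 risk designation
    new_role: Optional[str] = None


@dataclass
class IdpAccount:
    user: str
    enabled: bool
    disabled_at: Optional[datetime] = None
    groups: set = field(default_factory=set)


def check_termination(ev: HrEvent, acct: Optional[IdpAccount], now: datetime) -> Optional[str]:
    """Return a finding if access outlived the deadline for the user's risk level."""
    if acct is None:
        return None  # account already deleted: nothing left to revoke
    deadline = ev.effective + timedelta(hours=REVOCATION_DEADLINE_HOURS[ev.risk])
    if acct.enabled:
        if now > deadline:
            return f"{ev.user}: account still enabled past {deadline.isoformat()} ({ev.risk} risk)"
        return None  # still inside the allowed window
    if acct.disabled_at is None or acct.disabled_at > deadline:
        return f"{ev.user}: access disabled late at {acct.disabled_at} (deadline {deadline.isoformat()})"
    return None


def check_transfer(ev: HrEvent, acct: Optional[IdpAccount]) -> Optional[str]:
    """Return a finding if group membership does not match the new role's profile."""
    if acct is None or not acct.enabled:
        return f"{ev.user}: transferred but account is missing or disabled"
    expected = ROLE_GROUPS.get(ev.new_role)
    if expected is None:
        return f"{ev.user}: no entitlement profile for role {ev.new_role!r}"
    stale, missing = acct.groups - expected, expected - acct.groups
    if stale or missing:
        return f"{ev.user}: stale groups {sorted(stale)}, missing groups {sorted(missing)}"
    return None


def evaluate(events: List[HrEvent], accounts: List[IdpAccount], now: datetime) -> List[str]:
    """Join HR events to IdP accounts by user and collect control findings."""
    by_user = {a.user: a for a in accounts}
    findings = []
    for ev in events:
        if ev.kind == "termination":
            f = check_termination(ev, by_user.get(ev.user), now)
        elif ev.kind == "transfer":
            f = check_transfer(ev, by_user.get(ev.user))
        else:
            f = f"{ev.user}: unknown event kind {ev.kind!r}"
        if f:
            findings.append(f)
    return findings


# Constructed sample exports (not real data).
SAMPLE_NOW = utc("2024-03-05T12:00:00")
SAMPLE_EVENTS = [
    HrEvent("alice", "termination", utc("2024-03-01T09:00:00")),                              # disabled 6 h later: compliant
    HrEvent("bob", "termination", utc("2024-03-04T10:00:00"), risk="high"),                   # disabled 4 h later: late for high risk
    HrEvent("carol", "termination", utc("2024-03-03T18:00:00")),                              # still enabled 42 h later: finding
    HrEvent("dave", "transfer", utc("2024-03-02T00:00:00"), new_role="finance-analyst"),      # kept a group from the old role
    HrEvent("erin", "transfer", utc("2024-03-02T00:00:00"), new_role="support-engineer"),     # groups match the new role
]
SAMPLE_ACCOUNTS = [
    IdpAccount("alice", False, utc("2024-03-01T15:00:00")),
    IdpAccount("bob", False, utc("2024-03-04T14:00:00")),
    IdpAccount("carol", True),
    IdpAccount("dave", True, groups={"staff", "erp-users", "helpdesk-agents"}),
    IdpAccount("erin", True, groups={"staff", "helpdesk-agents"}),
]


def run_sample() -> List[str]:
    return evaluate(SAMPLE_EVENTS, SAMPLE_ACCOUNTS, SAMPLE_NOW)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Run against the constructed exports, the script flags bob (high-risk removal not expedited), carol (still enabled past the 24-hour window) and dave (a group from the previous role was never removed); alice and erin produce no findings. A real run would replace the inline sample lists with the HR and identity-provider exports and keep the deadline and role-profile tables in version control so the auditor can tie them back to the TOD.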
HRS-10 Third-Party Personnel Security

Control Statement: Bramble Group Corp. has implemented mechanisms to govern third-party personnel by reviewing and monitoring third-party cybersecurity and privacy roles and responsibilities.

Goal: Does the organization govern third-party personnel by reviewing and monitoring third-party cybersecurity and privacy roles and responsibilities?

TOD:
1. Identify policies and procedures responsible for personnel security controls for third-party providers.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.

TOE:
1. Examine formal policies, procedures or other relevant documentation to appropriately identify how personnel security controls are defined for third-party providers.
2. Interview key organizational personnel within Bramble, conducting discussions for evidence that mechanisms exist to conduct personnel security controls for third-party providers, and document in accordance with the TOD.
HRS-11 Separation of Duties

Control Statement: Bramble Group Corp. has implemented mechanisms to maintain Separation of Duties (SoD) to prevent potential malevolent activity without collusion.

Goal: Does the organization implement and maintain Separation of Duties (SoD) to prevent potential malevolent activity without collusion?

TOD:
1. Identify policies and procedures responsible for implementing SoD to prevent potential malevolent activity without collusion.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.

TOE:
1. Examine formal policies, procedures or other relevant documentation to appropriately identify the levels of access that prevent potential malicious activity.
2. Pull a population of all system user accounts for evidence that proper access levels are assigned to provide separation of duties, according to the documentation identified in the TOD.
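The HRS-11 TOE step above pulls the population of system user accounts and checks that the assigned access levels actually provide separation of duties. The following Python script is an added example, not Bramble's own code; it assumes a hypothetical list of conflicting permission pairs, hypothetical role definitions and constructed user-to-role assignments. It flags two things an auditor wants to see separately: roles that bundle both halves of a conflicting pair by design, and users whose combined roles grant both halves even though no single role does.

```python
"""Separation-of-duties (SoD) check for HRS-11 (added example).

Assumptions, none of which come from the page: permissions are strings,
roles bundle permissions, users hold one or more roles, and the organization
maintains a list of permission pairs that one person must not hold together.
"""
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]

# Constructed conflicting-permission pairs (hypothetical; a real matrix
# comes from the organization's own SoD policy).
CONFLICTS: List[Pair] = [
    ("change.submit", "change.approve"),     # author approving their own change
    ("change.approve", "deploy.prod"),       # approver also pushing to production
    ("vendor.create", "payment.approve"),    # creating a payee and paying it
]

# Constructed role definitions (hypothetical).
ROLES: Dict[str, Set[str]] = {
    "developer": {"change.submit"},
    "change-approver": {"change.approve"},
    "release-manager": {"change.approve", "deploy.prod"},   # conflicts by design
    "ap-clerk": {"vendor.create"},
    "controller": {"payment.approve"},
}

# Constructed user-to-role assignments: the "population of all system user accounts".
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"developer", "release-manager"},
    "bob": {"developer"},
    "carol": {"ap-clerk", "controller"},
    "dan": {"release-manager"},
    "erin": {"developer", "change-approver"},
}


def effective_permissions(user_roles: Set[str], roles: Dict[str, Set[str]]) -> Set[str]:
    """Union of the permissions granted by every role the user holds."""
    perms: Set[str] = set()
    for r in user_roles:
        perms |= roles.get(r, set())
    return perms


def conflicts_in(perms: Set[str], conflicts: List[Pair]) -> List[Pair]:
    """Conflicting pairs for which both permissions are present."""
    return sorted((a, b) for a, b in conflicts if a in perms and b in perms)


def role_design_violations(roles: Dict[str, Set[str]], conflicts: List[Pair]) -> List[Tuple[str, Pair]]:
    """Roles that bundle both halves of a conflicting pair violate SoD by design."""
    return [(role, pair)
            for role, perms in sorted(roles.items())
            for pair in conflicts_in(perms, conflicts)]


def user_violations(assignments: Dict[str, Set[str]], roles: Dict[str, Set[str]],
                    conflicts: List[Pair]) -> List[Tuple[str, Pair]]:
    """Users whose combined roles grant both halves of a conflicting pair."""
    out = []
    for user, user_roles in sorted(assignments.items()):
        for pair in conflicts_in(effective_permissions(user_roles, roles), conflicts):
            out.append((user, pair))
    return out


def run_sample() -> Tuple[List[Tuple[str, Pair]], List[Tuple[str, Pair]]]:
    return (role_design_violations(ROLES, CONFLICTS),
            user_violations(ASSIGNMENTS, ROLES, CONFLICTS))


if __name__ == "__main__":
    role_findings, user_findings = run_sample()
    for role, pair in role_findings:
        print(f"role {role} bundles conflicting permissions {pair}")
    for user, pair in user_findings:
        print(f"user {user} holds conflicting permissions {pair}")
```

On the constructed data the release-manager role is reported as a design violation, and alice (two findings), carol, dan and erin are reported as users holding conflicting permissions; bob, who only submits changes, is clean. Checking at the permission level rather than the role level is what catches erin, whose two individually harmless roles combine into a self-approval path.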
HRS-13 Identify Critical Skills & Gaps

Control Statement: Bramble Group Corp. has implemented mechanisms to evaluate the critical cybersecurity and privacy skills needed to support the organization’s mission and to identify gaps that exist.

Goal: Does the organization evaluate the critical cybersecurity and privacy skills needed to support the organization’s mission and identify gaps that exist?

TOD: Reference SAT-01 - Security & Privacy-Minded Workforce

TOE: Reference SAT-01 - Security & Privacy-Minded Workforce
  • Test of Design (TOD): verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
  • Test of Operating Effectiveness (TOE): used to verify that the control is in place and operates as it was designed.

Policy Reference