Red Hat Virtualization Host - Personnel Security

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control | Name | Status
--- | --- | ---
PS-1 | Personnel Security Policy And Procedures | not applicable
PS-2 | Position Risk Designation | not applicable
PS-3 | Personnel Screening | not applicable
PS-3 (1) | Classified Information |
PS-3 (2) | Formal Indoctrination |
PS-3 (3) | Information With Special Protection Measures |
PS-4 | Personnel Termination | not applicable
PS-4 (1) | Post-Employment Requirements |
PS-4 (2) | Automated Notification |
PS-5 | Personnel Transfer | not applicable
PS-6 | Access Agreements | not applicable
PS-6 (1) | Information Requiring Special Protection |
PS-6 (2) | Classified Information Requiring Special Protection |
PS-6 (3) | Post-Employment Requirements |
PS-7 | Third-Party Personnel Security | not applicable
PS-8 | Personnel Sanctions | not applicable




PS-1: Personnel Security Policy And Procedures

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
   1. Personnel security policy [Assignment: organization-defined frequency]; and
   2. Personnel security procedures [Assignment: organization-defined frequency].

PS-1 Control Response Information
Implementation Status:

not applicable

PS-1: What is the solution and how is it implemented?
PS-1(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-1(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PS-2: Position Risk Designation

The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations [Assignment: organization-defined frequency].

PS-2 Control Response Information
Implementation Status:

not applicable

PS-2: What is the solution and how is it implemented?
PS-2(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-2(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-2(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PS-3: Personnel Screening

The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

PS-3 Control Response Information
Implementation Status:

not applicable

PS-3: What is the solution and how is it implemented?
PS-3(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-3(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PS-3 (1): Classified Information

“The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.”

PS-3 (1) Control Response Information
Implementation Status:
PS-3 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PS-3 (2): Formal Indoctrination

“The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.”

PS-3 (2) Control Response Information
Implementation Status:
PS-3 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PS-3 (3): Information With Special Protection Measures

The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
(3)(a). Have valid access authorizations that are demonstrated by assigned official government duties; and
(3)(b). Satisfy [Assignment: organization-defined additional personnel screening criteria].

PS-3 (3) Control Response Information
Implementation Status:
PS-3 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PS-4: Personnel Termination

The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

PS-4 Control Response Information
Implementation Status:

not applicable

PS-4: What is the solution and how is it implemented?
PS-4(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-4(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-4(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-4(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-4(e):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-4(f):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PS-4 (1): Post-Employment Requirements

The organization:
(1)(a). Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
(1)(b). Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.

PS-4 (1) Control Response Information
Implementation Status:
PS-4 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PS-4 (2): Automated Notification

“The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual.”

PS-4 (2) Control Response Information
Implementation Status:
PS-4 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PS-5: Personnel Transfer

The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

PS-5 Control Response Information
Implementation Status:

not applicable

PS-5: What is the solution and how is it implemented?
PS-5(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-5(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-5(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-5(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PS-6: Access Agreements

The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
   1. Sign appropriate access agreements prior to being granted access; and
   2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].

PS-6 Control Response Information
Implementation Status:

not applicable

PS-6: What is the solution and how is it implemented?
PS-6(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-6(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-6(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PS-6 (1): Information Requiring Special Protection

“[Withdrawn: Incorporated into PS-3].”

PS-6 (1) Control Response Information
Implementation Status:
PS-6 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PS-6 (2): Classified Information Requiring Special Protection

The organization ensures that access to classified information requiring special protection is granted only to individuals who:
(2)(a). Have a valid access authorization that is demonstrated by assigned official government duties;
(2)(b). Satisfy associated personnel security criteria; and
(2)(c). Have read, understood, and signed a nondisclosure agreement.

PS-6 (2) Control Response Information
Implementation Status:
PS-6 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PS-6 (3): Post-Employment Requirements

The organization:
(3)(a). Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
(3)(b). Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.

PS-6 (3) Control Response Information
Implementation Status:
PS-6 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PS-7: Third-Party Personnel Security

The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
e. Monitors provider compliance.

PS-7 Control Response Information
Implementation Status:

not applicable

PS-7: What is the solution and how is it implemented?
PS-7(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-7(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-7(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-7(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-7(e):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PS-8: Personnel Sanctions

The organization:
a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

PS-8 Control Response Information
Implementation Status:

not applicable

PS-8: What is the solution and how is it implemented?
PS-8(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PS-8(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’