Information Technology Reference
In-Depth Information
Category/Subcategory/Element | Control Reference | Control Summary | Interpretation

PL-4 | Rules of behavior | The organization establishes and makes readily available to all information system users a set of rules that describes their responsibilities and expected behavior with regard to information and information system usage. The organization receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system and its resident information.

PL-5 | Privacy impact assessment | The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.

PL-6 | Security-related activity planning | The organization plans and coordinates security-related activities affecting the information system before conducting such activities to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.

PS | Personnel Security

PS-1 | Personnel security policy and procedures | The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
 