Requirement:
The personnel cybersecurity requirements prior to employment must include at least the following:
Sub-Controls:
1-9-3-1:
Requirement:
Inclusion of personnel cybersecurity responsibilities and non-disclosure clauses (covering the cybersecurity requirements during employment and after termination/separation) in employment contracts.
Control Implementation Guidelines:
- Define and document the requirements of this ECC in the cybersecurity requirements document and approve them by the representative
- Work with relevant departments to include cybersecurity responsibilities and non-disclosure clauses in the contracts of employees in the organization (to cover the periods during and after the end/termination of the job relationship with the organization)
- Include such requirements in the organization's HR procedures to ensure compliance with cybersecurity requirements for all internal and external stakeholders
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- Organization personnel contract forms (signed copy)
- Cybersecurity Function Personnel Contract Forms (signed copy)
1-9-3-2:
Requirement:
Screening or vetting candidates of cybersecurity and critical/privileged positions
Control Implementation Guidelines:
- Define and document the requirements of this ECC in the cybersecurity requirements document and approve them by the representative
- Work with relevant departments to ensure Screening or Vetting of all employees in cybersecurity functions
- Work with relevant departments to ensure the Screening or Vetting of all employees working in technical functions with privileged access, including database management personnel, firewall management personnel, and systems management personnel
- Include such requirements in the organization's HR procedures to ensure compliance with cybersecurity requirements for all internal and external stakeholders
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- Evidence that the Screening or Vetting of employees working in cybersecurity functions and technical functions with privileged access was performed, including but not limited to
- An official document from the relevant authorities indicating the performance of Screening or Vetting
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
CMMC Level 1 Compliance
Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
NIST SP 800-171 & CMMC Level 2 Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
HIPAA Compliance
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.