HRS-04.3: Citizenship Requirements
Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship.
Control Question: Does the organization verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship?
General (2)
| Framework | Mapping Values |
|---|---|
| NIST 800-53 R5 (source) | PS-3(4) |
| NIST 800-53 R5 (NOC) (source) | PS-3(4) |
EMEA (1)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia CSCC-1 2019 | 1-5-1-2 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0409 ISM-0411 ISM-0420 ISM-0446 ISM-0447 ISM-1773 |
| APAC New Zealand NZISM 3.6 | 9.2.10.C.01 9.2.10.C.02 9.2.11.C.01 9.2.11.C.02 9.2.15.C.01 9.2.15.C.02 9.2.16.C.01 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/ or contractual requirements for citizenship.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/ or contractual requirements for citizenship.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/ or contractual requirements for citizenship.
Level 3 — Well Defined
Human Resources Security (HRS) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensures industry-recognized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization. o Ensures that every user accessing a system that processes, stores, or transmits sensitive/regulated data is cleared and regularly trained in proper data handling practices. o Identifies and implements industry-recognized HR practices related to cybersecurity and data privacy training and awareness to help ensure secure practices are implemented in personnel operations to help manage risk to both technology assets and data. o Manages personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.
- The Human Resources (HR) department:
- Administrative processes require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, for both employees and third-parties.
- HR ensures citizenship requirements are addressed per applicable statutory, regulatory and contractual requirements.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/ or contractual requirements for citizenship.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/ or contractual requirements for citizenship.
Assessment Objectives
- HRS-04.3_A01 information types that are processed, stored or transmitted by a system, application or service that requires individuals accessing the system to meet citizenship requirements are defined.
- HRS-04.3_A02 citizenship requirements to be met by individuals to access a system, application or service processing, storing or transmitting information are defined.
- HRS-04.3_A03 individuals accessing a system, application or service processing, storing or transmitting information types meet citizenship requirements.