Skip to main content

HRS-05.1: Rules of Behavior

HRS 10 — Critical Identify

Mechanisms exist to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.

Control Question: Does the organization define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior?

General (51)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC1.1
CIS CSC 8.1 9.4
CIS CSC 8.1 IG2 9.4
CIS CSC 8.1 IG3 9.4
COSO 2017 Principle 1
CSA CCM 4 HRS-02
CSA IoT SCF 2 SAP-05
GovRAMP Low PL-04
GovRAMP Low+ PL-04
GovRAMP Moderate PL-04
GovRAMP High PL-04
ISO 27001 2022 (source) 7.3 7.3(a) 7.3(b) 7.3(c)
ISO 27002 2022 5.4 5.10 5.14 6.2
ISO 27017 2015 7.2 7.2.1 8.1.3 13.2.1
ISO 42001 2023 7.3
MPA Content Security Program 5.1 OR-1.1
NIST AI 100-1 (AI RMF) 1.0 GOVERN 2.0 GOVERN 4.1
NIST AI 600-1 GV-6.1-010
NIST 800-53 R4 PL-4
NIST 800-53 R4 (low) PL-4
NIST 800-53 R4 (moderate) PL-4
NIST 800-53 R4 (high) PL-4
NIST 800-53 R5 (source) PL-4
NIST 800-53B R5 (privacy) (source) PL-4
NIST 800-53B R5 (low) (source) PL-4
NIST 800-53B R5 (moderate) (source) PL-4
NIST 800-53B R5 (high) (source) PL-4
NIST 800-82 R3 LOW OT Overlay PL-4
NIST 800-82 R3 MODERATE OT Overlay PL-4
NIST 800-82 R3 HIGH OT Overlay PL-4
NIST 800-161 R1 PL-4
NIST 800-161 R1 C-SCRM Baseline PL-4
NIST 800-161 R1 Level 2 PL-4
NIST 800-161 R1 Level 3 PL-4
NIST 800-171 R2 (source) 3.1.22 NFO-PL-4
NIST 800-171 R3 (source) 03.01.12.a 03.01.18.a 03.01.22.a 03.15.03.a 03.15.03.d
NIST 800-171A R3 (source) A.03.15.03.ODP[01] A.03.15.03.a A.03.15.03.d[01] A.03.15.03.d[02]
NIST CSF 2.0 (source) ID.AM
PCI DSS 4.0.1 (source) 12.1.3 12.2 12.2.1
PCI DSS 4.0.1 SAQ A-EP (source) 12.1.3
PCI DSS 4.0.1 SAQ B (source) 12.1.3
PCI DSS 4.0.1 SAQ B-IP (source) 12.1.3
PCI DSS 4.0.1 SAQ C (source) 12.1.3 12.2.1
PCI DSS 4.0.1 SAQ D Merchant (source) 12.1.3 12.2.1
PCI DSS 4.0.1 SAQ D Service Provider (source) 12.1.3 12.2.1
PCI DSS 4.0.1 SAQ P2PE (source) 12.1.3
TISAX ISA 6 8.2.5 8.2.7
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) HRS-05.1
SCF CORE ESP Level 1 Foundational HRS-05.1
SCF CORE ESP Level 2 Critical Infrastructure HRS-05.1
SCF CORE ESP Level 3 Advanced Threats HRS-05.1
US (34)
Framework Mapping Values
US C2M2 2.1 WORKFORCE-1.E.MIL2
US CERT RMM 1.2 AM:SG1.SP1 HRM:SG2.SP2
US CMMC 2.0 Level 1 (source) AC.L1-B.1.IV
US CMMC 2.0 Level 2 (source) AC.L2-3.1.22
US CMMC 2.0 Level 3 (source) AC.L2-3.1.22
US CMS MARS-E 2.0 PL-4
US DoD Zero Trust Execution Roadmap 4.4.2
US DHS ZTCF HRS-05.1
US FAR 52.204-21 52.204-21(b)(1)(iv)
US FCA CRM 609.930(c)(4)
US FDA 21 CFR Part 11 11.10 11.10(d) 11.10(j)
US FedRAMP R4 PL-4 PL-4(1)
US FedRAMP R4 (low) PL-4
US FedRAMP R4 (moderate) PL-4 PL-4(1)
US FedRAMP R4 (high) PL-4 PL-4(1)
US FedRAMP R4 (LI-SaaS) PL-4
US FedRAMP R5 (source) PL-4 PL-4(1)
US FedRAMP R5 (low) (source) PL-4
US FedRAMP R5 (moderate) (source) PL-4 PL-4(1)
US FedRAMP R5 (high) (source) PL-4 PL-4(1)
US FedRAMP R5 (LI-SaaS) (source) PL-4
US HIPAA Administrative Simplification 2013 (source) 164.310(b)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.310(b)
US HIPAA HICP Small Practice 10.S.A
US IRS 1075 PL-4
US NISPOM 2020 8-103
US NNPI (unclass) 2.4
US SSA EIESR 8.0 5.10
US - CA CCPA 2025 7122(c)
US - MA 201 CMR 17.00 17.03(2)(b)(2)
US - TX DIR Control Standards 2.0 PL-4
US - TX TX-RAMP Level 1 PL-4
US - TX TX-RAMP Level 2 PL-4
US - VT Act 171 of 2018 2447(b)(2)(B)
EMEA (9)
Framework Mapping Values
EMEA EU NIS2 Annex 12.2.2(b)
EMEA Germany C5 2020 HR-03
EMEA Israel CDMO 1.0 5.1 15.6 19.3 19.6
EMEA Saudi Arabia CSCC-1 2019 2-5
EMEA Saudi Arabia ECC-1 2018 1-9-3-1 1-9-4-2 2-1-3 2-1-4 2-15-3-4
EMEA Saudi Arabia SACS-002 TPC-1 TPC-8 TPC-9
EMEA Spain BOE-A-2022-7191 11.2 11.3
EMEA Spain 311/2022 11.2 11.3
EMEA UK DEFSTAN 05-138 2604
APAC (6)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0820 ISM-0821
APAC Japan APPI 21
APAC Japan ISMAP 4.5.2 4.5.2.8 7.2.1 8.1.3 13.2.1
APAC New Zealand HISF 2022 HSUP01
APAC New Zealand HISF Suppliers 2023 HSUP01
APAC New Zealand NZISM 3.6 3.5.4.C.01 3.5.4.C.02 3.5.4.C.03 5.5.7.C.01 8.1.12.C.01 9.1.8.C.01 9.3.7.C.01 9.3.7.C.02 9.3.7.C.03 9.3.7.C.04 9.3.8.C.01 9.3.8.C.02 9.3.8.C.03 14.3.5.C.01 15.1.7.C.01 21.1.22.C.01 21.1.22.C.02
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.01.12.a 03.01.18.a 03.01.22.a 03.15.03.a 03.15.03.d

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.

Level 1 — Performed Informally

Human Resources Security (HRS) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Personnel management is decentralized, with the responsibility for training users and enforcing policies being assigned to the user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.
  • The Human Resources (HR) department provides guidance on HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.
  • Terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior are at the discretion of users’ management.
  • Administrative processes require all employees and contractors to apply cybersecurity and data privacy principles in their daily work.
Level 2 — Planned & Tracked

Human Resources Security (HRS) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensures industry-recognized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization. o Defines terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.

  • Personnel management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for personnel management.
  • The Human Resources (HR) department:
  • The responsibility for training users and enforcing policies being assigned to user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.
  • Personnel managers ensure personnel are routinely made aware of the organization's cybersecurity / data privacy policies and provide acknowledgement.
  • Administrative processes require all employees and contractors to apply cybersecurity and data privacy principles in their daily work.
Level 3 — Well Defined

Human Resources Security (HRS) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensures industry-recognized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization. o Ensures that every user accessing a system that processes, stores, or transmits sensitive/regulated data is cleared and regularly trained in proper data handling practices. o Identifies and implements industry-recognized HR practices related to cybersecurity and data privacy training and awareness to help ensure secure practices are implemented in personnel operations to help manage risk to both technology assets and data. o Manages personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.

  • The Human Resources (HR) department:
  • Administrative processes require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, for both employees and third-parties.
  • Rules of behavior reflect the organization's corporate culture and risk threshold.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.

Assessment Objectives

  1. HRS-05.1_A01 rules that describe responsibilities and expected behavior for system usage and protecting sensitive / regulated data are established.
  2. HRS-05.1_A02 before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand and agree to abide by the rules of behavior is received.
  3. HRS-05.1_A03 the frequency at which the rules of behavior are reviewed and updated is defined.
  4. HRS-05.1_A04 the rules of behavior are reviewed / updated per an organization-defined frequency.
  5. HRS-05.1_A05 the frequency for individuals to read and re-acknowledge the rules of behavior is defined.
  6. HRS-05.1_A06 individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge the organization's current rules of behavior.
  7. HRS-05.1_A07 rules that describe responsibilities and expected behavior for system usage and protecting CUI are established.
  8. HRS-05.1_A08 the rules of behavior are reviewed <A.03.15.03.ODP[01]: frequency>.
  9. HRS-05.1_A09 the rules of behavior are updated <A.03.15.03.ODP[01]: frequency>.

Evidence Requirements

E-HRS-22 Rules of Behavior

Documented evidence of personnel management practices to define "acceptable use" or "rules of behavior" criteria that specify acceptable and unacceptable user behaviors.

Human Resources

Technology Recommendations

Micro/Small

  • Formal onboarding training
  • Acceptable Use / Rules of Behavior (RoB)

Small

  • Formal onboarding training
  • Acceptable Use / Rules of Behavior (RoB)

Medium

  • Formal onboarding training
  • Acceptable Use / Rules of Behavior (RoB)

Large

  • Formal onboarding training
  • Acceptable Use / Rules of Behavior (RoB)

Enterprise

  • Formal onboarding training
  • Acceptable Use / Rules of Behavior (RoB)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free