PS-9—Position Descriptions
LI-SaaS
Low
Moderate
High
>Control Description
Incorporate security and privacy roles and responsibilities into organizational position descriptions.
>FedRAMP Baseline Requirements
No FedRAMP-specific parameter values or requirements for this baseline.
>Discussion
Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern the protection of organizational information accessed by personnel during and after employment?
- How does the organization define and communicate information protection requirements during termination?
- Who is responsible for ensuring personnel understand post-employment information protection obligations?
- What process exists for obtaining commitments from departing personnel regarding continued protection of information?
- What governance exists for enforcing post-employment information protection requirements?
Technical Implementation:
- What systems track post-employment information protection obligations?
- How are departing personnel commitments captured and stored?
- What technical controls enforce information protection during off-boarding?
Evidence & Documentation:
- Provide information protection policies applicable during and after employment.
- Provide non-disclosure agreements or similar commitments from personnel.
- Provide exit interview records addressing information protection obligations.
- Provide evidence of departing personnel acknowledgment of ongoing obligations.
- Provide documentation of post-employment information protection enforcement.