| Control | Control Description | | |
|---|---|---|---|
| Human Resources Security Management | Mechanisms exist to facilitate the implementation of personnel security controls. | |
| Position Categorization | Mechanisms exist to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions. | |
| Probationary Periods | Mechanisms exist to identify newly onboarded personnel for enhanced monitoring during their probationary period. | |
| Defined Roles & Responsibilities | Mechanisms exist to define cybersecurity roles & responsibilities for all personnel. | |
| User Awareness | Mechanisms exist to communicate with users about their roles and responsibilities to maintain a safe and secure working environment. | |
| Competency Requirements for Security-Related Positions | Mechanisms exist to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set. | |
| Personnel Screening | Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access. | |
| Roles With Special Protection Measures | Mechanisms exist to ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria. | |
| Formal Indoctrination | Mechanisms exist to formally educate authorized users on proper data handling practices for all the relevant types of data to which they have access. | |
| Terms of Employment | Mechanisms exist to require all employees and contractors to apply cybersecurity & data privacy principles in their daily work. | |
| Rules of Behavior | Mechanisms exist to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior. | |
| Social Media & Social Networking Restrictions | Mechanisms exist to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information. | |
| Technology Use Restrictions | Mechanisms exist to establish usage restrictions and implementation guidance for organizational technologies based on the potential to cause damage to systems, if used maliciously. | |
| Use of Critical Technologies | Mechanisms exist to govern usage policies for critical technologies. | |
| Use of Mobile Devices | Mechanisms exist to manage business risks associated with permitting mobile device access to organizational resources. | |
| Policy Familiarization & Acknowledgement | Mechanisms exist to ensure personnel receive recurring familiarization with the organization's cybersecurity & data privacy policies and provide acknowledgement. | |
| Access Agreements | Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access. | |
| Confidentiality Agreements | Mechanisms exist to require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the need to protect data and operational details, for both employees and third parties. | |
| Personnel Sanctions | Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures. | |
| Workplace Investigations | Mechanisms exist to conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated. | |
| Personnel Transfer | Mechanisms exist to adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner. | |
| Personnel Termination | Mechanisms exist to govern the termination of individual employment. | |
| Asset Collection | Mechanisms exist to retrieve organization-owned assets upon termination of an individual's employment. | |
| High-Risk Terminations | Mechanisms exist to expedite the process of removing "high risk" individuals' access to systems and applications upon termination, as determined by management. | |
| Post-Employment Requirements Notification | Mechanisms exist to govern former employee behavior by formally notifying terminated individuals of their applicable, legally binding post-employment requirements for the protection of sensitive/regulated data. | |
| Third-Party Personnel Security | Mechanisms exist to govern third-party personnel by reviewing and monitoring third-party cybersecurity & data privacy roles and responsibilities. | |
| Separation of Duties (SoD) | Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion. | |
| Incompatible Roles | Mechanisms exist to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment. | |
| Identify Critical Skills & Gaps | Mechanisms exist to evaluate the critical cybersecurity & data privacy skills needed to support the organization's mission and identify gaps that exist. | |
| Perform Succession Planning | Mechanisms exist to perform succession planning for vital cybersecurity & data privacy roles. | |