Organizations should develop, document, and implement policies and procedures for the selection, orientation, and supervision of employees and contractors who have access to IT resources. The objective is to ensure that a high level of integrity and satisfactory staff conduct is achieved and maintained, and to promote an awareness of security matters. The following are to be included:

• Reference checks and background investigations where appropriate.

• Security awareness training, at hire and annually.

• IT Security support staff technical training.

• Sanctions for security violations.

• Processes for employees or contractors when separating from service.

• Appropriate language in all vendor contracts regarding security requirements.

• Physical Security Standards

Organizations should be responsible for assuring that adequate physical security protections are implemented to maintain the availability, confidentiality and integrity of the agency’s computer systems.  Investments in physical security shall be commensurate with the risks, threats, and vulnerabilities unique to each individual site and location.

Each site should develop, document, and implement policies and procedures for the following:

• Location and layout of the facility.

• Physical security attributes for computer or telecommunications rooms (if applicable).

• Facility access control.

• Physical data storage and telecommunications controls.

• Off-site media storage.

Physical security controls for mobile/remote computing.

Laptops and Personal Digital Assistants (PDAs).

• Portable data storage devices (e.g., tape drives, zip drives, removable hard drives, USB data storage devices).

www.bestitdocuments.com