Approved Date – 09/30/2011
Published Date – 09/30/2011
Revised Date – 05/25/2021
1. Purpose
This policy ensures the establishment and implementation of physical access security controls to protect District information systems and facilities from unauthorized physical access, tampering, theft, and physical damage per the OCTO Access Control Policy.
2. Authority
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
3. Applicability
This policy applies to all District Workforce members performing official functions on behalf of the District, or any District agency entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) that receives enterprise services from OCTO. In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.
4. Policy
The following subsections outline the Personnel Security standards that constitute the District’s policy. All District agencies under the authority of the Mayor of the District are bound to this policy and must develop or adhere to a program plan which demonstrates compliance with the policy.
4.1. Position Risk Designation
District agencies must:
4.1.1 Assign a risk designation to all District positions.
4.1.2 Establish screening criteria for individuals filling those positions.
4.1.3 Review and update the assigned risk designation if needed.
4.2. Personnel Screening
District agencies must:
4.2.1 Screen individuals before authorizing access to the agency's information system.
4.2.2 Rescreen District Workforce members with access to the District’s information system annually or according to agencies' defined conditions and frequency.
4.3. Personnel Separation
District agencies must, upon an individual’s separation from the District workforce:
4.3.1 Disable the user’s information system access on the employee’s last workday.
4.3.2 Disable any authenticators/credentials associated with the individual.
4.3.3 Conduct exit interviews that include a discussion of all items contained in the agency’s separation checklist.
4.3.4 Retrieve all the agency’s property.
4.3.5 Ensure that appropriate personnel retain access to data stored on a departing employee’s information system.
4.3.6 Notify the agency’s Service Desk within twenty-four (24) hours of separation notification.
4.4. Personnel Transfer
District agencies must:
4.4.1 Ensure that logical and physical access authorizations to information systems and facilities are reviewed when personnel are reassigned or transferred to other positions within the agency.
4.4.2 Initiate transfer or reassignment actions within twenty-four (24) hours of transfer determination.
4.4.3 Change system access authorizations for transferred personnel.
4.4.4 Notify the agency’s Human Resources within twenty-four (24) hours of transfer notification.
4.5. Access Agreements
District agencies must:
4.5.1 Develop and document access agreements for organizational information systems.
4.5.2 Review and update the access agreements annually.
4.5.3 Ensure that individuals requiring access to agency information and information systems:
4.5.3.1 Sign appropriate access agreements before being granted access.
4.5.3.2 Re-sign access agreements to maintain access to agency information and information systems when access agreements have been updated or at least annually.
4.6. Third-Party Personnel Security
District agencies must:
4.6.1 Establish personnel security requirements including security roles and responsibilities for third-party providers.
4.6.2 Document personnel security requirements and monitor provider compliance.
4.6.3 Define which third-party personnel transfers and separations are reportable, based on security-related characteristics such as the functions, roles, and nature of credentials/privileges associated with the individuals transferred.
4.6.4 Monitor third-party provider compliance.
4.7. Personnel Sanctions
District agencies must:
4.7.1 Employ a formal sanctions process for individuals failing to comply with established information security policies and procedures.
4.7.2 Notify the agency Human Resources Department within twenty-four (24) hours when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
5. Exemption
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
6. Definitions
The definition of the terms used in this document can be found in the Policy Definitions website.