PS-4 - Personnel Termination
Control requirements
PS-4 (a)
Upon termination of individual employment: Disable system access within [IBM Assignment: same day].
PS-4 (b)
Upon termination of individual employment: Terminate or revoke any authenticators and credentials associated with the individual.
PS-4 (c)
Upon termination of individual employment: Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics].
PS-4 (d)
Upon termination of individual employment: Retrieve all security-related organizational system-related property.
PS-4 (e)
Upon termination of individual employment: Retain access to organizational information and systems formerly controlled by terminated individual.
Additional IBM Cloud for Financial Services specifications
The organization, upon termination of individual employment, must notify organization-defined personnel or roles the same day.
NIST supplemental guidance
System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.