Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023
1. Purpose
Ensure the establishment and implementation of physical access security controls to protect District information systems and facilities from unauthorized physical access, tampering, theft, and physical damage per the OCTO Access Control Policy.
2. Authority
DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
3. Applicability
This policy applies to all District Workforce members performing official functions on behalf of the District Government, or any District agency entity (e.g., subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) that receives enterprise services from OCTO. In addition, this policy applies to any provider and third-party entity with access to District information, information systems, and networks.
4. Policy
All District agencies and departments must develop or adhere to a strategy that demonstrates compliance with this policy and its related standards.
District Government agencies must develop a procedure in support of this policy that meets the following requirements, and must review or update that procedure at least every 3 years and after any change to the policy.
4.1. Position Risk Designation
District agencies must:
4.1.1. Assign a risk designation to all District positions.
4.1.2. Incorporate security roles and responsibilities into organizational position descriptions.
4.1.3. Establish screening criteria for individuals filling those positions.
4.1.4. Review and update the assigned risk designation if needed.
4.2. Personnel Screening
District agencies must:
4.2.1. Screen individuals before authorizing access to the agency's information system.
4.2.2. Rescreen District Workforce members with access to the District’s information system annually or according to agencies’ defined conditions and frequency.
4.3. Personnel Separation
District agencies must, upon an individual’s separation from the District workforce:
4.3.1. Disable the user’s information system access on the employee’s last workday.
4.3.2. Disable any authenticators/credentials associated with the individual.
4.3.3. Conduct exit interviews that include a discussion of all items contained in the agency’s separation checklist.
4.3.4. Retrieve all the agency’s property.
4.3.5. Ensure that appropriate personnel retain access to data stored on a departing employee’s information system.
4.3.6. Notify the agency’s Service Desk within twenty-four (24) hours of separation notification.
4.4. Personnel Transfer
District agencies must:
4.4.1. Ensure that logical and physical access authorizations to information systems and facilities are reviewed when personnel are reassigned or transferred to other positions within the agency.
4.4.2. Initiate transfer or reassignment actions within twenty-four (24) hours of transfer determination.
4.4.3. Change system access authorizations for transferred personnel.
4.4.4. Notify the agency’s Human Resources within twenty-four (24) hours of transfer notification.
4.5. Access Agreements
District agencies must:
4.5.1. Develop and document access agreements for organizational information systems.
4.5.2. Review and update the access agreements annually.
4.5.3. Ensure that individuals requiring access to agency information and information systems:
- Sign appropriate access agreements before being granted access.
- Re-sign access agreements to maintain access to agency information and information systems when access agreements have been updated or at least annually.
4.6. Third-Party Personnel Security
District agencies must:
4.6.1. Establish personnel security requirements including security roles and responsibilities for third-party providers.
4.6.2. Document personnel security requirements and monitor provider compliance.
4.6.3. Define which transfers and separations are reportable, based on security-related characteristics such as the functions, roles, and nature of the credentials/privileges associated with the individuals transferred.
4.6.4. Monitor third-party provider compliance.
4.7. Personnel Sanctions
District agencies must:
4.7.1. Employ a formal sanctions process for individuals failing to comply with established information security policies and procedures.
4.7.2. Notify the agency Human Resources Department within twenty-four (24) hours when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
5. Exemption
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
6. Definitions
The definition of the terms used in this document can be found in the Policy Definitions website.