
3.10 PS

501 paragraphs across nine sections. Here is the structure and the design decisions that distinguish this page from generic HR policy documentation.


Document structure

The PS family has the smallest control count in NIST 800-171 — two controls — but generates one of the most operationally complex compliance obligations because it spans HR, IT Operations, Legal, and (for DEFSTAN contracts) a government vetting authority. The document is structured to serve multiple audiences: HR owns Section 3 (screening matrix) and Section 4 (leaver checklist); IT Operations owns the IT Operations section of Section 4; the CISO owns oversight of both. The SCM variant note explicitly grants HR read access to the relevant sections rather than the standard security-team-only access.

Section 3 (screening matrix) is the most significant table in the document. It covers 12 role categories from general staff with no CUI access through to DEFSTAN OFFICIAL-SENSITIVE roles requiring SC clearance. The matrix uses colour coding: purple shading for SC-required rows, teal for BPSS-minimum rows, and gray for identity-only rows. This makes it immediately clear to HR which roles require which level of vetting, without requiring HR to read the full control implementation text.

Section 4 (leaver de-provisioning checklist) is a three-part operational document that assessors use directly. It is structured as a literal checklist — three tables (HR responsibilities, IT Operations responsibilities, CISO responsibilities) — each with a status column showing "Done / N/A" and a notes column with blank lines for timestamps. An assessor who samples leaver records should be able to pick up EV-D04 for any departed employee and follow every step to closure. The IT Operations section includes the anomaly review step (SIEM review of the past 30 days before access revocation) before the account disable step — this ordering is deliberate. Reviewing the audit log after the account is disabled is forensically valid but harder — reviewing it immediately before is more operationally clean.

Section 5 (NDA framework) covers the five lifecycle touchpoints where NDA-related documents are signed and filed, from pre-interview through departure. Most organisations track the employment contract but miss the pre-interview NDA and the departure NDA confirmation as separate evidence items. EV-B09 (departure NDA confirmation) is often the evidence item that is absent in assessments — the departure acknowledgement was verbal, or it was combined with the leaver checklist signature without creating a distinct enforceable document.


BPSS vs SC clearance — the distinction that matters for DEFSTAN

The two call-out boxes in Section 3 explain BPSS and SC clearance in plain operational terms. The critical distinction is that BPSS is not a national security clearance — it can be conducted by HR using approved processes or by a commercial UKAS-accredited screening provider. SC clearance is conducted by UKSV (UK Security Vetting, part of HMGCC) and requires government sponsorship. An organisation cannot independently initiate SC clearance for its staff — it must be sponsored through the government department or defence prime that is the contracting authority.

The practical implication for common finding four (SC required but only BPSS conducted) is that the remediation timeline is not within the organisation's control. Once the screening requirement is identified, the organisation must approach the contracting authority for sponsorship, submit the vetting questionnaire, and wait for UKSV — a process that takes 4–12 weeks on average and may be longer for more complex cases. This is why the screening matrix must be reviewed immediately on contract award rather than at the annual review cycle.


The leaver checklist timing architecture

The most operationally critical design decision in Section 4 is the timing sequencing within the IT Operations section. The SIEM anomaly review step is listed as a step that must be done before the account is disabled, not after. This sequence is not arbitrary.

When an account is disabled, Entra ID begins signing the account out of active sessions within minutes. The account's audit trail in Entra ID remains available, but active session context is lost. More importantly, reviewing the audit log while the account is still active allows IT Operations to see what is happening in real time (if an active download is in progress, it can be intercepted). If the anomaly review is done after disable, the window for active intervention has closed.

The standard is: HR notifies IT on resignation acceptance; IT runs the SIEM 30-day lookback immediately; IT reports findings to CISO if any anomalies are found; the CISO decides whether immediate access revocation or enhanced monitoring during the notice period is appropriate; the formal account disable happens on or before the final working day. This sequence converts the leaver process from a single-day administrative task into a structured risk management activity that begins from the moment of notification.


The Friday afternoon problem — common finding two

Finding two in Section 8 documents the most predictable failure in leaver de-provisioning: a voluntary resignation is accepted on Thursday; the final working day is the following Friday; IT Operations processes the account on Monday morning; the individual had 60 hours of valid access after their employment ended.

The fix is operational rather than procedural — the checklist already says "same day." The issue is that IT Operations is not always reachable late on a Friday afternoon, and the HR notification sometimes arrives after the end of the IT working day. The solution is a lightweight automated trigger: when HR updates the HR system to set a departure date, an automated task in the ITSM platform creates an IT Operations ticket assigned to the on-call engineer with a due date of the departure date. The ITSM task contains the leaver checklist. The on-call engineer sees it when they check their task queue on Friday morning.
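As an added illustration (not part of the original page or the AT-PS document), the Python model below encodes the IT Operations sequence from the section above together with the automated trigger: HR's departure date opens a ticket due on that date and assigned to on-call, the 30-day SIEM lookback runs while the account is still live, the disable step is refused until that review has run, and the post-departure access gap (the 60-hour Friday-to-Monday window) is computed. The anomaly rules, threshold, user names and sample events are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
LOOKBACK_DAYS = 30                 # the checklist's 30-day SIEM lookback
BULK_DOWNLOAD_BYTES = 500_000_000  # constructed anomaly threshold (assumption)
# Constructed sample SIEM events for one leaver (not real log data).
SAMPLE_EVENTS = [
    {"user": "alice", "action": "download", "bytes": 900_000_000, "ts": datetime(2024, 5, 10, 14)},
    {"user": "alice", "action": "signin", "ts": datetime(2024, 5, 12, 2)},           # 02:00 sign-in
    {"user": "alice", "action": "download", "bytes": 900_000_000, "ts": datetime(2024, 3, 1, 9)},
]

@dataclass
class LeaverTicket:
    user: str
    departure: datetime            # end of final working day (= ticket due date)
    assignee: str                  # on-call engineer
    anomalies: list = field(default_factory=list)
    review_done: bool = False
    disabled_at: Optional[datetime] = None

def open_leaver_ticket(user, departure, on_call):
    """Automated trigger: HR departure date -> ITSM ticket due that day, assigned to on-call."""
    return LeaverTicket(user=user, departure=departure, assignee=on_call)

def siem_lookback(ticket, events, now):
    """Step 1 of the IT section: review the last 30 days while the account is still live."""
    start = now - timedelta(days=LOOKBACK_DAYS)
    for e in events:
        if e["user"] != ticket.user or not (start <= e["ts"] <= now):
            continue
        # Constructed rules: bulk download, or sign-in outside 07:00-19:00.
        if e["action"] == "download" and e["bytes"] >= BULK_DOWNLOAD_BYTES:
            ticket.anomalies.append(e)
        elif e["action"] == "signin" and not 7 <= e["ts"].hour < 19:
            ticket.anomalies.append(e)
    ticket.review_done = True
    return ticket.anomalies

def disable_account(ticket, now):
    """Step 2: refused until the lookback has run, enforcing the deliberate ordering."""
    if not ticket.review_done:
        raise RuntimeError("run the SIEM lookback before disabling the account")
    ticket.disabled_at = now
    return ticket

def access_gap_hours(ticket):
    """Hours of valid access after the final working day (the Friday afternoon problem)."""
    if ticket.disabled_at is None:
        return None
    return max(0.0, (ticket.disabled_at - ticket.departure).total_seconds() / 3600)
```

With a Friday 17:00 departure and a Monday 05:00 disable, `access_gap_hours` returns 60.0; a same-day disable returns 0.0.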

For involuntary terminations, the briefing must happen before the termination conversation, not after. IT Operations should receive the instruction ("be ready to disable account X at 14:30 today") as part of the termination planning, not as a call received after the individual has left the building.


Cross-linking in Confluence

The AT-PS page connects to five other family pages more closely than most. Link to AT-AC (the JML process that implements 3.9.1's access gate — the provisioning record in EV-D03 must show that screening was complete before the account creation date). Link to AT-AT (the annual security awareness training completion in EV-B05 serves as an annual re-acknowledgement of information handling obligations — it connects the personnel security obligation to the ongoing training programme). Link to AT-IA (the 90-day account retention before deletion documented in AT-IA 3.5.9 is the post-departure identifier reuse control — AT-PS 3.9.2 requires CUI protection after departure and AT-IA 3.5.9 provides the timeline for the account lifecycle). Link to AT-MA (the maintenance personnel register in AT-MA must be updated when a staff member departs — the leaver checklist IT Operations section includes this step). And link to the HR Security Policy — AT-PS is the technical implementation of what that policy document governs.


Updated library status

Thirteen of the fourteen family pages are now complete:

Page                                        Controls   Status
AT-AC · Access Control                            22   Complete
AT-AT · Awareness and Training                     3   Complete
AT-AU · Audit and Accountability                   9   Complete
AT-CM · Configuration Management                   9   Complete
AT-IA · Identification and Authentication         11   Complete
AT-IR · Incident Response                          3   Complete
AT-MA · Maintenance                                6   Complete
AT-MP · Media Protection                           9   Complete
AT-PE · Physical Protection                        6   Complete
AT-PS · Personnel Security                         2   Complete
AT-SC · System and Comms Protection               16   Complete
AT-SI · System and Info Integrity                  7   Complete

One family remains: AT-RA (Risk Assessment, 3 controls — the risk assessment methodology, vulnerability scanning programme, and remediation tracking). After AT-RA, the final deliverable is AT-CA (Security Assessment, 4 controls — the SSP master document, POA&M process, internal audit programme, and continuous monitoring — the keystone document that cross-references every completed family page).