PS-Policy.md

Personnel Security Policy

Bixal Solutions [employment](https://Bixal Solutions-handbook.readthedocs.io/en/latest/03-policies/employment/) includes background checks, agreement to a Conflict of Interest Plan @todo link, and may cover one or more controls listed in these families:

  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental Protection (PE)
  • Personnel Security (PS)
  • System and Information Integrity (SI)

Purpose

Reduce the risk of insider threats or internal conspiracies to circumvent the confidentiality, integrity, or availability of information systems. Sanction individuals found violating Bixal Solutions policies or procedures, or taking any other action that knowingly violates the confidentiality, integrity, or availability of information systems.

Scope

See the Bixal Solutions Common Control Policy.

Policy overlay

For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates, please see the Bixal Solutions Common Control Policy.

Procedures

For personnel categorization, position risk designation is assigned by Bixal Solutions management. Risk designations are re-categorized whenever responsibilities change or when the impact level of the system or the information in it changes.

See PS-2, PS-3.

Reviews of the ongoing operational need for current logical access by individuals are initiated and facilitated by the System Owner and Project Manager. The System Owner or Project Manager modifies permissions granted to individuals to correspond to any changes in the individual's requirements.

See PS-5.

Bixal Solutions enforces the same requirements on contractors that it does on staff, and contractors follow all normal procedures for onboarding and gaining access to client systems.

See PS-7.

The Director of Human Resources is responsible for determining and enforcing sanctions for failing to comply with established information security policies and procedures. Coaching may be considered prior to sanctions. Sanctions may include but are not limited to written warnings, reduction in system access, demotion, or termination.

See PS-8 and PS-4.