
NIST 800-53R5 Governance, Risk and Compliance (GRC). NIST 800-53 Procedure Review and Assessment.



NIST Special Publication 800-53 ("Security and Privacy Controls for Information Systems and Organizations" in Revision 5) is published by the National Institute of Standards and Technology. It is a catalog of security and privacy controls, grouped into families such as Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), and Personnel Security (PS), that federal agencies are required to use and that other organizations can adopt to manage their information security risks.

The step-by-step process usually described alongside NIST 800-53 is actually the NIST Risk Management Framework (RMF) from SP 800-37; 800-53 supplies the control catalog that the Select step draws on (SP 800-37 Rev. 2 also adds a preliminary Prepare step). The process helps organizations identify, assess, and manage their information security risks and is broken down into the following steps:

Categorize information systems: Identify the information systems that need to be secured and rate the impact to the organization if each were compromised. Under FIPS 199 a system is rated low, moderate, or high for confidentiality, integrity, and availability separately, and the overall category is the highest of the three (the high-water mark).

Select security controls: Once the system has been categorized, choose the controls that will protect it. NIST 800-53 provides the catalog; the low, moderate, and high baselines (SP 800-53B for Revision 5) give the starting set of controls for each impact level, which is then tailored to the specific system.

Implement security controls: Put the selected controls in place within the information system and document how each one is implemented in the system security plan.

Assess security controls: Test the implemented controls, using the assessment procedures in SP 800-53A, to confirm that they are implemented correctly, operating as intended, and producing the desired outcome. The results are recorded in a security assessment report.

Authorize information systems: An authorizing official reviews the assessment results and the residual risk and decides whether the system may operate.

Monitor security controls: Finally, monitor the controls on an ongoing basis so that they continue to provide the required level of protection as the system and its threat environment change.

Overall, the procedures outlined in NIST 800-53 provide a comprehensive framework for managing information security risks. By following these procedures, organizations can improve their overall security posture and better protect their sensitive information and systems.
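The Categorize and Select steps above have a mechanical core that is easy to get wrong by hand, so here is an added worked example (not code from the original page or from NIST) that applies the FIPS 199 high-water mark to a system made of several information types and then picks the controls from an abbreviated baseline table. The information types, their impact ratings, and the six-control baseline subset are constructed for illustration; the subset matches SP 800-53B for those six controls but is nowhere near the full catalog, and SP 800-60 and SP 800-53B remain the authoritative sources.

```python
"""Added example: FIPS 199 categorization and baseline control selection.
All information types, ratings and the baseline subset below are constructed
for illustration; consult FIPS 199, SP 800-60 and SP 800-53B for real values."""

from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")          # FIPS 199 impact levels, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type handled by the system, rated per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _max_level(levels):
    """Highest FIPS 199 level in an iterable of level names."""
    return max(levels, key=LEVELS.index)


def categorize(info_types):
    """Return (per-objective impact, overall category).

    FIPS 199: the system's impact for each objective is the highest rating
    among its information types; the overall category is the high-water mark
    across confidentiality, integrity and availability."""
    per_objective = {
        obj: _max_level(getattr(t, obj) for t in info_types) for obj in OBJECTIVES
    }
    return per_objective, _max_level(per_objective.values())


# Constructed subset of SP 800-53B: control -> lowest baseline that includes it.
# Baselines are cumulative (moderate includes every low control, and so on).
BASELINE_SUBSET = {
    "AC-2":    "low",       # Account Management
    "AC-2(1)": "moderate",  # Automated System Account Management
    "AC-6":    "moderate",  # Least Privilege
    "AT-2":    "low",       # Literacy Training and Awareness
    "AU-6":    "low",       # Audit Record Review, Analysis, and Reporting
    "PS-3":    "low",       # Personnel Screening
}


def select_baseline(overall, catalog=BASELINE_SUBSET):
    """Controls whose lowest baseline is at or below the system's category."""
    rank = LEVELS.index(overall)
    return sorted(c for c, lowest in catalog.items() if LEVELS.index(lowest) <= rank)


# Constructed sample system: three information types with different ratings.
SAMPLE_INFO_TYPES = [
    InfoType("employee PII records", "moderate", "moderate", "low"),
    InfoType("public web content",   "low",      "moderate", "low"),
    InfoType("incident tickets",     "moderate", "low",      "moderate"),
]


def categorize_and_select(info_types=SAMPLE_INFO_TYPES):
    """Run Categorize then Select for a system and return the result."""
    per_objective, overall = categorize(info_types)
    return {
        "per_objective": per_objective,
        "overall": overall,
        "controls": select_baseline(overall),
    }


if __name__ == "__main__":
    result = categorize_and_select()
    print("Impact per objective:", result["per_objective"])
    print("System category (high-water mark):", result["overall"])
    print("Baseline controls (subset):", ", ".join(result["controls"]))
```

Note that a single moderate rating on any objective of any information type lifts the whole system to moderate, which is why AC-6 (Least Privilege) appears for the sample system but would not for an all-low one; tailoring can then add or justify removing controls, but it starts from this baseline.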

NIST 800-53 does not lay out a step-by-step on-boarding procedure, but several of its controls govern the process: PS-3 (Personnel Screening), PS-6 (Access Agreements), PS-7 (External Personnel Security, which covers contractors), AC-2 (Account Management), AC-6 (Least Privilege), and AT-2 (Literacy Training and Awareness). The steps below map the usual on-boarding process onto those controls so that new employees and contractors are given the access they need and no more.

Pre-screening (PS-3, PS-7): Before an individual is hired or contracted, conduct a screening process that includes background checks, reference checks, and any other verification the position requires. Contractors are screened to the same standard as employees in equivalent roles.

Identify access needs (AC-2): Once an individual has been hired or contracted, determine the access they need based on their job responsibilities and duties, including the specific information systems and data required to perform the job. Defining access by role rather than per person keeps this repeatable and reviewable.

Grant access (AC-2, AC-6, PS-6): Grant access to the information systems and data identified in the previous step and nothing else, on a least-privilege basis. Have the individual sign the required access agreements (rules of behavior, non-disclosure) before the accounts are enabled.

Security awareness training (AT-2): Provide security awareness training to all new employees and contractors, before or shortly after access is granted, so that they understand their responsibilities for protecting sensitive information.

Ongoing monitoring (AC-2, AU-6): Review accounts and audit records on an ongoing basis to confirm that individuals only use the access they were granted, that accounts match current roles, and that unauthorized access attempts are detected and followed up.

Overall, the on-boarding process for new employees and contractors should be designed to ensure that they are given appropriate access to information systems and data, while also protecting the organization's sensitive information and data from unauthorized access or misuse.
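The "identify access needs", "grant access" and "ongoing monitoring" steps above are where on-boarding goes wrong in practice: access is granted by copying a colleague's account, and nobody compares what was granted against what is used. Here is an added example (not code from the original page or from NIST) that derives a new hire's entitlements from a role matrix, rejects roles with no defined entitlements instead of silently ignoring them, and then reviews access log lines against those entitlements, flagging both allowed actions outside the grant (the kind of drift an AC-2 account review should catch) and repeated denied attempts on systems the user was never given (an AU-6 audit review finding). The role matrix, the user, and the log lines are constructed for illustration, and the log format is an assumed key=value layout rather than any particular product's.

```python
"""Added example: least-privilege provisioning from a role matrix and
review of access logs against the granted entitlements. The role matrix,
user, and log lines are constructed for illustration."""

from collections import defaultdict

# Constructed role-to-entitlement matrix: each role maps to the minimum set of
# (system, permission) pairs its duties require. Access is granted only via roles.
ROLE_ENTITLEMENTS = {
    "helpdesk": {("ticketing", "read"), ("ticketing", "write"), ("directory", "read")},
    "payroll":  {("hr-db", "read"), ("hr-db", "write"), ("directory", "read")},
    "sre":      {("prod-k8s", "deploy"), ("logging", "read"), ("directory", "read")},
}


def provision(user, roles, role_matrix=ROLE_ENTITLEMENTS):
    """Least-privilege grant: the union of the user's approved roles' entitlements.

    An unknown role is an error, not an empty grant; otherwise a typo in the
    request would silently leave the user without access and invite a manual
    'just give them admin' workaround."""
    unknown = [r for r in roles if r not in role_matrix]
    if unknown:
        raise ValueError(f"{user}: no entitlement definition for roles {unknown}")
    return set().union(*(role_matrix[r] for r in roles))


# Constructed access log, assumed key=value format: one line per access decision.
ACCESS_LOG = """\
2024-03-04T09:12:03Z user=jsmith system=ticketing action=read result=allow
2024-03-04T09:14:41Z user=jsmith system=hr-db action=read result=deny
2024-03-04T09:15:02Z user=jsmith system=hr-db action=read result=deny
2024-03-04T09:15:27Z user=jsmith system=hr-db action=read result=deny
2024-03-04T10:02:10Z user=jsmith system=directory action=read result=allow
2024-03-04T10:30:55Z user=jsmith system=prod-k8s action=deploy result=allow
"""


def parse_log(text):
    """Parse 'timestamp k=v k=v ...' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        fields["ts"] = ts
        events.append(fields)
    return events


def review_access(events, entitlements, deny_threshold=3):
    """Compare observed access against granted entitlements.

    Returns findings of two kinds:
      out_of_scope_allow      - an allowed action the user was never granted
                                (hand-added permission or provisioning drift)
      repeated_denied_attempts - deny_threshold or more denials on a
                                (system, action) outside the grant (probing/misuse)
    """
    findings = []
    denies = defaultdict(int)
    for e in events:
        user, key = e["user"], (e["system"], e["action"])
        granted = entitlements.get(user, set())
        if key in granted:
            continue                      # in scope; nothing to flag
        if e["result"] == "allow":
            findings.append(("out_of_scope_allow", user, key[0], key[1], e["ts"]))
        elif e["result"] == "deny":
            denies[(user, key[0], key[1])] += 1
    for (user, system, action), n in denies.items():
        if n >= deny_threshold:
            findings.append(("repeated_denied_attempts", user, system, action, n))
    return findings


def onboard_and_review(user="jsmith", roles=("helpdesk",), log=ACCESS_LOG):
    """Provision the new hire, then review the constructed log against the grant."""
    entitlements = {user: provision(user, list(roles))}
    return review_access(parse_log(log), entitlements)


if __name__ == "__main__":
    for finding in onboard_and_review():
        print(finding)
```

Run as-is, the review reports that jsmith, a helpdesk hire, was somehow allowed to deploy to prod-k8s (a grant that does not come from any approved role) and tried hr-db three times and was denied each time. The first finding is a provisioning or privilege-creep problem to fix at the account-management level; the second is a behaviour question for the user's manager or the incident responders.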
Category: Management