SA-5 Information System Documentation
Description
The University obtains documentation for all acquired information resources, system components, or information system services.
Applicability
- The information resource owner, or designee, is responsible for ensuring that all requirements of this Control are satisfied.
Implementation
-
1 - The information resource owner, or designee, is responsible for:
-
1.1 - Obtaining administrator documentation for the information resource, system component, or information system service that describes:
- 1.1.1 - Secure configuration, installation, and operation of the information resource, component, or service;
- 1.1.2 - Effective use and maintenance of security functions/mechanisms; and
- 1.1.3 - Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
-
1.2 - Obtaining user documentation for the information resource, system component, or information system service that describes:
- 1.2.1 - Operations of User-accessible security functions/mechanisms;
- 1.2.2 - Methods for user interaction, which enables individuals to use the information resource, component, or service in a more secure manner; and
- 1.2.3 - User responsibilities in maintaining the security of the information resource, component, or service.
-
1.3 - Documenting attempts to obtain information resource, system component, or information resource service documentation when such documentation is either unavailable or nonexistent.
-
1.4 - Protecting documentation as required, in accordance with the risk management strategy; and
-
1.5 - Distributing documentation to appropriate information resource custodians and users.
-