SA-5 Information System Documentation

Description

The University obtains documentation for all acquired information resources, system components, or information system services.

Applicability

  • The information resource owner, or designee, is responsible for ensuring that all requirements of this Control are satisfied.

Implementation

  • 1 - The information resource owner, or designee, is responsible for:

    • 1.1 - Obtaining administrator documentation for the information resource, system component, or information system service that describes:

      • 1.1.1 - Secure configuration, installation, and operation of the information resource, component, or service;
      • 1.1.2 - Effective use and maintenance of security functions/mechanisms; and
      • 1.1.3 - Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
    • 1.2 - Obtaining user documentation for the information resource, system component, or information system service that describes:

      • 1.2.1 - Operations of user-accessible security functions/mechanisms;
      • 1.2.2 - Methods for user interaction, which enable individuals to use the information resource, component, or service in a more secure manner; and
      • 1.2.3 - User responsibilities in maintaining the security of the information resource, component, or service.
    • 1.3 - Documenting attempts to obtain information resource, system component, or information resource service documentation when such documentation is either unavailable or nonexistent;

    • 1.4 - Protecting documentation as required, in accordance with the risk management strategy; and

    • 1.5 - Distributing documentation to appropriate information resource custodians and users.