Skip to main content

SA-5 Information System Documentation

Description

The University obtains documentation for all acquired information resources, system components, or information system services.

Applicability

The information resource owner, or designee, is responsible for ensuring that all requirements of this Control are satisfied.

Implementation

1 - The information resource owner, or designee, is responsible for:
- 1.1 - Obtaining administrator documentation for the information resource, system component, or information system service that describes:
  - 1.1.1 - Secure configuration, installation, and operation of the information resource, component, or service;
  - 1.1.2 - Effective use and maintenance of security functions/mechanisms; and
  - 1.1.3 - Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
- 1.2 - Obtaining user documentation for the information resource, system component, or information system service that describes:
  - 1.2.1 - Operations of User-accessible security functions/mechanisms;
  - 1.2.2 - Methods for user interaction, which enables individuals to use the information resource, component, or service in a more secure manner; and
  - 1.2.3 - User responsibilities in maintaining the security of the information resource, component, or service.
- 1.3 - Documenting attempts to obtain information resource, system component, or information resource service documentation when such documentation is either unavailable or nonexistent.
- 1.4 - Protecting documentation as required, in accordance with the risk management strategy; and
- 1.5 - Distributing documentation to appropriate information resource custodians and users.

Description
Applicability
Implementation