Description

The University obtains documentation for all acquired information resources, system components, or information system services.

Applicability

  • The information resource owner, or designee, is responsible for ensuring that all requirements of this Control are satisfied.

Implementation

  • 1

    The information resource owner, or designee, is responsible for:

    • 1.1

      Obtaining administrator documentation for the information resource, system component, or information system service that describes:

      • 1.1.1

        Secure configuration, installation, and operation of the information resource, component, or service;

      • 1.1.2

        Effective use and maintenance of security functions/mechanisms; and

      • 1.1.3

        Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.

    • 1.2

      Obtaining user documentation for the information resource, system component, or information system service that describes:

      • 1.2.1

        Operations of User-accessible security functions/mechanisms;

      • 1.2.2

        Methods for user interaction, which enables individuals to use the information resource, component, or service in a more secure manner; and

      • 1.2.3

        User responsibilities in maintaining the security of the information resource, component, or service.

    • 1.3

      Documenting attempts to obtain information resource, system component, or information resource service documentation when such documentation is either unavailable or nonexistent.

    • 1.4

      Protecting documentation as required, in accordance with the risk management strategy; and

    • 1.5

      Distributing documentation to appropriate information resource custodians and users.