SA-08(32) Sufficient Documentation
Implement the security design principle of sufficient documentation in sa-08.32_odp.
| Parameter ID | Definition |
|---|---|
| sa-08.32_odp | systems or system components |
Baselines
- L
- M
- H
- P
Guidance
The principle of sufficient documentation states that organizational personnel with responsibilities to interact with the system are provided with adequate documentation and other information such that the personnel contribute to rather than detract from system security. Despite attempts to comply with principles such as human factored security and acceptable security, systems are inherently complex, and the design intent for the use of security mechanisms and the ramifications of the misuse or misconfiguration of security mechanisms are not always intuitively obvious. Uninformed and insufficiently trained users can introduce vulnerabilities due to errors of omission and commission. The availability of documentation and training can help to ensure a knowledgeable cadre of personnel, all of whom have a critical role in the achievement of principles such as continuous protection. Documentation is written clearly and supported by training that provides security awareness and understanding of security-relevant responsibilities.
Related controls
- AT-02 Literacy Training and Awareness L M H P
- AT-03 Role-based Training L M H P
- SA-05 System Documentation L M H P