SA-8(28): Acceptable Security

CSF v1.1 References:


(Not part of any baseline)

Info icon.

Control is new to this version of the control set.

Control Statement

Implement the security design principle of acceptable security in [Assignment: organization-defined systems or system components].

Supplemental Guidance

The principle of acceptable security requires that the level of privacy and performance that the system provides is consistent with the users' expectations. The perception of personal privacy may affect user behavior, morale, and effectiveness. Based on the organizational privacy policy and the system design, users should be able to restrict their actions to protect their privacy. When systems fail to provide intuitive interfaces or meet privacy and performance expectations, users may either choose to completely avoid the system or use it in ways that may be inefficient or even insecure.