| TITLE: Information Security | ID: |
| ORIGINATOR: Information Security Office | DATE: Jan 5, 2005 |
| REVIEWED: President's Council | DATE: Feb 16, 2005 |
| APPROVED: Raymond S. Greenberg, MD, PhD | DATE: Feb 16, 2005 |
| IMPLEMENTATION: Enterprise-wide | DATE: Feb 16, 2005 |
Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:
A contingency plan should be developed and maintained for each MUSC information system. The plan should include policies and procedures for handling disasters and other types of emergencies that might disrupt the operation of the system and/or interrupt access to its information by authorized users.
The designated Owner of each MUSC information system is required to develop and maintain a contingency plan for the system. The depth and breadth of the contingency plan, and the degree of detail and testing required, should be determined by ongoing risk assessments, by business continuity requirements (including applications and data criticality analysis), and by legal and regulatory requirements.
Contingency plans should encompass backup procedures, restoration and recovery procedures, and emergency mode operations procedures. Contingency plans should be periodically tested, and should be revised as needed in response to environmental, operational, policy or regulatory changes.
Designated System Owners should coordinate the development of their contingency plans with their Entity IACOs, who should ensure that the procedures documented in these plans are available to the persons responsible for their implementation.
This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.