| TITLE: Information Security - Data Protection | ID: |
| ORIGINATOR: Information Security Office | DATE: April 20, 2009 |
| REVIEWED: President's Council | DATE: January 26, 2011 |
| APPROVED: Raymond S. Greenberg, MD, PhD | DATE: January 26, 2011 |
| IMPLEMENTATION: Enterprise-wide | DATE: January 26, 2011 |
Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:
Information in electronic form that is classified as MUSC Restricted or MUSC Protected shall, to the extent possible, be stored only in appropriately protected repositories within formally established and authorized information systems, and shall not be stored in end-user computing, storage, or communication devices (including but not limited to: desktop computers, laptops, tablets, PDAs, thumb drives, memory cards, or communication devices such as cell phones or smart phones).
In exceptional circumstances, there may be an unavoidable business requirement to store MUSC Protected information on an end-user device. In these circumstances, the Administrators, Users and Custodians of the device shall meet the baseline data protection requirements outlined in this policy.
The amount of MUSC Protected information stored on an end-user device shall be minimized at all times. The number of locations within the device where the MUSC Protected information is stored should be minimized, and the MUSC Protected information should be securely removed (purged) from the device as soon as it is no longer needed.
A complete and accurate inventory of the MUSC Protected information that is stored on an end-user device shall be maintained, and stored independently of the device. The inventory should be kept in sufficient detail to permit MUSC's incident response team to identify the specific records that are at risk of unauthorized disclosure if the device is lost or stolen, or otherwise breached.
Any MUSC Protected information that is stored on an end-user device shall be stored only in an approved encrypted format. Encryption algorithms and procedures for storing MUSC Protected information must be approved by the Information Security Office.
End-user devices containing MUSC Protected information shall be kept physically secure by the User or Custodian who is responsible for the device. In particular, these devices should not be left unattended in any location where theft is a reasonably anticipated and avoidable risk.
If an end-user device containing MUSC Protected information is lost or stolen, the User or Custodian who is responsible for the device shall immediately report the incident. See Incident Reporting Procedure.
This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.