| TITLE: Information Security | ID: |
| ORIGINATOR: Information Security Office | DATE: Jan 23, 2009 |
| REVIEWED: President's Council | DATE: Jul 29, 2009 |
| APPROVED: Raymond S. Greenberg, MD, PhD | DATE: Jul 29, 2009 |
| IMPLEMENTATION: Enterprise-wide | DATE: Jul 29, 2009 |
Please refer to "MUSC Information Security Rationale: The Need for Safeguards" for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:
If an MUSC workstation or other system contains (or has ever contained) protected information, then the designated Owner of the system is responsible for ensuring that the device and media controls that govern the receipt, movement, and disposal of the system's hardware and electronic media are sufficient to meet all legal, ethical and business requirements.
Prior to disposal or surplus, all electronic media, regardless of whether they are believed to contain (or to have contained) protected information, must be sanitized (purged or cleared of all data) by an individual who has been certified in accordance with the MUSC Device and Media Disposal Procedures.
Please refer to MUSC Policy: Information Security: Appendix A.
The system's device and media controls must govern the disposal and re-use of hardware or media that may contain protected information, and should ensure accountability for any workforce member who moves the system's hardware or media. Controls should also ensure that hardware or media containing protected information is not moved unless a backup copy of the information exists.
The specific media controls used with a system should be guided by the system's Risk Assessment. The System Owner must ensure that appropriate System-specific procedures are created, documented, and followed.
This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.