MUSC Policy: Information Security

TITLE: Information Security	ID:
ORIGINATOR: Information Security Office	DATE: Jan 5, 2005
REVIEWED: President's Council	DATE: Feb 16, 2005
APPROVED: Raymond S. Greenberg, MD, PhD	DATE: Feb 16, 2005
IMPLEMENTATION: Enterprise-wide	DATE: Feb 16, 2005

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance: HIPAA Security: 164.308(a)(1) Security Management Process HIPAA Security: 164.308(a)(2) Assigned Security Responsibility HIPAA Security: 164.308(a)(8) Evaluation FTC Safeguards Rule: 314.3(a) FTC Safeguards Rule: 314.3(b) FTC Safeguards Rule: 314.4(a) FTC Safeguards Rule: 314.4(b)

2. POLICY

MUSC's information is an important asset. Appropriate safeguards are required to protect MUSC's information assets against reasonably anticipated threats to their availability, integrity, and confidentiality. All faculty, students and staff share in the responsibility for the protection of all of MUSC's information assets. The protection of each of MUSC's information resources must be based upon sound risk management principles, to ensure that protective measures are reasonable and appropriate, and are commensurate with the value, sensitivity, and criticality of the resource. In addition, protective measures must meet all applicable regulatory and legal requirements. This policy applies across all the entities that comprise the MUSC Enterprise. It applies to all information resources, whether on campus or accessed from remote locations. These resources include all information, data, computers, computer systems, and networks, that are acquired, developed, or maintained in direct or indirect support of MUSC's mission.

3. PROCEDURES

3.1. Definitions

Please refer to Appendix A.

3.2. Assigned Responsibilities

3.2.1. Office of the Chief Information Officer (OCIO)

The Office of the CIO (OCIO) for the MUSC Enterprise will designate an Enterprise Information Security Officer (ISO), to whom the following responsibilities are assigned:

Documenting MUSC's Enterprise-level information security architecture, strategy and plans.
Coordinating the development of Enterprise-level information security policies, standards and guidelines.
Directing MUSC's Computer Security Incident Response Team (CSIRT).
Developing and deploying Enterprise-level information security safeguards, such as network access control services, that help protect information assets across the MUSC Enterprise.
Developing and deploying common (shared) tools, instruments, and services, as needed to assist MUSC's IACOs, System Owners, and System Administrators in meeting their assigned information security responsibilities.
Assisting IACOs and System Owners with information security risk assessments that involve Information Technology (IT) Infrastructure components.
Conducting Enterprise-level vulnerability assessments.

3.2.2. Information Assurance Compliance Officers (IACO)

Each legally distinct Entity within the MUSC Enterprise must designate an individual to serve in the role of Information Assurance Compliance Officer (IACO). The University, the Medical Center, and University Medical Associates are examples of entities that must designate IACOs.

Each Entity IACO has the following responsibilities:

Monitoring the compliance of all Entity personnel, with all MUSC Enterprise security policies, all Entity security policies, and all regulatory and legal requirements.
Documenting any information security policy violation involving a Workforce Member of the Entity, and reporting the violation to the appropriate enforcement authority. (See Sanctions.)
Ensuring that Entity Workforce Members have access to documentation and training on all MUSC Enterprise security policies and all Entity security policies, and are aware of their specific, assigned security responsibilities.
Coordinating the development of Entity-level security policies, standards and guidelines, as needed to augment Enterprise policies, standards and guidelines.

3.2.3. System Owners

Each Information System that is implemented and used within the MUSC Enterprise must have a designated Owner. The Owner of an Information System is responsible for:

Ensuring that accurate and thorough risk assessments are conducted and documented at appropriate points in the lifecycle of the System, beginning prior to the System's implementation, and that the findings are applied to the effective management of risks over the entire life of the System.
Ensuring that appropriate System-specific policies, procedures and safeguards are developed and implemented, to comply with all applicable MUSC policies, any applicable Entity policies, and all applicable laws and regulations.
Designating a System Administrator for the System.

3.2.4. System Administators

The Owner of each Information System within the MUSC Enterprise must designate a System Administrator, who is responsible for:

Ensuring that documentation and training on all System-specific information security policies, procedures, and assigned security responsibilities, are available to all Users of the System.
Ensuring that appropriate records of system activity are maintained and made available for review by the appropriate personnel.
Executing appropriate incident response procedures, in collaboration with the ISO and appropriate IACO(s), in the event of a security incident involving the System.

3.2.5. Information System Users

All faculty, students and staff across the MUSC Enterprise are responsible for:

Understanding and meeting all of the security responsibilities assigned to them by MUSC's Enterprise information security policies, including the MUSC Computer Use Policy.
Understanding and meeting any additional security responsibilities assigned by the MUSC Entit(ies) where they are a workforce member.
For each Information System that they use, understanding and meeting all of their assigned, System-specific security responsibilities.

3.3. Sanctions

Any employee of any Entity within the MUSC Enterprise who violates an information security policy is subject to disciplinary action, as specified in the Human Resource policies and procedures for the Entity. Any MUSC faculty member who violates an information security policy is subject to disciplinary action, following the procedures specified in the MUSC Faculty Handbook. Any MUSC student who violates an information security policy is subject to disciplinary action, following the procedures specified in the MUSC Bulletin.

3.4. See Also

MUSC Computer Use Policy
MUSC Policy: Information Security - Risk Management
MUSC Policy: Information Security - Evaluation
MUSC Policy: Information Security - Workforce Security
MUSC Policy: Information Security - Awareness and Training
MUSC Policy: Information Security - Incident Response
MUSC Policy: Information Security - Contingency Plan
MUSC Policy: Information Security - Workstation Use
MUSC Policy: Information Security - Device and Media Controls
MUSC Policy: Information Security - Access Control
MUSC Policy: Information Security - Network Access
MUSC Policy: Information Security - Audit Controls
MUSC Policy: Information Security - Person or Entity Authentication
MUSC Policy: Information Security - Data Integrity
MUSC Policy: Information Security - Encryption
MUSC Policy: Information Security - Documentation

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.

Appendix A: Definitions

Access Control: 1. Security procedures implemented to control the ability of persons or other agents to physically and/or logically access or interact with information systems, services, or other assets. 2. The process of limiting access to resources, to authorized users, programs, processes, or other networks.

Audit Control: Security procedures for recording and examining system activity to verify compliance with security policy. These procedures typically include hardware, software, and procedural elements.

Authentication: 1. Corroboration that a person is the one claimed. 2. A security measure intended to establish the validity of a message or its originator.

Authorization: A permission to access or operate upon an information resource in a defined manner, or the act of granting such a permission.

Authorizer: Someone permitted by the System Owner to authorize system access requests.

Compliance: Obedience to an applicable law, regulation, policy, or standard of conduct.

Computer Security Incident Response Team (CSIRT): The organizational unit responsible for coordinating the response to an information security incident. The role of MUSC's CSIRT is defined in the Incident Response policy.

Contingency Plan: A set of procedures, policies and record keeping activities intended to ensure that information systems and their data are recoverable in the event of major system failure or disaster, and to safeguard the continuity of mission critical business operations during such events.

Data Custodian: Someone with an operational management role over a repository.

Incident: See Information Security Incident.

Information Security: 1. The result of the continuous meeting or surpassing of a set of objectives that address information availability, confidentiality, and itegrity. 2. Reliability of an information system in spite of attacks, accidents, and errors.

Information Security Incident: A violation, or an imminent threat of violation, of computer security policies, acceptable use policies, or standard security practices. Examples of type of incidents include: denial of service, malicious software, unauthorized access, and inappropriate use of resources.

Information Assurance Compliance Officer: The person responsible for monitoring and enforcing compliance by an organization's workforce with the organization's information security policies. The responsibilities of Information Assurance Compliance Officers at MUSC are outlined here.

Information System: 1. A human and technical infrastructure for the storage, processing, transmission, input and output of information. 2. A set of components, used together to accomplish a specific function, or a set of related functions. Components may include computer hardware, software, operational procedures for data entry/update/import, query/reporting/export, and other manual or automated operational procedures.

Information System Owner: An individual or group responsible for critical decisions regarding an information system's use or function, including discontinuation of the system. The responsibilities of System Owners at MUSC are outlined here.

Information Technology (IT) Infrastructure: MUSC's IT infrastructure consists of those shared (community) resouces which are required to support Enterprise-wide information systems and applications. Its components evolve in response to technology changes, and to the requirements of the applications it must support. Current infrastructure components include the network cabling plant, routers, switches, hubs, Internet connections, remote access servers, firewalls, authentication servers, DNS and DHCP servers, email servers, directory servers, shared file servers, and networked storage and backup.

Infrastructure: See Information Technology (IT) Infrastructure.

IACO: See Information Assurance Compliance Officer.

Owner: See Information System Owner.

Protected Information: Information that, because of its criticality, its sensitivity, and/or legal or regulatory requirements, requires special safeguards.

Repository: Any temporary or permanent storage of information, including RAM, databases, file systems and any kind of portable media.

Risk Analysis: See Risk Assessment.

Risk Assessment: A formal assessment of risks to an information asset, wherein (a) the value of the asset, (b) all known or reasonably anticipated threats to the availability, integrity and confidentiality of the asset, (c) known vulnerabilities of the asset, and (d) the potential impacts of unauthorized or unintended disclosures or modifications, or unavailability or destruction of the asset, are considered, with the findings used to plan and implement safeguards to protect the asset.

Security Incident: See Information Security Incident.

Security Incident Handler: A person responsible for security incident response, who is authorized to access relevant system activity records, and to coordinate all actions needed to limit the impact of a security incident and/or facilitate the recovery of the affected system(s).

System: See Information System.

System Activity Record: A record of the activities that occur within an information system.

System Owner: See Information System Owner.

System Administrator: Someone with an operational management role over an information system. The responsibilities of system administrators are outlined here.

User: Someone authorized to use an information system.

Workforce Member: Employee, volunteer, student, trainee or other person who is under the direct control of the MUSC Enterprise, or any Entity within the MUSC Enterprise, in performance of work for the MUSC Enterprise or the Entity, whether or not he is monetarily compensated for that work.

Workstation: An electronic computing device generally used to support interactive use by a single person at a time, such as a desktop computer, laptop, tablet, or Personal Digital Assistant (PDA).