|TITLE: Information Security||ID:|
|ORIGINATOR: Information Security Office||DATE: Jan 5, 2005|
|REVIEWED: President's Council||DATE: Feb 16, 2005|
|APPROVED: Raymond S. Greenberg, MD, PhD||DATE: Feb 16, 2005|
|IMPLEMENTATION: Enterprise-wide||DATE: Feb 16, 2005|
Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:
Only workforce members with a need to access protected information should be granted such access.
Entity IACOs are required to develop and disseminate procedures to ensure that only their entity's workforce members with a need to access protected information are granted such access.
The supervisors and managers of an Entity's workforce members are responsible for determining and authorizing each assigned workforce member's access to any information system that houses protected information. A workforce member may not authorize his own access to an information system that houses protected information.
The supervisors and managers of an Entity's workforce members are also responsible for updating or withdrawing their assigned workforce members' authorizations as needed to reflect changes in assigned role or termination from the Entity's workforce. To protect against unauthorized physical access to locations where protected information may be accessible, the manager must also ensure that any terminated workforce member turns in all facility access control mechanisms, such as keys and key cards, and that any combination locks and/or other access control codes are changed as necessary. Managers must also ensure the return of any assigned computer equipment.
The System Administrator of each MUSC information system that houses protected information is responsible for ensuring that no workforce member is granted access to protected information unless that access has been authorized by the workforce member's supervisor or manager and, further, has not been revoked by the supervisor or manager due to a change in assigned role or workforce membership status.
This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.