MUSC Policy: Information Security - Access Control

 TITLE: Information Security  ID:
 ORIGINATOR: Information Security Office  DATE: Jan 5, 2005
 REVIEWED: President's Council  DATE: Feb 16, 2005
 APPROVED: Raymond S. Greenberg, MD, PhD  DATE: Feb 16, 2005
 IMPLEMENTATION: Enterprise-wide  DATE: Feb 16, 2005

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.312(a)(1) Standard: Access control
HIPAA Security: 164.312(a)(2)(i) Unique user identification
HIPAA Security: 164.312(a)(2)(ii) Emergency access procedure
HIPAA Security: 164.312(a)(2)(iii) Automatic logoff
HIPAA Security: 164.312(a)(2)(iv) Encryption and decryption
HIPAA Security: 164.308(a)(5)(ii)(C) Log-in monitoring
HIPAA Security: 164.308(a)(5)(ii)(D) Password management
FTC Safeguards Rule: 314.3(b)(3)

2. POLICY

If an MUSC System may be used to house protected information, then the System's access control policies and procedures must enforce the principle that access to protected information must be restricted to authorized users of the information.

3. PROCEDURES

3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. Assigned Responsibilities

3.2.1. System Owners

If an MUSC System may be used to house protected information, then the designated Owner of the System is responsible for ensuring that access to the System is controlled, and that access to the System's protected information is restricted to authorized users of the information.

The Owner of the System is responsible for ensuring that the following specific objectives are met:

3.2.2. System Users

Each User of the System is required to:

3.3. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.4. See Also

MUSC Policy: Information Security
MUSC Policy: Information Security - Workforce Security
MUSC Policy: Information Security - Person or Entity Authentication
MUSC Policy: Information Security - Encryption
MUSC Information Security Standards: Identity and Access Management

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.