|TITLE: Information Security||ID:|
|ORIGINATOR: Information Security Office||DATE: Jan 5, 2005|
|REVIEWED: President's Council||DATE: Feb 16, 2005|
|APPROVED: Raymond S. Greenberg, MD, PhD||DATE: Feb 16, 2005|
|IMPLEMENTATION: Enterprise-wide||DATE: Feb 16, 2005|
Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:
Each MUSC Information System must have audit controls that are sufficient to meet all legal, ethical, and business requirements. System activity records must be regularly reviewed by the appropriate personnel.
The designated Owner of each MUSC Information System is responsible for ensuring that the system's audit controls are sufficient to meet all legal, ethical, and business requirements. The System Owner is required to ensure that system activity records are regularly reviewed by the appropriate personnel.
The types of system activities that are recorded, and the manner and frequency of their regular review, should be guided by the System Owner's Risk Assessment. The System Owner should ensure that System-specific procedures for the creation, retention, and regular review of system activity records are documented and followed.
The System Owner, and the designated System Administrator, must also make system activity records available upon request by other authorized personnel, including the Enterprise ISO, the Entity IACOs, and authorized CSIRT personnel, for use in verifying that the system is being operated and used in compliance with applicable laws, regulations, and policies.
This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.