MUSC Policy: Information Security - Audit Controls

TITLE: Information Security  ID:
ORIGINATOR: Information Security Office  DATE: Jan 5, 2005
REVIEWED: President's Council  DATE: Feb 16, 2005
APPROVED: Raymond S. Greenberg, MD, PhD  DATE: Feb 16, 2005
IMPLEMENTATION: Enterprise-wide  DATE: Feb 16, 2005

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.312(b) Standard: Audit Controls
HIPAA Security: 164.308(a)(1)(ii)(D) Information System Activity Review
HIPAA Security: 164.308(a)(1)(ii)(A) Risk analysis
FTC Safeguards Rule: 314.4(b)(3)

2. POLICY

Each MUSC Information System must have audit controls that are sufficient to meet all legal, ethical, and business requirements. System activity records must be regularly reviewed by the appropriate personnel.

3. PROCEDURES

3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. Assigned Responsibilities

The designated Owner of each MUSC Information System is responsible for ensuring that the system's audit controls are sufficient to meet all legal, ethical and business requirements. The System Owner is required to ensure that system activity records are regularly reviewed by the appropriate personnel.

The types of system activities that are recorded, and the manner and frequency of their regular review, should be guided by the System Owner's Risk Assessment. The System Owner should ensure that System-specific procedures for the creation, retention and regular review of system activity records are documented and followed.

The System Owner, and the designated System Administrator, must also make system activity records available upon request by other authorized personnel, including the Enterprise ISO, the Entity IACOs, and authorized CSIRT personnel, for use in verifying that the system is being operated and used in compliance with applicable laws, regulations, and policies.

3.3. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.4. See Also

MUSC Policy: Information Security
MUSC Policy: Information Security - Risk Management
MUSC Policy: Information Security - Incident Response

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.