MUSC Policy: Information Security - Awareness and Training

 TITLE: Information Security  ID:
 ORIGINATOR: Information Security Office  DATE: Jan 5, 2005
 REVIEWED: President's Council  DATE: Feb 16, 2005
 APPROVED: Raymond S. Greenberg, MD, PhD  DATE: Feb 16, 2005
 IMPLEMENTATION: Enterprise-wide  DATE: Feb 16, 2005

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.308(a)(5)(i) Standard: Awareness and training
HIPAA Security: 164.308(a)(5)(ii)(A) Security reminders
HIPAA Security: 164.308(a)(5)(ii)(B) Protection from malicious software
HIPAA Security: 164.308(a)(5)(ii)(C) Log-in monitoring
HIPAA Security: 164.308(a)(5)(ii)(D) Password management
FTC Safeguards Rule: 314.4(b)(1)

2. POLICY

Each MUSC Entity's workforce member should meet information security training requirements that are appropriate for the workforce member's level of knowledge, experience, and responsibilities.

3. PROCEDURES

3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. Assigned Responsibilities

3.2.1. Supervisors and Managers

The managers and supervisors of each MUSC Entity's workforce members are responsible for ensuring that each workforce member has completed all current information security training requirements, and that the requirements met are appropriate for the workforce member's level of knowledge, experience, and responsibilities. Each workforce member's awareness and training program should consist of at least three types of activities:

3.2.2. IACOs

Each Entity's IACO is responsible for informing the Entity's managers and supervisors of current training requirements, training programs, and available documentation. Each MUSC Entity's training program should cover all MUSC information security policies, and any Entity-specific policies and procedures.

3.2.3. System Owners

System Owners are responsible for ensuring that each authorized User of the System has access to appropriate System-specific training resources and materials.

3.3. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.4. See Also

MUSC Policy: Information Security

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.