MUSC Policy: Information Security

 TITLE: Information Security  ID:
 ORIGINATOR: Information Security Office  DATE: Jan 5, 2005
 REVIEWED: President's Council  DATE: Feb 16, 2005
 APPROVED: Raymond S. Greenberg, MD, PhD  DATE: Feb 16, 2005
 IMPLEMENTATION: Enterprise-wide  DATE: Feb 16, 2005

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.308(a)(1) Security Management Process
HIPAA Security: 164.308(a)(2) Assigned Security Responsibility
HIPAA Security: 164.308(a)(8) Evaluation
FTC Safeguards Rule: 314.3(a)
FTC Safeguards Rule: 314.3(b)
FTC Safeguards Rule: 314.4(a)
FTC Safeguards Rule: 314.4(b)

2. POLICY

MUSC's information is an important asset. Appropriate safeguards are required to protect MUSC's information assets against reasonably anticipated threats to their availability, integrity, and confidentiality.

All faculty, students and staff share in the responsibility for the protection of all of MUSC's information assets.

The protection of each of MUSC's information resources must be based upon sound risk management principles, to ensure that protective measures are reasonable and appropriate, and are commensurate with the value, sensitivity, and criticality of the resource. In addition, protective measures must meet all applicable regulatory and legal requirements.

This policy applies across all the entities that comprise the MUSC Enterprise. It applies to all information resources, whether on campus or accessed from remote locations. These resources include all information, data, computers, computer systems, and networks, that are acquired, developed, or maintained in direct or indirect support of MUSC's mission.

3. PROCEDURES

3.1. Definitions

Please refer to Appendix A.

3.2. Assigned Responsibilities

3.2.1. Office of the Chief Information Officer (OCIO)

The Office of the CIO (OCIO) for the MUSC Enterprise will designate an Enterprise Information Security Officer (ISO), to whom the following responsibilities are assigned:

3.2.2. System Owners

From its inception, each Information System that is implemented and used within the MUSC Enterprise must have a designated Owner. The Owner of an Information System is responsible for:

3.2.3. System Administrators

The Owner of each Information System within the MUSC Enterprise must designate a System Administrator, who is responsible for:

3.2.4. Information System Users

All faculty, students and staff across the MUSC Enterprise are responsible for:

3.3. Sanctions

Any employee of any Entity within the MUSC Enterprise who violates an information security policy is subject to disciplinary action, as specified in the Human Resource policies and procedures for the Entity.

Any MUSC faculty member who violates an information security policy is subject to disciplinary action, following the procedures specified in the MUSC Faculty Handbook.

Any MUSC student who violates an information security policy is subject to disciplinary action, following the procedures specified in the MUSC Bulletin.

3.4. See Also

MUSC Computer Use Policy
MUSC Policy: Information Security - Risk Management
MUSC Policy: Information Security - Asset Inventory and Classification
MUSC Policy: Information Security - Data Protection
MUSC Policy: Information Security - Evaluation
MUSC Policy: Information Security - Workforce Security
MUSC Policy: Information Security - Awareness and Training
MUSC Policy: Information Security - Incident Response
MUSC Policy: Information Security - Contingency Plan
MUSC Policy: Information Security - Workstation Use
MUSC Policy: Information Security - Device and Media Controls
MUSC Policy: Information Security - Access Control
MUSC Policy: Information Security - Network Access
MUSC Policy: Information Security - Audit Controls
MUSC Policy: Information Security - Person or Entity Authentication
MUSC Policy: Information Security - Data Integrity
MUSC Policy: Information Security - Encryption
MUSC Policy: Information Security - Documentation

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.


Appendix A: Definitions

Access Control
1. Security procedures implemented to control the ability of persons or other agents to physically and/or logically access or interact with information systems, services, or other assets. 2. The process of limiting access to resources, to authorized users, programs, processes, or other networks.
Audit Control
Security procedures for recording and examining system activity to verify compliance with security policy. These procedures typically include hardware, software, and procedural elements.
Authentication
1. Corroboration that a person is the one claimed. 2. A security measure intended to establish the validity of a message or its originator.
Authorization
A permission to access or operate upon an information resource in a defined manner, or the act of granting such a permission.
Authorizer
Someone permitted by the System Owner to authorize system access requests.
Compliance
Obedience to an applicable law, regulation, policy, or standard of conduct.
Computer Security Incident Response Team (CSIRT)
The organizational unit responsible for coordinating the response to an information security incident. The role of MUSC's CSIRT is defined in the Incident Response policy.
Contingency Plan
A set of procedures, policies and record keeping activities intended to ensure that information systems and their data are recoverable in the event of major system failure or disaster, and to safeguard the continuity of mission critical business operations during such events.
Data Custodian
Someone with an operational management role over a repository.
End-User Device
A computing, communications, or storage device that is operated by an end-user. Includes desktop computers, laptops, tablets, PDAs, and other types of workstations, as well as thumb drives, memory cards, and communication devices such as cell phones or smart phones. May be personally or institutionally owned or managed.
Incident
See Information Security Incident.
Information Security
1. The result of the continuous meeting or surpassing of a set of objectives that address information availability, confidentiality, and integrity. 2. Reliability of an information system in spite of attacks, accidents, and errors.
Information Security Incident
A violation, or an imminent threat of violation, of computer security policies, acceptable use policies, or standard security practices. Examples of types of incidents include: denial of service, malicious software, unauthorized access, and inappropriate use of resources.
Information System
1. A human and technical infrastructure for the storage, processing, transmission, input and output of information. 2. A set of components, used together to accomplish a specific function, or a set of related functions. Components may include computer hardware, software, operational procedures for data entry/update/import, query/reporting/export, and other manual or automated operational procedures.
Information System Owner
An individual or group responsible for critical decisions regarding an information system's use or function, including discontinuation of the system. The responsibilities of System Owners at MUSC are outlined here.
Information Technology (IT) Infrastructure
MUSC's IT infrastructure consists of those shared (community) resources which are required to support Enterprise-wide information systems and applications. Its components evolve in response to technology changes, and to the requirements of the applications it must support. Current infrastructure components include the network cabling plant, routers, switches, hubs, Internet connections, remote access servers, firewalls, authentication servers, DNS and DHCP servers, email servers, directory servers, shared file servers, and networked storage and backup.
Infrastructure
See Information Technology (IT) Infrastructure.
Owner
See Information System Owner.
Protected Information
Information that, because of its criticality, its sensitivity, and/or legal or regulatory requirements, requires special safeguards.
Repository
Any temporary or permanent storage of information, including RAM, databases, file systems and any kind of portable media.
Risk Analysis
See Risk Assessment.
Risk Assessment
A formal assessment of risks to an information asset, wherein (a) the value of the asset, (b) all known or reasonably anticipated threats to the availability, integrity and confidentiality of the asset, (c) known vulnerabilities of the asset, and (d) the potential impacts of unauthorized or unintended disclosures or modifications, or unavailability or destruction of the asset, are considered, with the findings used to plan and implement safeguards to protect the asset.
Security Incident
See Information Security Incident.
Security Incident Handler
A person responsible for security incident response, who is authorized to access relevant system activity records, and to coordinate all actions needed to limit the impact of a security incident and/or facilitate the recovery of the affected system(s).
System
See Information System.
System Activity Record
A record of the activities that occur within an information system.
System Owner
See Information System Owner.
System Administrator
Someone with an operational management role over an information system. The responsibilities of system administrators are outlined here.
User
Someone authorized to use an information system.
Workforce Member
Employee, volunteer, student, trainee or other person who is under the direct control of the MUSC Enterprise, or any Entity within the MUSC Enterprise, in performance of work for the MUSC Enterprise or the Entity, whether or not he is monetarily compensated for that work.
Workstation
An electronic computing device generally used to support interactive use by a single person at a time, such as a desktop computer, laptop, tablet, or Personal Digital Assistant (PDA).