MUSC Policy: Information Security - Risk Management

 TITLE: Information Security  ID:
 ORIGINATOR: Information Security Office  DATE: Jan 5, 2005
 REVIEWED: President's Council  DATE: Feb 16, 2005
 APPROVED: Raymond S. Greenberg, MD, PhD  DATE: Feb 16, 2005
 IMPLEMENTATION: Enterprise-wide  DATE: Feb 16, 2005

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.308(a)(1)(i) Security management process
HIPAA Security: 164.308(a)(1)(ii)(A) Risk analysis
HIPAA Security: 164.308(a)(1)(ii)(B) Risk management
FTC Safeguards Rule: 314.4(b)

2. POLICY

The designated Owner of each MUSC Information System is required to conduct Risk Assessments at appropriate points in the system's lifecycle, beginning before the system is implemented, so that all reasonably anticipated risks to the availability, integrity, and confidentiality of information are identified, analyzed, and appropriately managed.

The System Owner is required to ensure that security safeguards are implemented and maintained that reduce identified risks to a reasonable and appropriate level and that comply with applicable laws, regulations, and policies.

3. PROCEDURES

3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.3. See Also

MUSC Policy: Information Security
MUSC Policy: Information Security - Documentation
MUSC Policy: Information Security - Evaluation
MUSC Information Security Standards: Risk Management
MUSC Information Security Guidelines: Risk Management

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.