MUSC Policy: Information Security - Workforce Security

TITLE: Information Security
ID:
ORIGINATOR: Information Security Office — DATE: Jan 5, 2005
REVIEWED: President's Council — DATE: Feb 16, 2005
APPROVED: Raymond S. Greenberg, MD, PhD — DATE: Feb 16, 2005
IMPLEMENTATION: Enterprise-wide — DATE: Feb 16, 2005

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.308(a)(3)(i) Standard: Workforce security
HIPAA Security: 164.308(a)(3)(ii)(A) Authorization and/or supervision
HIPAA Security: 164.308(a)(3)(ii)(B) Workforce clearance procedures
HIPAA Security: 164.308(a)(3)(ii)(C) Termination procedures
HIPAA Security: 164.308(a)(4)(i) Standard: Information access management
HIPAA Security: 164.308(a)(4)(ii)(B) Access authorization
HIPAA Security: 164.308(a)(4)(ii)(C) Access establishment and authorization
FTC Safeguards Rule: 314.3(b)(3)
FTC Safeguards Rule: 314.4(b)(1)

2. POLICY

Only workforce members with a need to access protected information should be granted such access.

3. PROCEDURE

3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. Assigned Responsibilities

3.2.1. IACOs

Entity IACOs are required to develop and disseminate procedures to ensure that only their entity's workforce members with a need to access protected information are granted such access.

3.2.2. Supervisors and Managers

The supervisors and managers of an Entity's workforce members are responsible for determining and authorizing each assigned workforce member's access to any information system that houses protected information. A workforce member may not authorize his own access to an information system that houses protected information.

The supervisors and managers of an Entity's workforce members are also responsible for updating or withdrawing their assigned workforce member's authorizations as needed to reflect changes in assigned role, or termination from the Entity's workforce. To protect against unauthorized physical access to locations where protected information may be accessible, the manager must also ensure that any terminated workforce member turn in all facility access control mechanisms such as keys and key cards, and that any combination locks and/or other access control codes are changed as necessary. Managers must also ensure the return of any assigned computer equipment.

3.2.3. System Administrators

The System Administrator of each MUSC information system that houses protected information is responsible for ensuring that no workforce member is granted access to protected information unless that access has been authorized by the workforce member's supervisor or manager, and that the access has not subsequently been revoked by the supervisor or manager because of a change in the workforce member's assigned role or workforce membership status.

3.3. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.4. See Also

MUSC Policy: Information Security
MUSC Policy: Information Security - Access Control
MUSC Information Security Standards: Identity and Access Management

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.