MUSC Policy MUSC-xx: Information Security - Access Control
Definitions:
- Refer to MUSC Policy MUSC-xx: Information Security: Appendix A.
Policy:
If an MUSC System may be used to house protected information, then the designated Owner of the System is responsible for ensuring that access to the System is controlled. The System's access control policies and procedures must enforce the principle that access to protected information must be restricted to authorized users of the information.
The Owner of the System is responsible for ensuring that the following specific objectives are met:
- Users of the System are assigned unique identifiers to enable tracking of their access to protected information.
- Procedures for the proper management of the passwords, access codes, and/or other tokens that are assigned to users are documented.
- User sessions that may provide access to protected information are automatically terminated after a predetermined period of inactivity.
- Procedures exist to allow authorized users to obtain access to protected information in an emergency.
- Encryption is used whenever reasonable and appropriate to restrict access to protected information.
Each User of the System is required to:
- Properly manage his password, access codes, and/or other tokens, following the procedures documented for the System.
- Report any apparent discrepancies in the use of the account to the System Administrator for the System.
Sanctions:
- Refer to MUSC Policy MUSC-xx: Information Security: Sanctions.
See Also:
- MUSC Policy MUSC-xx: Information Security
- MUSC Policy MUSC-xx: Information Security - Risk Management
- MUSC Policy MUSC-xx: Information Security - Workforce Security
References:
- HIPAA Security 164.312(a)(1) Standard: Access control
- HIPAA Security 164.312(a)(2)(i) Unique user identification
- HIPAA Security 164.312(a)(2)(ii) Emergency access procedure
- HIPAA Security 164.312(a)(2)(iii) Automatic logoff
- HIPAA Security 164.312(a)(2)(iv) Encryption and decryption
- HIPAA Security 164.308(a)(5)(ii)(C) Log-in monitoring
- HIPAA Security 164.308(a)(5)(ii)(D) Password management
- GLBA Safeguards Rule: 314.3(b)(3)
$Id: access-control.html,v 1.4 2004/12/10 19:45:52 gadsden Exp $