MUSC Policy MUSC-xx: Information Security - Access Control


Definitions:

Refer to MUSC Policy MUSC-xx: Information Security: Appendix A.

Policy:

If an MUSC System may be used to house protected information, then the designated Owner of the System is responsible for ensuring that access to the System is controlled. The System's access control policies and procedures must enforce the principle that access to protected information must be restricted to authorized users of the information.

The Owner of the System is responsible for ensuring that the following specific objectives are met:

  • Users of the System are assigned unique identifiers to enable tracking of their access to protected information.
  • Procedures for the proper management of the passwords, access codes, and/or other tokens that are assigned to users are documented.
  • User sessions that may provide access to protected information are automatically terminated after a predetermined period of inactivity.
  • Procedures exist to allow authorized users to obtain access to protected information in an emergency.
  • Encryption is used whenever reasonable and appropriate to restrict access to protected information.

Each User of the System is required to:

  • Properly manage his password, access codes, and/or other tokens, following the procedures documented for the System.
  • Report any apparent discrepancies in the use of the account to the System Administrator for the System.

Sanctions:

Refer to MUSC Policy MUSC-xx: Information Security: Sanctions.

See Also:

MUSC Policy MUSC-xx: Information Security
MUSC Policy MUSC-xx: Information Security - Risk Management
MUSC Policy MUSC-xx: Information Security - Workforce Security

References:

HIPAA Security 164.312(a)(1) Standard: Access control
HIPAA Security 164.312(a)(2)(i) Unique user identification
HIPAA Security 164.312(a)(2)(ii) Emergency access procedure
HIPAA Security 164.312(a)(2)(iii) Automatic logoff
HIPAA Security 164.312(a)(2)(iv) Encryption and decryption
HIPAA Security 164.308(a)(5)(ii)(C) Log-in monitoring
HIPAA Security 164.308(a)(5)(ii)(D) Password management
GLBA Safeguards Rule: 314.3(b)(3)
$Id: access-control.html,v 1.4 2004/12/10 19:45:52 gadsden Exp $