MUSC Policy MUSC-xx: Information Security - Audit Controls
Definitions:
- Refer to MUSC Policy MUSC-xx: Information Security: Appendix A.
Policy:
The designated Owner of each MUSC Information System is responsible for ensuring that the system's audit controls are sufficient to meet all legal, ethical and business requirements. The System Owner is required to ensure that system activity records are regularly reviewed by the appropriate personnel.
The types of system activities that are recorded, and the manner and frequency of their regular review, should be guided by the System Owner's Risk Assessment. The System Owner should ensure that System-specific procedures for the creation, retention and regular review of system activity records are documented and followed. See [GUIDELINES FOR AUDIT CONTROLS] for further information.
The System Owner, and the designated System Administrator, must also make system activity records available upon request by other authorized personnel, including the Enterprise ISO, the Entity IACOs, and authorized CSIRT personnel, for use in verifying that the system is being operated and used in compliance with applicable laws, regulations, and policies.
Sanctions:
- Refer to MUSC Policy MUSC-xx: Information Security: Sanctions.
See Also:
- MUSC Policy MUSC-xx: Information Security
- MUSC Policy MUSC-xx: Information Security - Risk Management
- MUSC Policy MUSC-xx: Information Security - Incident Response
References:
- HIPAA Security 164.312(b) Standard: Audit Controls
- HIPAA Security 164.308(a)(1)(ii)(D) Information System Activity Review
- HIPAA Security 164.308(a)(1)(ii)(A) Risk analysis
- GLBA Safeguards Rule: 314.4(b)(3)
$Id: audit-controls.html,v 1.6 2004/12/10 19:45:52 gadsden Exp $