MUSC Policy MUSC-xx: Information Security - Device and Media Controls
Definitions:
- Refer to MUSC Policy MUSC-xx: Information Security: Appendix A.
Policy:
If an MUSC workstation or other system contains (or has ever contained) protected information, then the designated Owner of the system is responsible for ensuring that the device and media controls that govern the receipt, movement, and disposal of the system's hardware and electronic media are sufficient to meet all legal, ethical and business requirements.
The system's device and media controls must govern the disposal and re-use of hardware or media that may contain protected information, and should ensure accountability for any workforce member who moves the system's hardware or media. Controls should also ensure that hardware or media containing protected information is not moved unless a backup copy of the information exists.
The specific media controls used with a system should be guided by the system's Risk Assessment. The System Owner must ensure that appropriate System-specific procedures are created, documented, and followed. See Guidelines for Device and Media Controls [link] for more information.
Sanctions:
- Refer to MUSC Policy MUSC-xx: Information Security: Sanctions.
See Also:
- MUSC Policy MUSC-xx: Information Security
- MUSC Policy MUSC-xx: Information Security - Risk Management
- MUSC Information Technology Guideline: Device and Media Controls
References:
- HIPAA Security 164.310(d)(1) Standard: Device and media controls
- HIPAA Security 164.310(d)(2)(i) Disposal
- HIPAA Security 164.310(d)(2)(ii) Media Re-use
- HIPAA Security 164.310(d)(2)(iii) Accountability
- HIPAA Security 164.310(d)(2)(iv) Data backup and storage
- GLBA Safeguards Rule: 314.4(b)(2)
$Id: device-and-media-controls.html,v 1.3 2004/12/10 19:45:52 gadsden Exp $