MUSC Policy MUSC-xx: Information Security Documentation


Definitions:

Refer to MUSC Policy MUSC-xx: Information Security: Appendix A.

Policy:

Information security management processes at MUSC must be documented. The types of processes that must be documented include risk assessments, risk management actions, and changes to security policies and procedures:

  • System Owners are responsible for documenting their risk assessments.
  • Management is required to document its risk management actions.
  • The maintainer of a security policy or procedure is required to document changes to the policy or procedure.

In each case, the person responsible for the documentation must ensure that the documentation is (a) made available as needed to all authorized personnel, (b) periodically reviewed, (c) updated as needed in response to environmental or operational changes, and (d) retained for a minimum of six years.

Sanctions:

Refer to MUSC Policy MUSC-xx: Information Security: Sanctions.

See Also:

MUSC Policy MUSC-xx: Information Security
MUSC Policy MUSC-xx: Information Security - Risk Management
MUSC Policy MUSC-xx: Information Security - Evaluation

References:

HIPAA Security 164.316(b)(1) Standard: Documentation
GLBA Safeguards Rule: 314.3(a)
$Id: documentation.html,v 1.7 2004/12/10 19:45:52 gadsden Exp $