MUSC Policy: Information Security Documentation

 TITLE: Information Security  ID:
 ORIGINATOR: Information Security Office  DATE: Jan 5, 2005
 REVIEWED: President's Council  DATE: Feb 16, 2005
 APPROVED: Raymond S. Greenberg, MD, PhD  DATE: Feb 16, 2005
 IMPLEMENTATION: Enterprise-wide  DATE: Feb 16, 2005


Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.316(b)(1) Standard: Documentation
FTC Safeguards Rule: 314.3(a)


Information security management processes at MUSC must be documented. The types of processes that must be documented include: risk assessments, risk management actions, and changes to security policies and procedures.


3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. Assigned Responsibilities

In each case, the person responsible for the documentation must ensure that the documentation is (a) made available as needed to all authorized personnel, (b) periodically reviewed, (c) updated as needed in response to environmental or operational changes, and (d) retained for a minimum of six years.

3.3. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.4. See Also

MUSC Policy: Information Security
MUSC Policy: Information Security - Risk Management
MUSC Policy: Information Security - Evaluation


This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.