Information System Activity Review [Policy #2005-07]

A.     EFFECTIVE DATE : July 9, 2018
B.      POLICY SPONSOR: Vice President & Chief Information Officer
C.      PURPOSE : To establish requirements for the creation of electronic log files required for reviewing system and user activity to detect and respond to anomalous system activity and/or inappropriate access to, or use of, information systems or data in accordance with regulatory requirements applicable to the clinical enterprise.
D.     POLICY :

1.      IT resources that store, access, or transmit confidential data shall electronically log activity into created log files.

2.      Electronic log file generation, transmission, storage, analysis and disposal will be performed in accordance with UConn Health Audit and Logging Standards.

3.      Data Stewards, or their designees, are responsible for developing and implementing procedures for periodically examining information systems and log files for access control discrepancies, breaches and policy violations.

4.      System activity reviews shall be performed weekly. More frequent reviews may be required based on the system criticality and nature of data transmitted, maintained, processed or accessed on/from the electronic resource.

5.      Electronic log files will be retained in accordance with regulatory and statutory requirements.

E.      SCOPE : This policy applies to all UConn Health Workforce, Business Associates, Non-Workforce and all other individuals granted access to UConn Health electronic resources. This policy also applies to all computing and network equipment and software owned, leased, operated or contracted by UConn Health.
F.      PROCEDURES, GUIDELINES AND PROTOCOLS : Information System Audit Log Standards and Procedures – (Restricted Access – Contact Information Security Office)
G.     REFERENCES : State of Connecticut HIPAA Security Policy

45 C.F.R. § 164.308(a)(1)(ii)(D)

State of Connecticut State Agencies’ Record Schedule S6

Information System Audit Log Standards and Procedures

H.     RELATED POLICIES : UConn Health 2003-31 Data Classification and Use Policy
I.       SEARCH WORDS : Audit, Logging, Activity Review
J.       ENFORCEMENT: Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, the University of Connecticut Student Code, other applicable University Policies, or as outlined in the procedures document related to this policy.
K.      APPROVED: By:  Scott Jordan, Executive VP for Administration and CFO

Date:   12/05/18


By:  Alan Calandro, Administrative Policy Committee Chair

Date:  12/05/18

L.      REVISION HISTORY :

1.      New Policy Approved: 1/28/05

2.      Revised: 7/9/18

3.      Revised: 12/4/18