RE: retention of documentation

[Bob Starling]

In the Guidelines for Academic Medical Centers on Security and Privacy published by the Association for American Medical Colleges, with regard to audit controls they state:   The required retention period for audit log data may vary. In general, at least several months of data are necessary to adequately investigate instances of inappropriate access. The National Industrial Security Program, which oversees the protection of U.S. government classified information, requires at least six months of log data. This may be a reasonable and defensible goal for Academic Medical Centers as well. Also see: SEC.06 Internal Audit, SEC.09 Security Incident Procedures, PRIV.53 Complaints, and PRIV.54 Sanctions.   Bob Starling, Information Services, VP5 Cincinnati Children's Hospital Medical Center (Mail Location Code 9009) 3333 Burnet Avenue Cincinnati, OH 45229-3039 Phone: 513.636.7519 Fax: 513.636.7504 Page: 513.670.4519 (business hours only) Email: [EMAIL PROTECTED]   If you want to send a text message to my pager, please use the following email address: [EMAIL PROTECTED] >>> "Street, Bunny" <[EMAIL PROTECTED]> 3/12/02 10:21:44 AM >>> Although the security regs are in proposed status, is anyone aware of references to retention requirements for documentation; such as how long should audit information be retained?  Thanks Leslie Street Privacy Specialist Mountain States Health Alliance Johnson City, TN 36704 423-431-1661 [EMAIL PROTECTED] ********************************************************************** To be removed from this list, send a message to: [EMAIL PROTECTED] Please note that it may take up to 72 hours to process your request. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.