Skip to content Skip to navigation


Round II of Microsoft Office 365 migrations complete

July 21, 2015

On Sunday, July 20, University IT completed round two of the Zimbra email and calendar migration to Microsoft Office 365. 1,882 accounts were migrated to the new email and calendar service. The departments and units that were migrated include:  Business Affairs; Dean of Research; SE3 (and postdocs); and a small group of other Stanford affiliates.  

To find out when your area migrates to Office 365, visit the Office 365 service page.

University IT Monthly Rates to Hold Steady in FY16

June 24, 2015

We are pleased to let you know that all monthly rates will hold steady through FY16 for services we provide to university departments and organizations!

Many factors impact the rates we charge — usage volumes increase and decrease, staff salaries rise, and advances in technology and operational improvements often result in cost-saving  efficiencies, just to name a few. As we looked at these factors this year, we found that those resulting in increased expenses could be offset by others where we could achieve cost savings. The result is that we will not raise any of our monthly service rates in FY16. Since monthly service rates affect the bulk of your University IT charges, we hope this is welcomed news. 

A few one-time rates will change beginning September 1, 2015. You can always see our current rates at the rates section of our website.   
A note for those departments and administrative units that consolidate their University IT-provided telephone, network, and video services into a single Converged Communications fee: While the FY16 Converged Communication rate will remain the same, we will be conducting our annual review in the coming weeks to account for any volume increases or decreases that may impact your charges. We will share FY16 Converged Communications fee updates via a separate email communication. 
Everyone in University IT is committed to providing you with the highest value services possible. We hope this rate information is helpful as you plan your next year's budget. 

Sam Steinhardt joins the Office of the CIO

June 11, 2015

In forming University IT just over a year ago, our goal has been to provide the most seamless experience that we can for clients across campus. To further increase our operational effectiveness, efficiency, consistency, and integration, I am creating a University IT Shared Services unit to provide non-technical shared support. 

I’m pleased to announce that Sam Steinhardt will become the Assistant Vice President for University IT Shared Services, effective Monday, June 15, 2015. Sam will report to me, and will join the Office of the CIO.  

The University IT Shared Services organization will include:

  • Finance, led by Molly Reynick
  • Vendor Management, led by Tracy Yuan
  • Business Partners, led by John Freshwaters
  • Communications, led by Jim Knox
  • Service Management, led by Kathy Pappas Kassaras

Combining the Financial and Vendor units will create greater efficiencies with respect to the management of University IT financial resources. Bringing the Business Partners and Communications units together will continue to develop a single voice to the Stanford community. Service Management will help create consistent systems and processes across University IT. The University IT Finance function will continue to have a secondary reporting relationship to Noel Hirst, Assistant Vice President for Business Affairs Finance and Facilities.

Sam has worked closely with clients to simplify business operations and to consolidate campus spending. He recently led a team of eight leaders from across University IT to better align the three organizations of Administrative Systems, the Information Security Office, and IT Services. To this new role, Sam brings business savvy, strategic perspective, and a dedication to continuous improvement.  

Please join me in welcoming Sam to his new role. 


Randy Livingston
Vice President for Business Affairs and CFO

Issues accessing email and calendar from mobile devices

May 22, 2015

Dear Stanford mobile device user community,

During a planned upgrade to Stanford’s Mobile Device Management system (AirWatch) on the morning of May 22nd, your mobile device may have been disconnected from Stanford email, calendar and contacts. We apologize for this, and we assure you that no data has been lost.

You will need to re-enter your Stanford password in order to reload the data to your mobile device. It may take a while to fully resynchronize your data, so we recommend connecting to a WiFi network to expedite the process. You can re-enter your password on Apple devices under: Settings --> Mail, Contacts, Calendars --> Stanford Mail --> Account --> Password.

If you need additional assistance, please contact the Service Desk at 725-HELP (4357) or submit a help request at

Certificate warnings in Chrome 42

April 20, 2015

Google released Chrome 42 last week, and as users have upgraded, they've seen a warning about the SSL certificates installed on a number of Stanford websites. A red X and line appear in the lock icon and "https" of the URL.

This warning is displayed for certificates that are signed with an older encryption algorithm. It is not an indication that there's a current security problem with the site or certificate—this is Chrome's way of encouraging more rapid adoption of stronger encryption.

While new certificates that Stanford issues are signed with stronger encryption methods, issues with some older operating systems and applications prevent University IT from deploying newer certificates across all sites right now.

In the meantime, this specific warning in Chrome 42 and later versions can be safely ignored. For more information about this warning and the reasons behind it, please see this post from Google's security blog.

If you have any questions, please submit a HelpSU request.

Blue Jeans and Google Chrome v42 and higher

April 13, 2015

Important!  The new Google Chrome browser version 42 and higher will no longer work with live Blue Jeans meetings.  If you try to join a Blue Jeans meeting in Chrome v42 and higher, Blue Jeans will redirect the meeting from your Chrome browser to your operating system's pre-installed browser (Mac=Safari, Windows=Internet Explorer, or Linux=Firefox). Click here for more details.


Important! Upgraded version of Google Chrome will impact Blue Jeans Users

March 17, 2015
In an upcoming version of Google Chrome -- possibly version 43, expected on or around April 1st -- Google is expected to make changes that will impact Blue Jeans users. 
Although you can continue to use Chrome as your default browser to access My Meetings, pair with room systems, and conduct scheduling, administrative, and reporting tasks, this upcoming version of Chrome will no longer support the live "in-meeting" experience in a browser window. Google has postponed this change in the past, so Blue Jeans is watching closely for additional news about Chrome 43.

 Meanwhile, Blue Jeans is preparing to release a new Blue Jeans application to support the live in-meeting experience for Chrome users. Please read the Blue Jeans FAQ for information on how to minimize any inconvenience for those who use Chrome with Blue Jeans.

Moving from Drupal 6 to Drupal 7

March 9, 2015

Drupal community support for Drupal 6 is expected to end soon. For information security reasons, University IT strongly recommends migrating Drupal 6 sites to Drupal 7 as soon as possible rather than waiting until support for Drupal 6 ends.

Migrating your site to Drupal 7 is not an automated process and could take up to several weeks or months, depending on the size of your site. For more information on how to migrate your Drupal 6 site to Drupal 7, go to

March University IT Newsletter Available

March 3, 2015

University IT is a collaborative partnership of the three IT units within Stanford’s Business Affairs organization, all dedicated to delivering world-class service and technological solutions in support of research, teaching and learning, administration, and healthcare.

The March issue of the University IT newsletter is now available.

Access to Restricted Library Journals From Off-Campus

December 19, 2014

Stanford University Libraries (SUL) is updating the method by which authorized community members access restricted journals from off-campus.

Rather than using Stanford's VPN (Virtual Private Network),  SUL wants community members to use its EZProxy service:

The community is encouraged to use this new method immediately.

Two-Step Authentication Service Enhanced

December 18, 2014


Stanford University IT

Two-Step Authentication Service Enhanced

Last weekend, University IT rolled out the new Two-Step Authentication service powered by Duo Security. With this enhancement to the service, you have new options for two-step authentication, including:

  • Duo push notification — A push notification is sent to your smartphone or tablet. No more typing in codes!
  • Duo passcode — A six-digit authentication code is generated on your smartphone or tablet and you simply type the code in WebLogin to authenticate. Internet or cellular access is not required.
  • Phone call — You receive an automated phone call to a number you designated earlier. After answering, you press any key to confirm your identity and authenticate.

You can still use SMS text message, Google Authenticator (if you had already set it up prior to this service upgrade) and Printed List (though this will be phased out in 2015 and replaced by a hardware token that generates authentication codes).

A couple of other great features of the new service are:

  • a backup option that allows you to use a secondary two-step authentication device if your primary device is not available; and
  • a self-service "one-time-use" passcode option that allows you to generate an authentication code when you don't have access to your primary or secondary two-step authentication device (e.g., you left your smartphone at home). You must have your Stanford ID card available to complete the passcode.

Additionally, with the university now using Duo, faculty, staff, or students who have a dual affiliation with Stanford Children's Health can use the Duo app to authenticate in the same way with either institution's systems by simply adding an account to the Duo app. Stanford Health Care is currently testing Duo. When it goes live, Stanford community members can add the SHC account to their Duo app as well.

Please go in to and try any of the new methods and set up your backup device. Encourage your staff and colleagues to do the same. The instructions are available from the new Two-Step Authentication service site.

You may also notice that University IT updated the look of WebLogin. The new screens now align with Stanford's latest identity guidelines.

We hope you find the new Two-Step Authentication service and the new WebLogin screens make it easier for you to help us protect Stanford's data and resources.

If you have any questions, please submit a help request.


Drupal 6 on the Collaboration Tools Installer retiring

December 17, 2014

This is a notification that the Drupal community will stop releasing updates for Drupal 6 sites about three months after the release of Drupal 8, which is likely to be released in the next year. University IT will continue to test and provide updates to Drupal 6 sites through the upgrade tool as long as the Drupal community releases them. While University IT will not support any new Drupal 6 installs through the Collaboration Tools Installer, University IT will not take down any existing Drupal 6 sites.

University IT strongly recommends upgrading to Drupal 7 soon and not waiting until after Drupal 8 is released. Stanford faculty, staff, and students who are interested in starting a Drupal site are encouraged to use Stanford Sites, a self-service tool for building Drupal 7 websites.

For more information on navigating to Drupal 7, see Moving From Drupal 6 to Drupal 7.

MediaWiki on the Collaboration Tools Installer retiring

December 17, 2014

University IT no longer supports installs and upgrades for MediaWiki through the Collaboration Tools Installer and Upgrader. You may continue to run your existing site; however, you are responsible for keeping MediaWiki software for that site up-to-date (see for more information) and adjusting settings to make it compatible with Stanford's web infrastructure.

As an alternative, University IT offers Confluence, a more supported wiki environment, which allows any authorized user to add, delete, or revise content via a web browser. Confluence is available to Stanford users only.

If you are using MediaWiki as the foundation for a website, a better Stanford option is Stanford Sites, a self-service tool for building and managing websites. Stanford Sites is available to current faculty, staff, and students free of charge.

WebEx Retirement

December 5, 2014

Effective December 5, 2014, University IT will no longer support or offer WebEx licenses. Current WebEx users are encouraged to use BlueJeans, which is provided at no cost to all faculty, staff, and students.

After December 5, 2014, the Stanford University WebEx site will no longer be accessible.

Please contact Gino Piccardo at WebEx if you want to obtain a department license.

University IT support coverage for winter closure

November 26, 2014

Stanford University suspends operations, where feasible, during the winter holiday season, 5 p.m. Friday, December 19, 2014 through Friday, January 2, 2015. Accordingly, many University IT offices will close or provide limited support during winter closure. We will resume full support on Monday, January 5, 2015 at 8 a.m.

More information about service orders, support, and system outages is available at

Note: Monitoring and support for critical services will be maintained throughout winter closure.

Two-Step Authentication SMS Text Message Codes Update

November 14, 2014

On Sunday, November 16, 2014, the SMS text message codes you receive for your Two-Step Authentication will increase from 6 digits to 7 digits.  Additionally, you will receive the message from a 313 area code (previously 650). 

November University IT Newsletter Available

November 3, 2014

University IT is a collaborative partnership of the three IT units within Stanford’s Business Affairs organization, all dedicated to delivering world-class service and technological solutions in support of research, teaching and learning, administration, and healthcare.

The November issue of the University IT newsletter is now available. Online Training Available at No Charge

November 1, 2014

University IT is tremendously excited to let you know that the service is now available for free at Stanford.

Thanks in part to the generous support of many campus partners, Stanford faculty, staff, and students can start using this highly-respected service to spur their learning and development, as well as get just-in-time help on subjects that include business, design, digital media, web development, and so much more. There are over 3,000 titles "chunked" into short topic-based videos that your colleagues can access at their convenience, 24x7.

To get started, faculty, staff, and students to go to:

Those already using will have the option of merging their existing account information into their Stanford account. New users can simply create their Stanford account. Any additional support is available easily from the resources available at the site.

University IT Website and Newsletter Launches

October 1, 2014

University IT is a collaborative partnership of the three IT units within Stanford’s Business Affairs organization, all dedicated to delivering world-class service and technological solutions in support of research, teaching and learning, administration, and healthcare.

University IT has just launched a new website and newsletter.

Amazon Web Services (AWS) Enterprise Agreement

September 3, 2014

In early September 2014, current Amazon Web Services (AWS) account holders should have received an email directly from AWS, on Stanford’s behalf, informing them of the new Enterprise Agreement negotiated between AWS and Stanford University as of May 2014. Learn more.

Free Video Conferencing (BlueJeans) now available!

September 2, 2014

As part of the Converged Communication package, BlueJeans audio/video conferencing service is now available to all current faculty, staff, and students at no cost.  To access your BlueJeans account, go to and log in with your Stanford SUNet ID. Upcoming training sessions are available. See the BlueJeans training schedule for more information.  For more information, visit:

Encrypting Employee Laptop and Desktop Computers

August 5, 2014

Dear Colleague:

Proactively encrypting your laptop and desktop computers is the single most important step you can take to protect your information and the University's data in the event the device is lost or stolen. The University has established a goal of verifiably encrypting all faculty, staff, and postdoc Macintosh and Windows computers by May 31, 2015, and we are asking you to begin now using one of three options presented below. This requirement applies to both Stanford and personally owned computers that will continue to be used for Stanford activities on the campus network, other than those granted exceptions due to special research requirements. Anyone who stores, transmits, or accesses High Risk Data information as defined under the Risk Classifications should have all data encrypted now and not wait until the May 31, 2015 deadline.

As you may know, an Ad Hoc Faculty Committee on IT Privacy met last spring on a wide variety of information security issues and affirmed the importance of encrypting employee computers used for Stanford activities. When these systems are lost or stolen, it often leads to months of follow-up and remediation effort that could have easily been prevented if the systems had been encrypted. More than 16,000 University employee laptops and desktops are already encrypted (thank you!) via the Stanford Whole Disk Encryption (SWDE) service, which turns on the built-in encryption capabilities of both Macintosh and Windows computers. SWDE includes the University's systems management utility called BigFix, which also periodically verifies encryption status and collects other information regarding the device.

On rare occasions during the encryption process, we have seen disk failures occur. For this reason, as well as being a general best practice, you are strongly encouraged to back up your files before starting to encrypt. CrashPlan PROe provided by University IT is the recommended backup service and is widely used within Stanford, but your local IT group may provide other options. CrashPlan encrypts your backups for secure storage and also provides the option of setting a secondary password to ensure that only you can restore the files. 

For encrypting your computer, there are currently three options:

  1. To make rapid progress toward the May 31, 2015 deadline, we are presently focused on encrypting the more than 15,000 computers with BigFix already installed that have native encryption capability but are not yet encrypted. For those SWDE-ready computers, users will soon be requested to initiate the encryption process, beginning with a short "(Stanford Device Identification") questionnaire that will appear on the screen as early as Aug. 12, 2014. In the subsequent days or weeks, the SWDE installer will ask to initiate encryption, which can be postponed until a convenient time. Campus IT support staff are familiar with the SWDE installation process and will assist as needed.
  2. Users can download and run the SWDE installer at any time on their systems. SWDE will begin by checking the operating system and hardware configuration and will indicate if any update is needed. 
  3. For those who would like to encrypt now without using BigFix or SWDE, you have the option of checking to see if your system is encryption-ready and activating the native encryption on your own. As a reminder, we strongly recommend backing up your files prior to encrypting.

On Macintosh systems, native encryption is entirely transparent once enabled. On Windows systems, the only noticeable difference will be the need to enter another password of your choosing upon booting. Some older Macintosh and Windows systems may need to be upgraded to be encryption-capable, and your local IT staff can help you in those cases. The Information Security Office has a process for you to request an exception from the encryption requirement for research computers that are not yet capable of efficient encryption. 

In the coming months, further communications about the University's encryption initiative will be sent, and utilities will be made available to easily attest the encryption statuses of your computers. More information about encryption is available at, and help is available by submitting a HelpSU request. I urge you to encrypt soon as a supplement to the other information security best practices we have been recommending, including regularly patching your operating system and applications, backing up your fileschoosing strong passwords and remaining vigilant for phishing attempts. Thank you for your continuing partnership in these efforts to protect Stanford's data as well as your personal information.

Kind regards,

Michael Duff
Chief Information Security Officer

Stanford ID cards get new look

July 30, 2014

New look for Stanford ID cards

Effective Aug. 1, the university will begin issuing Stanford ID cards with a new look. While the change will not affect those with existing cards, IDs issued to new employees and new students arriving this fall will look distinctively different. The changes have been made to ensure that the cards conform to Stanford's updated wordmark and visual identity system.

“Because this card appears slightly different from existing cards, we would like to make sure all campus departments and services are aware of the change, to limit confusion over the legitimacy of the new cards,” said Jay Kohn, director of card services.

For those who are eligible for the Go Pass, the new design accommodates space on the front of the card for that sticker.

ID cards with the old design remain in effect unless the card is lost or stolen. Replacement cards will continue to cost $20. When a replacement card is issued, it will reflect the new design.

ID Cards are issued by the Campus Card Office. For more information, visit the Campus Card Services website or call (650) 498-CARD or (8-2273).

Is Stanford Affected by Heartbleed?

April 17, 2014

The Internet is abuzz with news of the "Heartbleed" bug that affected the security of the majority of web servers in the world, as well as other computer systems that rely on OpenSSL code. This bug is serious, but its immediate impact at Stanford is not cause for alarm.

Apple Update Required for OSX and iOS

March 31, 2014

Apple Inc. has released updates for Mac OSX 10.7, 10.8, and 10.9 to address a critical security problem. Stanford's Information Security Office recommends that you update your Mac OSX systems and iPhones, iPads, and iPod Touch devices as soon as possible to protect your personal privacy and security, as well as to protect the university's data.

On April 4, 2014, Mac OSX systems that are not up-to-date will have the update pushed to them automatically. Please restart the system to complete the installation. For instructions and additional information, visit the Secure Computing web site.

On April 14, 2014, compliance rules in MDM will be updated to no longer allow insecure versions of iOS 6 and iOS 7. Please update your device today.

For more information, go to

Urgent Update to iOS

February 24, 2014

Apple has issued a security update for all iOS devices including the iPhone and iPad. IT Services recommends that you apply this update. First, back up your device using iCloud or iTunes. Then go to Settings>General>Software Update and download and install to update your device.

Faculty Committe Formed to Discuss Information Security

February 13, 2014

Vice President for Business Affairs Randy Livingston announces the formation of a faculty committee to assess the information security challenges facing Stanford and help chart institutional strategies for addressing them. Several elements of the information security mandates announced on Jan. 15 for Stanford employees will be suspended in the meantime.

Dear Colleagues:

On Jan. 15, I sent you a communication outlining new information security mandates for University employees. Since that time I have heard from a number of faculty expressing their concerns about the potential impact of the mandates on individual privacy and research productivity. While all of us share the goal of containing and mitigating information security risks, we want to respect and protect individual privacy, and avoid impairing the University's research efforts.

On Feb. 11, I met with the Faculty Senate Steering Committee to discuss faculty concerns. I proposed formation of a special faculty committee to assess the information security and privacy challenges facing Stanford, help chart an institutional strategy that reflects the diverse needs of University stakeholders, and partner with the administration in revising the mandates. The faculty committee will be formed within the next two weeks and will be led by Andy Fire, Professor of Pathology and Genetics, and co-chaired by David Palumbo-Liu, Professor of Comparative Literature and English, who are also members of the Faculty Senate Steering Committee.

While the committee undertakes its review, all agree that we should suspend several elements of the mandates as described below:

1. Windows XP - The mandate to migrate from Windows XP laptops and desktops will be suspended for devices that manage scientific instruments or run unique software applications that cannot be easily upgraded. The April 8 deadline will remain for laptops and desktops used as standard business systems.

2. BigFix - The deadline for installation of BigFix will be suspended for systems that do not store or access personally identifiable information (PII), such as Social Security and credit card numbers or protected health information (PHI). BigFix must be installed on University and personally owned systems that store or can access PII/PHI no later than May 28.

3. Identity Finder (IDF) - This tool, which scans computer files to identify PII that a user may have downloaded unwittingly, will not be used except with specific consent of the individual whose files are being scanned.

4. Encryption - The requirement to encrypt laptop and desktop devices will remain with the following deadlines:

  1. New University-owned laptops and desktops must be encrypted immediately following purchase.
  2. SWDE encryption must be in place on all University-owned and personally owned devices that store or can access PHI in any manner by Feb. 28.
  3. SWDE must be in place on all devices storing more than 500 PII records by July 31, and with more than 10 PII records by Nov. 30. PII belonging to the device user and family members, such as would be found on copies of an individual's tax return, will not be counted under this requirement.
  4. With the exceptions of the devices that manage scientific instruments without PHI/PII, we will pursue a goal of having encryption in place on all laptops and desktops by May 31, 2015.

5. Encryption for Mobile Devices - The requirement to install Mobile Device Manager (MDM) is suspended for those individuals with no access to PHI. However, for those with access to PHI, the original mandate to install MDM on University-owned and personally owned mobile devices by Feb. 28 will remain.

6. File Backup - Frequent and secure file backup is highly recommended for all systems and all members of the Stanford community. We are suspending the requirement to use a University or department managed file backup service, but these services remain available to all members of the Stanford community.

Once the faculty committee is formed, we will communicate its membership and encourage all of you to provide input to them.

We also will be issuing additional communications soon providing tips for maximizing your own computer security and answering common questions we have been receiving from the Stanford community. Strengthening our information security is an imperative for the University, but we intend to do so in a manner that is consultative and using transition processes that are as simple as possible for everyone to implement. Thank you for your partnership in these efforts.


Randy Livingston
Vice President for Business Affairs

New Security Requirements for University Employees

January 15, 2014

In a letter to the Stanford community, below, Vice President for Business Affairs Randy Livingston provides an update on information security at Stanford and outlines new requirements for University employees. Deadlines are provided for implementing each of the new requirements.

Dear Colleagues:

Over the past several months, we have undertaken several initiatives to improve the security of Stanford's IT environment and protect the privacy of information stored on our systems. Thank you for your support in changing passwords and adopting two-step authentication.

To further improve information security and privacy, we will be requiring several additional steps for all University employees. These requirements apply to all University-owned laptops, desktops, smartphones, and tablets ("devices"); personally owned devices used on the Stanford Network; and personally owned devices that could be used to access Protected Health Information (PHI) or other High Risk Data. Other personally owned devices used at home or on the wireless Stanford Visitor network are encouraged to follow these mandates, but not required to at this time. Your organization may impose additional security requirements that you are required to follow. Exceptions to the mandated requirements are outlined at the end of this communication.

  1. Windows XP Migration - Windows XP will no longer be supported by Microsoft after April 2014, and as a result, represents a significant security vulnerability. Approximately 2,500 Windows XP systems are currently used by University employees. Employees with Windows XP laptops or desktops must migrate to Windows 7 Enterprise or Ultimate, or Windows 8 Pro or Enterprise no later than April 8, 2014. The University now has a site-wide license with Microsoft whereby employees can download the latest operation system and application versions at no cost.
  2. BigFix - BigFix is a program that ensures operating systems and other applications are patched with the latest security updates. More than 80 percent of employee laptops and desktops already have BigFix installed. All desktop and laptop computers are required to have BigFix installed no later than May 31, 2014. BigFix can be downloaded from the IT Services website and installed directly by any Stanford employee.
  3. Identity Finder - IDF is a program managed by BigFix that scans your computer files for personally identifiable information (PII) such as Social Security numbers and credit card numbers, and provides you or your IT support team with a report that allows you to delete PII that is unneeded. In a broad pilot program last spring, 15 percent of scanned systems had more than 500 PII records, and an additional 15 percent had between 100 and 500 records. Starting on Feb. 28, 2014, BigFix will install IDF and occasionally run in the background on your system, similar to a virus scan or file backup. No action is required on your part to run the program, but you will be notified if PII is found on your system, and you should then delete unnecessary files. Your technical support team will be able to assist you to ensure permanent deletion.
  4. Encryption - All laptop, desktop, and mobile devices must be encrypted. If a device is lost or stolen, encryption ensures that a third party cannot access protected information, such as PII or Protected Health Information (PHI) that may be stored on the device. In addition, it provides the University a "safe harbor" with respect to legal requirements to report a breach of information stored on the device. We have learned that a stolen device may be determined after the fact to have PII/PHI even when the user believed there was none. Given this understanding, and the high incidence of PII found by IDF scans, we are requiring all devices to be encrypted with the following deadlines:
    1. All new laptops and desktops purchased with University funds must be native encryption capable and install Stanford's Whole Disk Encryption (SWDE) service immediately. Operating systems supporting native encryption currently are: Mac OS X 10.7 or later, Windows 7 Enterprise or Ultimate (TPM chip required), or Windows 8 Pro or Enterprise. Replaced systems must be relinquished upon receiving the new one.
    2. All iOS and Android mobile devices must install Mobile Device Manager (MDM) to encrypt the device no later than Feb. 28, 2014.
    3. All laptops and desktops that store or can access PHI in any manner must install SWDE no later than Feb. 28, 2014.
    4. All remaining laptops and desktops will be required to install SWDE by a specified date based on the number of PII records found by IDF. Systems with more than 500 PII records must install SWDE by July 31, 2014; systems with more than 10 PII records must install SWDE by Nov. 30, 2014; and all remaining systems must install SWDE by May 31, 2015.
  5. File Backup - All documents, files, and custom programs relating to University activity must be backed up on a regular basis by a University or department managed service. File backup capability should be in place before SWDE is installed, and must be implemented for all devices no later than May 31, 2015. Stanford laptops and desktops typically store many years of important work products and enable our daily work. When devices are lost, stolen, or otherwise compromised, critical data can be irretrievably lost. When they are backed up, lost data can be readily recovered.

Your technical teams will receive additional details to aid in the implementation of these requirements by the dates specified below. In some instances your School or Department may have established earlier deadlines for completing the tasks outlined in this memo. Further communication will be forthcoming to department IT groups regarding security requirements for servers, and to student and postdoc populations regarding requirements for their devices.

Mandate Deadline Summary

File Backup Prior to Encryption
Encryption — New Laptops/Desktops Today
Encryption — Mobile Devices Feb. 28, 2014
Encryption — Existing Laptops/Desktops that Store/Access PHI Feb. 28, 2014
Identity Finder Scans — All Laptops/Desktops with BigFix Installed Feb. 28, 2014
Windows XP Migration April 8, 2014
BigFix Installation — All Laptops/Desktops May 31, 2014
Encryption — Existing Laptops/Desktops with >500 IDF Records July 31, 2014
Encryption — Existing Laptops/Desktops with >10 IDF Records Nov. 30, 2014
Encryption — All Laptops/Desktops May 31, 2015

EXCEPTIONS - A handful of laptop and desktop devices are used for complex computation purposes where these management tools might interfere with their effective operation. In addition, some devices are used to control scientific instruments and cannot be upgraded at this time. For these situations, you should request an exception. In addition, Linux systems, BlackBerry mobile devices, and Windows Phones are temporarily exempted until SWDE and MDM are available for these platforms. Until they are available, these devices should not be used to store, process, or transmit PHI or other High Risk Data without a formal exception.

Thank you for the steps that you and your organizations have already taken to increase our security standards. I appreciate your understanding and cooperation as we work together to protect both University data and personal information through the implementation of these best practices.

Randy Livingston
Vice President for Business Affairs

Winter Close Information for IT Services Clients

December 19, 2013

Stanford University has decided to suspend operations, where feasible, during the winter holiday season. In support of this decision, most groups within IT Services will be closed from end of day Friday, December 20, 2013 through Friday, January 3, 2014. Normal business operations will resume on Monday, January 6, 2014 at 8 a.m.

Services to both hospitals and the clinics (SHC and LPCH) will continue as normal during this time, and staff will be available to provide the expected levels of support.

The majority of IT Services offices will be closed. A small number of staff will be on hand to support university offices that must remain open. These staff members will provide operator services, monitor and support critical applications, process high-priority service orders, and provide priority response to urgent HelpSU requests. Please note: You may experience longer-than-normal response times during this period.

For University departments needing work orders to be completed before winter close, please submit your request no later than December 9, 2013 for Data Center orders or December 11, 2013 for telephone orders. We will make every effort to complete orders received by those date on or before December 20, 2013. Orders received after those date may not be completed until on or after January 6, 2014.

Complete details regarding IT Services support and staffing plans during winter close are available at:

Activating Two-Step Authentication

September 24, 2013

In a letter to the Stanford community, below, Vice President for Business Affairs and Chief Financial Officer Randy Livingston provides an update on information security at Stanford and announces that two-step authentication will be required for SUNet users. The process allows users to choose one of three methods -- a printed list of codes, text messaging, or a smartphone app -- to provide a second level of identity verification when logging into Stanford systems.

Members of the Stanford Community:

I am writing to notify you of additional steps to enhance the security of Stanford’s information systems and protect against the pervasive threat of online attacks. In addition to the initial password changes we required over the summer, we now ask all University community members with a SUNet ID to activate two-step authentication, a simple and highly effective security mechanism already adopted by many organizations.

Starting this Thursday, we will begin requiring anyone with a SUNet ID to have two-step authentication enabled in order to access web-based services. The community will be added on a rolling basis, so your prompt to enroll may occur anytime over the next several weeks. Already more than 10,000 SUNet ID account holders have voluntarily elected to use this enhanced security.

Two-step authentication substantially reduces the ability of would-be intruders to access your account by requiring a second login code in addition to your password. Commonly, this is a random numerical code generated by a smartphone application or sent via text message to your phone. You will be prompted for this extra code at least once a month for each computing device and browser that you use.

I encourage you to go to the Accounts page and enroll now, if you have not already. Once at the Accounts page, click “Manage,” then click “Two-Step Auth” and follow the instructions.

We will be taking additional measures over the next few months to further safeguard our information systems. Your technical support teams and University IT will be working with all campus units to upgrade or replace older Windows XP operating systems and to encrypt all employee laptops and mobile devices. We also intend to require longer or more complex passwords.

I will continue to provide updates on our progress. Thank you for your understanding and cooperation as we work together to protect both University data and personal information through the implementation of these information security best practices.


Randy Livingston
Vice President for Business Affairs
Chief Financial Officer

Update on Attack of Stanford's IT Systems

August 19, 2013

In a letter to the Stanford community, Vice President for Business Affairs and Chief Financial Officer Randy Livingston provides an update on the recent breach of Stanford's information technology systems and offers recommendations for maximizing one's own computer security.

Members of the Stanford Community:

I’m writing to you today to outline steps that the University is considering to make our network more secure in light of the attack on Stanford’s information systems infrastructure that occurred last month.


In late July, Stanford discovered that an unauthorized party or parties gained access to a portion of its information systems infrastructure. The attack appears to have been launched from an overseas location and was similar to foreign state-sponsored attacks reported in recent months by many large organizations in the United States. The purpose of the attack remains unclear, although data security experts suggest that these kinds of attacks are aimed at capturing intellectual property that could have commercial and economic value to the intruders' country. The intruders may also be interested in tracking activities of their overseas citizens. Universities are increasingly the focus of these intrusions, as reported by The New York Times in its July 16 article, “Universities Face a Rising Barrage of Cyberattacks.”

Upon discovery of the attack, as a security measure we sent a notification to all employees and students directing them to immediately change their passwords. While our investigation is continuing, we believe the attackers gained access to all Stanford SUNet ID account usernames and a “hashed” version of the passwords. The hashing algorithm converts a password into a different string of characters. While this hashing of passwords disguises the original password, hackers have the capacity to decipher simpler and shorter passwords. Though Stanford has no evidence that the hashed versions of the passwords were deciphered, Stanford is notifying all SUNet ID account holders of that possibility.

At the present time, we have no evidence that personal information — other than usernames and hashed passwords — has been accessed, but this is an ongoing process and we are continuing to investigate. Stanford has retained experts to assist us in this investigation, and we continue to work with law enforcement as well. As the Times and others have pointed out, cyber-intruders are persistent in their attempts to gain access to information systems and are very good at covering their tracks. We will continue to update the community and take action as information develops.

New security measures underway

To better protect Stanford assets and our information — including University data as well as personal information — additional security protections are being adopted to meet the ever-increasing threats of attacks. These safeguards will result in some inconvenience to users, but please be assured they are being implemented to improve our overall security.

One of the first measures will be to implement two-step authentication. When logging into certain Stanford applications like Axess or Oracle, in addition to their user names and passwords, users will need to input a second factor or means of identification. Users can learn more about two-step authentication and voluntarily begin using it by going to the Accounts page on the Stanford website. Click “Manage,” then click “Two-Step Auth” and follow the instructions. To date, more than 3,000 SUNet account holders have begun using this security feature. In the coming weeks, two-step authentication will become mandatory for accessing certain critical applications.

In addition to two-step authentication, Stanford is also taking steps to improve and enhance the security of its core infrastructure systems.

It is important to recognize that the hackers of today are very sophisticated. We cannot assume that new procedures, passwords, and security enhancements fully eliminate their continued presence. It may take several iterations of security improvements over some period of time to regain confidence in the security of the network.

Cooperation from users is essential

While we have no evidence that personal information — other than usernames and hashed passwords — has been accessed, the University is encouraging all users of Stanford’s computer network to be increasingly vigilant regarding their online activities. Cooperation from the University community will be essential, and everyone — staff, students, and faculty — will need to take more personal responsibility for the security of user devices and confidential information.

Users should, at a minimum, take the following steps to protect themselves and the University:

  • Change passwords regularly, both for University connectivity and for personal use — financial, health, etc. For any personal accounts, use passwords  that are different from your SUNet password.
  • Follow protocols to make passwords more difficult for an unauthorized user to determine, including using capital and lower case letters as well as numbers and symbols. The longer and more complex the password, the safer it is.
  • Be aware of efforts by outside parties to gain access to passwords and personal identification information. This begins with understanding and recognizing “phishing” attempts. A phishing attack is the practice of attempting to obtain your user name and password or other confidential information, typically by sending an email that looks as if it is from a legitimate organization but contains a link to a fake website that replicates the real one. Phishing attacks have been increasing and are more sophisticated than ever.
  • Turn on the native encryption capability provided by recent versions of Mac OS X (versions 10.7 and newer) and Windows 7 (Ultimate or Enterprise edition) or Windows 8 (Professional or Enterprise edition) and through Mobile Device Manager (MDM) for iOS devices (versions 5.1 and newer) and compatible Android devices (Android OS version 4.0 and newer). Talk to your department’s IT contact for guidance as to the procedure for turning on that capability.
  • View the information security awareness video on the Accounts site referenced earlier.

As many employees have multiple devices that are linked into the Stanford system, use best practices for securing not only your University-issued devices but also your home computer and personal mobile devices.

Moving forward

Further investigatory work — systems diagnostics, intensive activity monitoring, and working with law enforcement — is helping us understand more specific details of the attack on our system. Much of this work must remain confidential as it is helping to identify further steps that the University can take to protect and ensure the security of its systems and data.

As has been the case with other organizations that have experienced similar intrusions, efforts to ensure that Stanford’s infrastructure is free from compromise will be measured not in days or weeks but in months. The sophistication and persistence of these kinds of intrusions, combined with the complexity of the University’s data and information systems, create challenges that make the securing of those systems a painstaking process.

Thank you for your support and understanding. We will keep you updated on our progress.


Randy Livingston
Vice President for Business Affairs
Chief Financial Officer

Please Update Your Password!

July 25, 2013

As a precautionary measure in the wake of an apparent breach in its IT infrastructure, Stanford University is asking all SUNet ID holders to update their passwords. Go to and click Manage, then select Change Password. We also encourage your to turn on Two-Step Authentication, available on the same page on the Two-Step Auth tab. This will require a single-use code in addition to your password for access to campus systems. Also, please be vigilant for unusual activity in systems that may signal unauthorized access. The investigation is ongoing and we will keep you updated as new information is available.

TIPS Celebrates 25 Years on July 10

July 8, 2013

The Team for Improving Productivity at Stanford (TIPS), coordinated by IT Services, is celebrating its 25 year anniversary.  Join us for the celebration on July 10 at 9am in Paul Brest Hall!  For more information, visit:

AFS Quotas Have Increased!

January 26, 2013

AFS disk quota has increased to meet campus needs. Individual user quota went from 2 to 5 GB, group quota from 500 MB to 4 GB, department quota from 2 to 4 GB, and class quota from 1 to 2 GB.

Learn More About the New OrderIT

December 19, 2012

The New OrderIT was launched on December 3rd and is available to all current OrderIT users. The December 14th Tech Briefing was recorded to give you everything you need to know about the new ordering portal.