In a letter to the Stanford community, below, Vice President for Business Affairs Randy Livingston provides an update on information security at Stanford and outlines new requirements for University employees. Deadlines are provided for implementing each of the new requirements.
Over the past several months, we have undertaken several initiatives to improve the security of Stanford's IT environment and protect the privacy of information stored on our systems. Thank you for your support in changing passwords and adopting two-step authentication.
To further improve information security and privacy, we will be requiring several additional steps for all University employees. These requirements apply to all University-owned laptops, desktops, smartphones, and tablets ("devices"); personally owned devices used on the Stanford Network; and personally owned devices that could be used to access Protected Health Information (PHI) or other High Risk Data. Other personally owned devices used at home or on the wireless Stanford Visitor network are encouraged to follow these mandates, but not required to at this time. Your organization may impose additional security requirements that you are required to follow. Exceptions to the mandated requirements are outlined at the end of this communication.
- Windows XP Migration - Windows XP will no longer be supported by Microsoft after April 2014, and as a result, represents a significant security vulnerability. Approximately 2,500 Windows XP systems are currently used by University employees. Employees with Windows XP laptops or desktops must migrate to Windows 7 Enterprise or Ultimate, or Windows 8 Pro or Enterprise no later than April 8, 2014. The University now has a site-wide license with Microsoft whereby employees can download the latest operating system and application versions at no cost.
- BigFix - BigFix is a program that ensures operating systems and other applications are patched with the latest security updates. More than 80 percent of employee laptops and desktops already have BigFix installed. All desktop and laptop computers are required to have BigFix installed no later than May 31, 2014. BigFix can be downloaded from the IT Services website and installed directly by any Stanford employee.
- Identity Finder - IDF is a program managed by BigFix that scans your computer files for personally identifiable information (PII) such as Social Security numbers and credit card numbers, and provides you or your IT support team with a report that allows you to delete PII that is unneeded. In a broad pilot program last spring, 15 percent of scanned systems had more than 500 PII records, and an additional 15 percent had between 100 and 500 records. Starting on Feb. 28, 2014, BigFix will install IDF, which will occasionally run in the background on your system, similar to a virus scan or file backup. No action is required on your part to run the program, but you will be notified if PII is found on your system, and you should then delete unnecessary files. Your technical support team will be able to assist you to ensure permanent deletion.
- Encryption - All laptop, desktop, and mobile devices must be encrypted. If a device is lost or stolen, encryption ensures that a third party cannot access protected information, such as PII or Protected Health Information (PHI) that may be stored on the device. In addition, it provides the University a "safe harbor" with respect to legal requirements to report a breach of information stored on the device. We have learned that a stolen device may be determined after the fact to have PII/PHI even when the user believed there was none. Given this understanding, and the high incidence of PII found by IDF scans, we are requiring all devices to be encrypted with the following deadlines:
  - All new laptops and desktops purchased with University funds must be native encryption capable and install Stanford's Whole Disk Encryption (SWDE) service immediately. Operating systems supporting native encryption currently are: Mac OS X 10.7 or later, Windows 7 Enterprise or Ultimate (TPM chip required), or Windows 8 Pro or Enterprise. Replaced systems must be relinquished upon receiving the new one.
  - All iOS and Android mobile devices must install Mobile Device Manager (MDM) to encrypt the device no later than Feb. 28, 2014.
  - All laptops and desktops that store or can access PHI in any manner must install SWDE no later than Feb. 28, 2014.
  - All remaining laptops and desktops will be required to install SWDE by a specified date based on the number of PII records found by IDF. Systems with more than 500 PII records must install SWDE by July 31, 2014; systems with more than 10 PII records must install SWDE by Nov. 30, 2014; and all remaining systems must install SWDE by May 31, 2015.
- File Backup - All documents, files, and custom programs relating to University activity must be backed up on a regular basis by a University or department managed service. File backup capability should be in place before SWDE is installed, and must be implemented for all devices no later than May 31, 2015. Stanford laptops and desktops typically store many years of important work products and enable our daily work. When devices are lost, stolen, or otherwise compromised, critical data can be irretrievably lost. When they are backed up, lost data can be readily recovered.
Your technical teams will receive additional details to aid in the implementation of these requirements by the dates specified below. In some instances your School or Department may have established earlier deadlines for completing the tasks outlined in this memo. Further communication will be forthcoming to department IT groups regarding security requirements for servers, and to student and postdoc populations regarding requirements for their devices.
Mandate Deadline Summary
| Mandate | Deadline |
| --- | --- |
| File Backup | Prior to Encryption |
| Encryption — New Laptops/Desktops | Today |
| Encryption — Mobile Devices | Feb. 28, 2014 |
| Encryption — Existing Laptops/Desktops that Store/Access PHI | Feb. 28, 2014 |
| Identity Finder Scans — All Laptops/Desktops with BigFix Installed | Feb. 28, 2014 |
| Windows XP Migration | April 8, 2014 |
| BigFix Installation — All Laptops/Desktops | May 31, 2014 |
| Encryption — Existing Laptops/Desktops with >500 IDF Records | July 31, 2014 |
| Encryption — Existing Laptops/Desktops with >10 IDF Records | Nov. 30, 2014 |
| Encryption — All Laptops/Desktops | May 31, 2015 |
EXCEPTIONS - A handful of laptop and desktop devices are used for complex computation purposes where these management tools might interfere with their effective operation. In addition, some devices are used to control scientific instruments and cannot be upgraded at this time. For these situations, you should request an exception. In addition, Linux systems, BlackBerry mobile devices, and Windows Phones are temporarily exempted until SWDE and MDM are available for these platforms. Until they are available, these devices should not be used to store, process, or transmit PHI or other High Risk Data without a formal exception.
Thank you for the steps that you and your organizations have already taken to increase our security standards. I appreciate your understanding and cooperation as we work together to protect both University data and personal information through the implementation of these best practices.
Vice President for Business Affairs