As you are all aware, information security remains a shared concern and plays an important part in protecting university assets and personal privacy. To strengthen this protection, in January 2014 the university established a requirement to verifiably encrypt all employee Windows and Macintosh laptops/desktops used on the campus network by May 31, 2015 (with limited exceptions for special research equipment). More than 24,000 of these computers are now encrypted, and I deeply appreciate your participation in this effort.
The theft and loss of devices has been (and will continue to be) a common occurrence, and if these devices are not encrypted, the consequences to the university can be highly time consuming and expensive. Fortunately, modern encryption technology provides robust protection for both Stanford data and personal information, with virtually no downside.
We are now entering the next phase of the encryption initiative where we are: 1) requiring verifiable encryption of Apple and Android mobile devices that are used by employees on the campus network; and 2) restricting access to the campus network from unencrypted laptops, desktops, and mobile devices that are subject to the requirements. This phase will be rolled out over the next few months. With more than 12,000 employee mobile devices already verifiably encrypted using AirWatch (Stanford's mobile device security solution), we are well on the way to completion on the mobile front.
What should you do first?
As an important first step, please visit our new "My Devices" website (mydevices.stanford.edu) to see a list of the computers that Stanford's records indicate are currently associated with you, along with their compliance statuses. If you see a device that is no longer in use or no longer associated with you, simply click the "Remove" button. You can find more information about each device by clicking on the link in the Model column.
What happens next?
On October 20, we will begin a rolling deployment of the mobile device encryption requirement and the unencrypted laptop/desktop/mobile device network restrictions, progressively including all employees over several months. When your time comes, we will notify you by email, and you will have a 30-day grace period to encrypt any non-compliant devices. A 30-day grace period also applies to any new devices as well as those that fall out of compliance. We will send you weekly reminders listing these non-compliant devices and the remaining grace period days for each. The emails will refer you to My Devices and our Encryption website (encrypt.stanford.edu) for instructions explaining what to do and how to get help if needed.
What's not new?
Visitors to Stanford and employees with personal devices not used for Stanford business can use the guest wireless network without having to meet the encryption requirements. Meanwhile, the long-standing University policy to verifiably encrypt all devices storing HIPAA and other High Risk data (dataclass.stanford.edu), regardless of ownership or where they are used, remains unchanged. In special cases where specific research computing systems cannot be encrypted and no High Risk data is involved, exceptions can be requested.
The tools provided to assist you in the encryption process and subsequently periodically verify the compliance status of your devices have long been in use at Stanford, and we are committed to full transparency regarding the operation of these systems. VLRE, one of the newer tools developed in-house, is an encryption verification option for laptops and desktops where High Risk data is not involved. To validate its functionality, the source code was reviewed by Stanford's Computer Science department. You can find information about what data is collected by SWDE/BigFix at itservices.stanford.edu/service/bigfix/retrieved_properties, VLRE at itservices.stanford.edu/service/vlre/privacy, and AirWatch at itservices.stanford.edu/service/mobiledevice/management/privacy. We specifically do not collect user content (email, calendar events, contacts, instant messages, personal files, etc), passwords, or GPS location information from devices using these tools.
Where can you find more information?
Your starting point for information security is security.stanford.edu, where you can quickly find links to the My Devices and Encryption websites along with a copy of this memo.
Thank you for supporting this important privacy and security initiative.
VP of Business Affairs