Security Requirements Questions and Answers

Q: Where can I find more general information about the Information Security Mandates communicated to faculty and staff on 1/16/2014?

A: Start at

Q: I heard that Microsoft is extending the Windows XP date. Does that mean that we have more time for the migration off of XP computers?

A: No. Microsoft’s date for end of support for the operating system remains April 8, 2014. After this date, Windows XP will no longer be a supported operating system. As stated in the January 16th email, Windows XP computers must be migrated by April 8, 2014.

Q: I sometimes work from home, and I have no access to Protected Health Information (PHI) or other Restricted and Prohibited data. Must I encrypt my personally-owned home computer, or install the mandated security software?

A: No. If your device is not owned by Stanford, does not have access to PHI or other Restricted or Prohibited data, and is not used on the Stanford Network, it is exempt. For information on what falls into these data categories, see Stanford’s data classification guidelines.

Q: Does using Stanford’s VPN to work remotely mean I’m using my computer on the Stanford Network?

A: Yes.

Q: My personally-owned computer has my family’s medical records. Do these mandates apply to me?

A: For the purpose of this mandate, the University is not concerned with the handling of your own personal medical information. You should, however, consider encrypting and protecting your own data, like any information of high value. For more information on Protected Health Information, see

Q: What backup services are approved as University or department services?

A: The service must be managed by a University-wide or departmental IT organization and, if any data are being stored external to Stanford, must meet Stanford’s standards for vendor safeguards. Users are advised to refer to data handling policies on the Administrative Guide and to the requirements for third-party vendors.

Q: Is the Visitor Network considered to be the same as the Guest Network?

A: Yes, the Stanford Visitor wireless network is the same as the Guest Network.

Q: How do I get an exception approved?

A: Stanford’s Information Security Office will be handling exception requests. Follow the “Request a Compliance Variance” link from the Secure Computing website.

Q: How do I get help with my XP migration?

A: Contact your local IT support group.

Q: Windows 7 requires a TPM chip for whole disk encryption. What’s a TPM chip?

A: TPM stands for Trusted Platform Module. It’s security-related hardware built into the motherboard of some new systems. TPM is required for Windows 7 Enterprise or Ultimate, and optional for Windows 8. Apple does not use TPM. If you intend to use Windows 7, check with the manufacturer before you purchase to make sure TPM is included or can be added separately. Visit the IT Services Laptop and Desktop Recommendation page for purchasing options.

Q: What changes will be made to my computer when I enable Stanford Whole Disk Encryption?

A: Stanford Whole Disk Encryption (SWDE) will install BigFix and Stanford Anti-Malware, if missing. In addition to encrypting your disk, a number of other system changes will be made during installation. Visit (Windows) and (OS X) for current information.

Q: Will whole disk encryption slow down my computer?

A: SWDE protection is generally imperceptible. Some users with older computers may notice a minor impact. See for more information.

Q: How long does it take to encrypt my computer? Can I continue to use my computer while it’s encrypting? Will I have to forfeit my computer?

A: There is no single answer, since each unit will determine its strategy for encrypting computers, and may ask to have machines temporarily handed to IT support staff for encryption. Generally, the encryption process itself takes a couple of hours, and users can work on their machines while it’s encrypting. However, factors such as age and hard drive capacity will influence the duration.

Q: What if I run an application that may not be compatible with the latest patches? Does BigFix allow me some level of control?

A: BigFix is a centrally-provided service that is managed by local console operators across the University. If you have special requirements, contact your local IT support or submit a HelpSU ticket to be put in touch with your console operator. For information on BigFix, see:

Q: Do I need to install BigFix on servers? What about public access terminals, kiosks and lab machines?

A: The current policy does not cover servers, but does cover all desktop and laptop computers.

Q: What is the process to encrypt my device? How do I get help?

A: You can find information and help with Stanford’s Whole Disk Encryption program at:

Q: How will I be notified if I have more than 500 PII records?

A: Identity Finder (IDF) is the tool we’ll use to identify PII. Read more information about IDF.

Q: How often will the IDF scan run automatically?

A: Once every six months. It works incrementally and will only scan new or changed files. It will not rescan the entire drive.

Q: Can the process be paused or stopped when it is running automatically?

A: You can force quit or end task to stop Identity Finder when it is running an automatic scan. When running the scan manually, you can pause at any time via the interface, but this does not display during an automated scan.

Q: Are there still outstanding issues with IDF taking too many resources and scanning network drives?

A: These have been largely mitigated in the current configuration, especially for Macs. One other thing to note is that running IDF on all of the virtual machines on a server at the same time is likely to cause load problems. The BigFix console operator should take this into account when those machines are doing their scans.

Q: How do I determine if my device can access PHI data?

A: If you have authority to access PHI, or Restricted or Prohibited data, then your device can access this information.

Q: Is there a financial impact to my group to implement these mandates? If yes, what are the costs?

A: There may be local financial impact; the level of that impact is dependent on many factors. It is imperative that there be reliable backups in place prior to any upgrade or migration. If new hardware needs to be deployed, there is the cost of hardware devices, software and related support.

Q: If my device is already enrolled in MDM, do I need to do anything now to update my enrollment?

A: No, if your device is enrolled, you don’t have to take any further actions now. You can check your enrollment at

Q: Will using MDM slow down my mobile device?

A: No, there should be no performance impact once you have completed enrollment in the mobile device management program.

Q: Will using MDM reduce the battery life on my mobile device?

A: No, in general, MDM only checks in once a day and uses less power than sending a single text message.

Q: How will using MDM change my iOS device?

A: You will be required to have a passcode that is at least 4 digits long. You can choose how often that passcode is required in Settings > General > Passcode Lock > Require Passcode. Most other changes are invisible. For more information, go to

Q: How will MDM change my Android device?

A: Your Android device will be required to have a 4-digit passcode and be encrypted. Encryption is a one-time process and can take up to one hour. You will not be able to use your device while it is being encrypted, so please choose a time when it can remain plugged in and left for that time.

Once encrypted, SD cards associated with the device are also encrypted and can only be used with the device.

For users with a Samsung device, a 6-character alphanumeric passcode is required by your hardware manufacturer prior to completing encryption.

For more information, go to