Endpoint Compliance
Stanford's data needs protection wherever it goes. University computing equipment and other endpoint devices used for sensitive Stanford business — including computers, smartphones, and tablets — must be configured to provide that protection.
Endpoint Compliance Rules
- All devices must have operating systems that are supported by the vendor with security updates. In particular, systems running Windows XP must be upgraded to a newer OS, as Microsoft discontinued support in April 2014. (Although Microsoft has extended support for its anti-malware signatures for an additional 15 months, the core Windows XP operating system will not receive security updates.) This requirement is suspended for devices that manage scientific instruments or run unique software applications that cannot be easily upgraded.
- All endpoints that store, process or transmit Prohibited or Restricted Data — including Protected Health Information (PHI) — must be managed and encrypted.
- All new Stanford-owned laptops and desktops must be encrypted.
- Endpoint management must be accomplished via Stanford Mobile Device Management (MDM) or BigFix.
- These are minimum requirements for all of Stanford. Any additional requirements of individual departments or organizations still apply.
Do I have to comply?
All University employees must comply with these requirements. They apply to all University-owned laptops, desktops, smartphones and tablets ("devices"), personally-owned devices used on the Stanford Network, and personally-owned devices that could be used to access Protected Health Information (PHI) or other Restricted or Prohibited Data.
Support for backup, management, and encryption of endpoints is available to all Stanford affiliates, so you can take advantage of it even if your role or device does not require it.
How do I comply?
CrashPlan, a managed file backup service for all laptops and desktops, is available to your department from IT Services.
The university provides Stanford Mobile Device Management (MDM) for smartphones and tablets and Stanford Whole Disk Encryption (SWDE) for laptop and desktop computers. If your device is subject to the rules (see above: Do I have to comply?) and is on a supported platform, compliance is required.
Device Management and Encryption Requirements by Platform
| Operating System | Compliance Required |
|---|---|
| Windows | Yes |
| Mac OS X | Yes |
| Linux | Temporarily Exempt |
| iOS | Yes |
| Android | Yes |
| Blackberry | Temporarily Exempt |
| Windows Phone | Temporarily Exempt |
If your laptop or desktop has SWDE installed for encryption, then it is already managed by BigFix. Unencrypted laptops and desktops can become managed by installing BigFix alone, but as they will all require encryption eventually it is better to install SWDE wherever possible.
Identity Finder scans will be performed only after specific consent by the individual whose files are being scanned.
Consult your department's IT support for any additional requirements. For example, in the School of Medicine see the school's Data Security web site.
When do I have to comply?
All new endpoint devices purchased by Stanford must be configured for encryption before they are used. Endpoints that are already in use must be brought into compliance by the dates indicated in the chart below.
Endpoint Compliance Deadlines
| Mandate | Compliance Deadline |
|---|---|
| File Backup for Laptops/Desktops | Recommended Prior to Encryption |
| Encryption - New Laptops/Desktops | Today |
| MDM - Mobile Devices that Store/Access PHI | February 28, 2014 |
| SWDE - Laptops/Desktops that Store/Access PHI | February 28, 2014 |
| Windows XP Migration - Laptops/Desktops that do not control scientific instruments | April 8, 2014 |
| BigFix Installation - Laptops/Desktops that Store/Access PHI or other Prohibited or Restricted Data | May 28, 2014 |
| SWDE - Laptops/Desktops with >500 Identity Finder hits | July 31, 2014 |
| SWDE - Laptops/Desktops with >10 Identity Finder hits | November 30, 2014 |
| Encryption - Laptops/Desktops that do not control scientific instruments | May 31, 2015 |
Compliance Exceptions
Endpoints that are critical to Stanford business but that cannot comply with these rules (such as dedicated instrument systems) must follow a formal exception process, and suitable compensating controls should be implemented.
You can request an exception via the Compliance Exception Request form.
Blackberry mobile devices, Windows Phones, and Linux systems are currently not supported by MDM or SWDE, and so are temporarily exempt from the management and encryption mandates until SWDE and MDM are available for these platforms. Until they are available, these devices should not be used to store, process or transmit PHI or other Prohibited or Restricted Data without a formal exception.
All Linux systems should still back up their files.
