Security Assessments

All servers on campus must conform to School of Medicine security regulations, whether hosted by IRT or otherwise. If you are running a server that is not physically located in the data center, you will need to make sure that you're following Stanford policies about keeping the data properly secured. You may also choose to have your server moved to the data center and hosted or managed by IRT. Read the information below to determine whether your server is secure in its current location, and whether IRT Information Security Services should help you move the server into the data center.

As of May 2015, a new set of classifications has been established and is now in effect for Stanford data: High Risk, Moderate Risk, and Low Risk. The former framework - Prohibited, Restricted, Confidential, and Unrestricted - will be phased out by January 2016.

If you are running a server that stores any information that is defined as High Risk —

• Social Security Numbers

  Credit Card Numbers

  Financial Account Numbers, such as checking or investment account numbers

  Driver’s License Numbers

  Health Insurance Policy ID Numbers

  Health Information and other PHI
  

— you must have permission from the Data Governance Board to be storing it on your computer. If you are storing any information that is High Risk, Moderate Risk, or Low Risk, you must encrypt the computer it is stored on, and you must follow Stanford's security procedures. To find out whether your current server is adequately secured, you can go through Stanford Secure Computing's Information Security Questionnaire.  (ITS just released a handy chart of the minimum security requirements for servers.) Keeping a server properly secured on your own can be difficult, and it may well be to your advantage to have it hosted in IRT's secure data center.

IRT Server Hosting

If you've determined that your server should be located in the data center, contact IRT Security. Someone will arrange a time to sit down with you, go through a security questionnaire and assessment, and help you with the server move. For more information about IRT's hosting and system administration requirements and services, visit the IRT servers page.