As of May 2015, a new set of classifications has been established and is now in effect for Stanford data and systems: Low Risk, Moderate Risk, and High Risk. The Prohibited, Restricted, Confidential, and Unrestricted framework will be phased out by January 2016. Going forward, please use the new Low/Moderate/High Risk designations.
Stanford takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty and staff, as well as to protect the confidentiality of information important to the University's academic and research mission. For that reason, Stanford has classified its information assets into the categories Unrestricted, Confidential, Restricted, and Prohibited for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.
Please contact the University Privacy Officer with any questions about the appropriate classification of information. Please contact the Chief Information Security Officer with any questions about appropriate protection of information.
Stanford expects all partners, consultants and vendors to abide by Stanford's information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Stanford's information security policies. The required contract language can be found on the ASP Security Requirements page.
All new information systems that store or process Prohibited or Restricted Data, should be assessed by the Information Security Office.
These guidelines are intended to reflect the minimum level of care necessary for Stanford's sensitive data. They do not relieve Stanford or its employees, partners, consultants or vendors of further obligations that may be imposed by law, regulation or contract.
NOTE: In case of a suspected Information Security Incident as described in the Information Security Incident Response Policy, AGM #6.6.1, involving any of the following items, the University's Information Security Office must be contacted immediately via HelpSU or by phone at 650-723-2911:
- Social Security Numbers
- Credit Card Numbers
- Financial Account Numbers
- Driver's License Numbers
- Health Insurance Policy ID Numbers
Definitions
- Computing Equipment is any Stanford or non-Stanford desktop or portable device or system.
- A number is Masked if: (i) a credit card primary account number (PAN) has no more than the first 6 and the last 4 digits intact, and (ii) all other Prohibited or Restricted numbers have only the last 4 intact. See the entire DSS 2.0 Standard (if you are willing to agree to some terms).
- NIST-Approved Encryption: The National Institute of Standards and Technology (NIST), develops and promotes cryptographic standards that enable U.S. Government agencies and others to select cryptographic security functionality for protecting their data. Encryption which meets NIST-approved standards is suitable for use to protect Stanford's data if the encryption keys are properly managed. In particular, secret cryptographic keys must not be stored or transmitted along with the data they protect. Cryptographic keys have the same data classification as the most sensitive data they protect.
- Payment Card Industry Data Security Standards are the practices used by the credit card industry to protect cardholder data. The Payment Card Industry Data Security Standards (PCI DSS) comprise an effective and appropriate security program for systems that process, store, or have access to Stanford's Prohibited or Restricted data. The most recent version of the PCI DSS is available here.
- Protected Health Information (PHI) is all individually identifiable information that relates to the health or health care of an individual and is protected under federal or state law. For questions about whether information is considered to be PHI, contact the University Privacy Officer.
- A Qualified Machine is a computing device located in a secure Stanford facility and with access control protections that meet the Payment Card Industry Data Security Standards located at https://www.pcisecuritystandards.org/security_standards/index.php
- Student Records are those that are required to be maintained as non-public by the Family Educational Rights and Privacy Act (FERPA). Student Records include Stanford-held student transcripts (official and unofficial), and Stanford-held records related to (i) academic advising, (ii) health/disability, (iii) academic probation and/or suspension, (iv) conduct (including disciplinary actions), and (v) directory information maintained by the Office of the Registrar and requested to be kept confidential by the student. Applications for student admission are not considered to be Student Records unless and until the student attends Stanford.
Data Classifications
Use these criteria to determine which data classification is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place that system into that Classification.
| Prohibited Information | Restricted Information | Confidential Information | Unrestricted Information | |
|---|---|---|---|---|
| Information Classification Guideline |
Information is classified as "Prohibited" if protection of the information is required by law/regulation or Stanford is required to self-report to the government and/or provide notice to the individual if information is inappropriately accessed If a file which would otherwise be considered to be Restricted or Confidential contains any element of Prohibited Information, the entire file is considered to be Prohibited Information. |
Information is classified as "Restricted" if (i) it would otherwise qualify as "Prohibited" but it has been determined by the DGB that prohibiting information storage on Computing Equipment would significantly reduce faculty/staff/student effectiveness when acting in support of Stanford's mission and/or (ii) it is listed as Restricted in the "Classification of Common Data Elements" below. |
Information is classified as "Confidential" if (i) it is not considered to be Prohibited or Restricted and is not generally available to the public, or (ii) it is listed as Confidential in the "Classification of Common Data Elements". |
Information is classified as "Unrestricted" if it is not considered to be Prohibited, Restricted, or Confidential. |
| Classification of Common Data Elements |
|
|
|
|
| Access Protocol |
Access only with permission from the DGB or the VP for Business Affairs. |
Access limited to those permitted under law, regulation and Stanford's policies, and with a need to know. |
Access limited to those with a need to know, at the discretion of the data owner or custodian. |
Anyone may access Unrestricted information. However, care should always be taken to use all University information appropriately and to respect all applicable laws. Information that is subject to copyright must only be distributed with the permission of the copyright holder. |
|
Transmission |
NIST-approved encryption is required when transmitting information through a network. Third party email services are not appropriate for transmitting Prohibited information. Prohibited numbers may be Masked instead of encrypted. |
NIST-approved encryption is required when transmitting information through a network. Third party email services are not appropriate for transmitting Restricted information. Restricted numbers may be Masked instead of encrypted. |
NIST-approved encryption is strongly recommended when transmitting information through a network. Third party email services are discouraged for transmitting Confidential information. |
No encryption is required for Unrestricted information. |
|
Storage |
Prohibited on Computing Equipment unless approved by the DGB. If DGB approves, NIST-approved encryption is required on Computing Equipment. Prohibited numbers may be Masked instead of encrypted. NIST-approved encryption is also required if the information is not stored on a Qualified Machine. Third party processing or storage services are not appropriate for receiving or storing Prohibited information unless approved by the DGB. |
NIST-approved encryption is required if information is stored on Computing Equipment. Restricted numbers may be Masked instead of encrypted. NIST-approved encryption is also required if the information is not stored on a Qualified Machine. Third party processing or storage services are not appropriate for receiving or storing Restricted information unless approved by the DGB. |
Encryption of Confidential information is strongly recommended. Level of required protection of Confidential information is either pursuant to Stanford policy or at the discretion of the owner or custodian of the information. If appropriate level of protection is not known, check with the data owner before storing Confidential information unencrypted. Third party processing or storage services may receive or store Confidential data if Stanford has a valid contract with the vendor that includes the standard clauses specified in the ASP Security Requirements. |
No encryption is required for Unrestricted information. Care should still be taken to protect the integrity of Unrestricted information. |
Unpublished Research Data
Published research data is of course considered public, and the University is committed to openness in its research. The section "Openness in Research" of the Research Policy Handbook codifies this commitment and also outlines some situations in which unpublished research data may need to be kept private. In those circumstances, unpublished research data is considered Confidential.
For purposes of data classification, a faculty member directing research is the data owner of the results of that research. As such, determining the level of protection necessary for unpublished research data is the prerogative of the faculty, taking into account any agreements such as the information security requirements of external research sponsors.
Stanford Services Quick Reference Guide
If not specified below, contact the Information Security Office for guidance before using a service to store, process, or transmit Prohibited, Restricted, or Confidential data as defined above, noting that approval is needed in advance of handling Prohibited data on anything other than Qualified Machines. Some of the services below require additional components in order to qualify for the specified permitted data classifications. Click on the service link for details.
Permitted Not Permitted
