These standards are intended to reflect the minimum level of care necessary for Stanford's sensitive data. They do not relieve Stanford or its employees, partners, consultants or vendors of further obligations that may be imposed by law, regulation or contract.
Stanford expects all partners, consultants and vendors to abide by Stanford's information security policies. If non-public information is to be accessed by or shared with these third parties, they should be bound by contract to abide by Stanford's information security policies.
You are encouraged to begin adopting these standards, prioritizing your systems by risk level. As cybersecurity is a rapidly evolving field that continuously presents us with new challenges, these standards will be revised and updated accordingly. In time, these standards will become requirements codified in the Administrative Guide.
Minimum Security Standards: Endpoints
An endpoint is defined as any laptop, desktop, or mobile device.
- Determine the risk level by reviewing the data risk classification examples, server risk classification examples and application risk classification examples and selecting the highest applicable risk designation across all. For example, an endpoint storing Low Risk data but utilized to access a High Risk application is designated as High Risk.
- Follow the minimum security standards in the table below to safeguard your endpoints.
Standards | Free of Charge | Recurring Task | What to do | Low Risk | Moderate Risk | High Risk |
---|---|---|---|---|---|---|
Patching | Provided free of charge | Recurring Task | Apply security patches within seven days of publish. BigFix is recommended. Use a supported OS version. | Required for low risk data | Required for moderate risk data | Required for high risk data |
Whole Disk Encryption | Provided free of charge | | Enable FileVault 2 for Mac, BitLocker for Windows. SWDE is recommended, option to use VLRE instead. Install MDM on mobile devices. | Required for low risk data | Required for moderate risk data | Required for high risk data |
Malware Protection | Provided free of charge | | Install antivirus (SCEP recommended). Install EMET on Windows. | Required for low risk data | Required for moderate risk data | Required for high risk data |
Backups | | | Back up user data at least daily. University IT CrashPlan PROe is recommended (option to set personal password). Encrypt backup data in transit and at rest. | Required for low risk data | Required for moderate risk data | Required for high risk data |
Inventory | Provided free of charge | Recurring Task | Review and update NetDB records quarterly. Maximum of one node per NetDB record. | Required for low risk data | Required for moderate risk data | Required for high risk data |
Configuration Management | Provided free of charge | | Install BigFix and SWDE. | | | Required for high risk data |
Regulated Data Security Controls | | | Implement PCI DSS, HIPAA, or export controls as applicable. | | | Required for high risk data |
Minimum Security Standards: Servers
A server is defined as a host that provides a network accessible service.
- Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, a server running a Low Risk application but storing High Risk data is designated as High Risk.
- Follow the minimum security standards in the table below to safeguard your servers.
Standards | Free of Charge | Recurring Task | What to do | Low Risk | Moderate Risk | High Risk |
---|---|---|---|---|---|---|
Patching | Provided free of charge | Recurring Task | Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish, medium severity within 14 days, and low severity within 28 days. Use a supported OS version. | Required for low risk servers | Required for moderate risk servers | Required for high risk servers |
Inventory | Provided free of charge | Recurring Task | Review and update NetDB + SUSI (in development) records quarterly. Maximum of one node per NetDB record. | Required for low risk servers | Required for moderate risk servers | Required for high risk servers |
Firewall | | | Enable host-based firewall in default deny mode and permit minimum necessary services. | Required for low risk servers | Required for moderate risk servers | Required for high risk servers |
Credentials and Access Control | | Recurring Task | Review existing accounts and privileges quarterly. Enforce password complexity. Logins with SUNet credentials via Kerberos recommended. | Required for low risk servers | Required for moderate risk servers | Required for high risk servers |
Two-Step Authentication | Provided free of charge | | Require Duo two-step authentication for all interactive user and administrator logins. | | Required for moderate risk servers | Required for high risk servers |
Centralized Logging | | | Forward logs to a remote log server. University IT Splunk service recommended. | | Required for moderate risk servers | Required for high risk servers |
Sysadmin Training | Provided free of charge | Recurring Task | Attend two days of Stanford Information Security Academy training annually. | | Required for moderate risk servers | Required for high risk servers |
Vulnerability Management | Provided free of charge | Recurring Task | Monthly Qualys scan. Remediate severity 5 vulnerabilities within seven days, severity 4 vulnerabilities within 14 days, and severity 3 vulnerabilities within 28 days of discovery. | | Required for moderate risk servers | Required for high risk servers |
Malware Protection | Provided free of charge | Recurring Task | Deploy Bit9 in high enforcement mode. Review alerts as they are received. | | Required for moderate risk servers | Required for high risk servers |
Intrusion Detection | Provided free of charge | Recurring Task | Deploy Bit9 on supported platforms, otherwise use OSSEC or Tripwire. Review alerts as they are received. | | Required for moderate risk servers | Required for high risk servers |
Physical Protection | | | Place system hardware in a data center. | | Required for moderate risk servers | Required for high risk servers |
Dedicated Admin Workstation | | | Access administrative accounts only via a certified Personal Bastion Host (PBH). | | | Required for high risk servers |
Security, Privacy, and Legal Review | Provided free of charge | | Request a Security, Privacy, and Legal review and implement recommendations before deployment. | | | Required for high risk servers |
Regulated Data Security Controls | | | Implement PCI DSS, HIPAA, or export controls as applicable. | | | Required for high risk servers |
Minimum Security Standards: Applications
An application is defined as software running on a server that is remotely accessible, including mobile applications.
- Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an application providing access to Low Risk Data but running on a High Risk server is designated as High Risk.
- Follow the minimum security standards in the table below to safeguard your applications.
Standards | Free of Charge | Recurring Task | What to do | Low Risk | Moderate Risk | High Risk |
---|---|---|---|---|---|---|
Patching | | Recurring Task | Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish, medium severity within 14 days, and low severity within 28 days. Use a supported version of the application. | Required for low risk applications | Required for moderate risk applications | Required for high risk applications |
Inventory | | Recurring Task | Maintain a list of applications, data classifications, and volume estimates. Review and update records quarterly. | Required for low risk applications | Required for moderate risk applications | Required for high risk applications |
Firewall | Provided free of charge | | Permit minimum necessary services in network firewall. | Required for low risk applications | Required for moderate risk applications | Required for high risk applications |
Credentials and Access Control | | Recurring Task | Review existing accounts and privileges quarterly. Enforce password complexity. Logins with SUNet credentials via WebAuth/SAML recommended. | Required for low risk applications | Required for moderate risk applications | Required for high risk applications |
Two-Step Authentication | Provided free of charge | | Require Duo two-step authentication for all interactive user and administrator logins. | | Required for moderate risk applications | Required for high risk applications |
Centralized Logging | | | Forward logs to a remote log server. University IT Splunk service recommended. | | Required for moderate risk applications | Required for high risk applications |
Vulnerability Management | Provided free of charge | Recurring Task | Monthly Qualys application scan. Remediate severity 5 vulnerabilities within seven days, severity 4 vulnerabilities within 14 days, and severity 3 vulnerabilities within 28 days of discovery. | | Required for moderate risk applications | Required for high risk applications |
Secure Software Development | | | Include security as a design requirement. Review all code and correct identified security flaws before deployment. Use of static code analysis tools recommended. | | Required for moderate risk applications | Required for high risk applications |
Developer Training | Provided free of charge | Recurring Task | Attend two days of Stanford Information Security Academy training annually. | | Required for moderate risk applications | Required for high risk applications |
Backups | | | Back up application data at least weekly. Encrypt backup data in transit and at rest. | | Required for moderate risk applications | Required for high risk applications |
Dedicated Admin Workstation | | | Access administrative accounts only via a certified Personal Bastion Host (PBH). | | | Required for high risk applications |
Security, Privacy, and Legal Review | Provided free of charge | | Request a Security, Privacy, and Legal review and implement recommendations before deployment. | | | Required for high risk applications |
Regulated Data Security Controls | | | Implement PCI DSS, HIPAA, or export controls as applicable. | | | Required for high risk applications |
Definitions
- Computing Equipment
- Any Stanford or non-Stanford desktop or portable device or system
- Masked number
- (i) A credit card primary account number (PAN) has no more than the first six and the last four digits intact, and (ii) all other Prohibited or Restricted numbers have only the last four digits intact. See the entire PCI DSS 3.1 Standard (available after agreeing to the PCI Security Standards Council's license terms).
- NIST-Approved Encryption
- The National Institute of Standards and Technology (NIST) develops and promotes cryptographic standards that enable U.S. Government agencies and others to select cryptographic security functionality for protecting their data. Encryption that meets NIST-approved standards is suitable for protecting Stanford's data if the encryption keys are properly managed. In particular, secret cryptographic keys must not be stored or transmitted along with the data they protect. Cryptographic keys have the same data classification as the most sensitive data they protect.
- Payment Card Industry Data Security Standards
- The practices used by the credit card industry to protect cardholder data. The Payment Card Industry Data Security Standards (PCI DSS) comprise an effective and appropriate security program for systems that process, store, or have access to Stanford's Prohibited or Restricted data. The most recent version of the PCI DSS is published by the PCI Security Standards Council.
- Protected Health Information (PHI)
- All individually identifiable information that relates to the health or health care of an individual and is protected under federal or state law. For questions about whether information is considered to be PHI, contact the University Privacy Officer.
- Qualified Machine
- A computing device located in a secure Stanford facility and with access control protections that meet the Payment Card Industry Data Security Standards.
- Student Records
- Information required to be maintained as non-public by the Family Educational Rights and Privacy Act (FERPA). Student Records include Stanford-held student transcripts (official and unofficial), and Stanford-held records related to (i) academic advising, (ii) health/disability, (iii) academic probation and/or suspension, (iv) conduct (including disciplinary actions), and (v) directory information maintained by the Office of the Registrar and requested to be kept confidential by the student. Applications for student admission are not considered to be Student Records unless and until the student attends Stanford.
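The "Masked number" definition above states the rule but not how to apply it to a number as it actually arrives in a spreadsheet or log. The following helper is an added example, not Stanford's code: it implements the two clauses of the definition (at most first six and last four of a PAN; last four only for any other Prohibited or Restricted number) and refuses to mask input that does not look like a PAN, so a malformed value is never silently passed through as "masked". Accepting spaces and hyphens as separators, and the Luhn sanity check, are my additions; the masking rule itself is the page's.

```python
"""Masking per the 'Masked number' definition. Added example; not Stanford's code."""
import re

MASK_CHAR = "X"


def _digits(value: str) -> str:
    """Drop spaces and hyphens so '4111-1111-1111-1111' masks like '4111111111111111'."""
    return re.sub(r"[\s-]", "", value)


def luhn_ok(number: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812), which every card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_plausible_pan(value: str) -> bool:
    """Assumption for the example: 13 to 19 digits with a valid Luhn check digit."""
    digits = _digits(value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(pan: str, keep_prefix: int = 6) -> str:
    """Clause (i): keep at most the first six and the last four digits of a PAN.

    keep_prefix may be lowered (e.g. 0 to hide the issuer prefix) but never raised
    above six. With 13+ digits there are always at least three digits to mask.
    """
    if not 0 <= keep_prefix <= 6:
        raise ValueError("PCI DSS permits at most the first six digits intact")
    if not is_plausible_pan(pan):
        raise ValueError("input does not look like a card PAN; refusing to mask")
    digits = _digits(pan)
    hidden = len(digits) - keep_prefix - 4
    return digits[:keep_prefix] + MASK_CHAR * hidden + digits[-4:]


def mask_restricted_number(value: str) -> str:
    """Clause (ii): any other Prohibited or Restricted number keeps only its last four."""
    digits = _digits(value)
    if not digits.isdigit() or len(digits) <= 4:
        raise ValueError("need more than four digits to mask")
    return MASK_CHAR * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    # Constructed inputs: the Visa test PAN and a made-up SSN-shaped number.
    print(mask_pan("4111 1111 1111 1111"))          # 411111XXXXXX1111
    print(mask_pan("4111111111111111", keep_prefix=0))
    print(mask_restricted_number("123-45-6789"))   # XXXXX6789
```

Note that the definition is a ceiling, not a target: `keep_prefix=0` is still a valid masked number, and the safer default for display contexts that do not need the issuer prefix.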
Who do I contact for questions?
General Questions
Unit | Website | Help |
---|---|---|
Privacy Office | Privacy Office | Submit help request |
Information Security Office | Information Security Office | Submit help request |
Suspected Information Security Incident
Unit | Website | Help |
---|---|---|
Information Security Office | Information Security Office | Submit help request |
Report Lost or Stolen Device
Unit | Website | Help |
---|---|---|
Privacy Office | Privacy Office | Submit report |