Joint Security, Privacy, and Legal Review (JSPLR) Committee and Process
Stanford University is committed to providing reliable access to data in support of Stanford University’s educational and research mission, while ensuring that data is maintained and protected to the greatest extent possible. The Stanford University Joint Security, Privacy, Legal, and Review (JSPLR) Committee was formed to help Stanford community members achieve these goals.
JSPLR’s purpose is to evaluate projects with Moderate and High Risk data, including collaborations with outside parties and research studies that involve sophisticated technological platforms, to ensure that appropriate safeguards are in place to protect the confidentiality, integrity, and availability of Stanford assets, and identify gaps in the existing or proposed information security control environment of a given research project. The value of the JSPLR process is that it offers a streamlined approach, bringing together representatives of the Information Security Office, University Privacy Office, and the Office of the General Counsel.
The sections below provide more detailed information on the JSPLR process steps, including expected deliverables.
- When a review is needed: The JSPLR Committee conducts reviews of new services or projects that handle High and Moderate Risk Data. Reviews of projects and systems handling Low Risk Data are optional, and the JSPLR Committee may conduct such reviews as necessary.
- Deliverables: Report from the JSPLR Committee with risk mitigation recommendations.
- Timeframe: Four weeks, assuming information is provided in a timely fashion.
- Progress Updates: Weekly and as needed.
- Process:
  - Requester opens help ticket via HelpSU:
    - PCAT: https://helpsu.stanford.edu/helpsu/3.0/helpsu?pcat=securityReview
    - We use this ticket to track progress and communications.
  - Requester completes our intake form:
    - Downloads intake form.
    - Submits completed form via email by replying to HelpSU ticket and attaching the file and other supporting information (e.g., third-party security certifications/attestations, data flow diagrams, etc.).
  - JSPLR Committee, within one week:
    - Reviews submitted information and may request additional information via email, or
    - May request a meeting to discuss further in real-time.
  - JSPLR Committee prepares draft report:
    - Sends draft report for review and comments.
    - Reviews comments by committee and requester, and modifies report as appropriate.
  - JSPLR Committee issues final report via email.
  - Requester confirms that recommendations have been implemented.