Stanford has classified its information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access.
As of May 2015, a new set of classifications has been established and is now in effect for Stanford data and systems: Low Risk, Moderate Risk, and High Risk. The former framework — Prohibited, Restricted, Confidential, and Unrestricted — was phased out in January 2016.
Special note to Stanford researchers: Except for regulated data such as Protected Health Information (PHI), Social Security Numbers (SSNs), and financial account numbers, research data and systems predominately fall into the Low Risk classification. Review the classification definitions and examples below to determine the appropriate risk level to apply. See Research Policy Handbook Section 1.10 for information security practices and guidelines specific to research computing systems.
Low Risk
Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:
- The data is intended for public disclosure, or
- The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.
Moderate Risk
Data and systems are classified as Moderate Risk if they are not considered to be High Risk, and:
- The data is not generally available to the public, or
- The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.
High Risk
Data and systems are classified as High Risk if:
- Protection of the data is required by law/regulation,
- Stanford is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, or
- The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
Data Risk Classification Examples
Use the examples below to determine which risk classification is appropriate for a particular type of data. When mixed data falls into multiple risk categories, use the highest risk classification across all.
View Minimum Security Standards: Endpoints
Low Risk
- Research data (at data owner's discretion)
- SUNet IDs
- Information authorized to be available on or through Stanford's website without SUNet ID authentication
- Policy and procedure manuals designated by the owner as public
- Job postings
- University contact information not designated by the individual as "private" in StanfordYou
- Information in the public domain
- Publicly available campus maps
Moderate Risk
- Unpublished research data (at data owner's discretion)
- Student records and admission applications
- Faculty/staff employment applications, personnel files, benefits, salary, birth date, personal contact information
- Non-public Stanford policies and policy manuals
- Non-public contracts
- Stanford internal memos and email, non-public reports, budgets, plans, financial info
- University and employee ID numbers
- Project/Task/Award (PTA) numbers
- Engineering, design, and operational information regarding Stanford infrastructure
High Risk
- Health Information, including Protected Health Information (PHI)
- Health Insurance policy ID numbers
- Social Security Numbers
- Credit card numbers
- Financial account numbers
- Export controlled information
- Driver's license numbers
- Passport and visa numbers
- Donor contact information and non-public gift information
Server Risk Classification Examples
A server is defined as a host that provides a network accessible service.
View Minimum Security Standards: Servers
Low Risk
- Servers used for research computing purposes without involving Moderate or High Risk Data
- File server used to store published public data
- Database server containing SUNet IDs only
Moderate Risk
- Servers handling Moderate Risk Data
- Database of non-public University contracts
- File server containing non-public procedures/documentation
- Server storing student records
High Risk
- Servers handling High Risk Data
- Servers managing access to High Risk systems
- University IT and departmental email systems
- Core campus infrastructure
Application Risk Classification Examples
An application is defined as software running on a server that is network accessible.
View Minimum Security Standards: Applications
Low Risk
- Applications handling Low Risk Data
- Online maps
- University online catalog displaying academic course descriptions
- Bus schedules
Moderate Risk
- Applications handling Moderate Risk Data
- Human Resources application that stores salary information
- Directory containing phone numbers, email addresses, and titles
- University application that distributes information in the event of a campus emergency
- Online application for student admissions
High Risk
- Applications handling High Risk Data
- Human Resources application that stores employee SSNs
- Application that stores campus network node information
- Application collecting personal information of donor, alumnus, or other individual
- Application that processes credit card payments
Approved Services
This table indicates which classifications of data are allowed on a selection of commonly used Stanford University IT services.
| Stanford Service | Low Risk | Moderate Risk | High Risk: NON-PHI 1 | High Risk: PHI 2 |
|---|---|---|---|---|
| Audio and Video Conferencing: Zoom and WebEx | Approved for low risk data | Approved for moderate risk data | Approved for non-PHI high risk data | Approved for PHI high risk data |
| Backups: CrashPlanPROe | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Calendar: Office 365 | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Cardinal Fax | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Cardinal Print | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Cloud Infrastructure4: Amazon Web Services, Microsoft Azure, Google Cloud Platform | Approved for low risk data | Approved for moderate risk data | Approved for non-PHI high risk data | Approved for PHI data |
| Content Management: Stanford Domains | Approved for low risk data | Not approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Content Management: Drupal (Stanford Sites), Wordpress | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Content Management: OpenText | Approved for low risk data | Approved for moderate risk data | Approved for non-PHI high risk data | Not approved for high risk data |
| Database Hosting: MySQL | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Document Management: Box and Office 365 OneDrive | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Not approved for PHI |
| Document Management: Google Drive and Google Shared drives | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Not approved for PHI |
| Document Management: Google G Suite: Docs, Sheets, Forms and Slides | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Not approved for PHI |
| Document Management: Google G Suite: All others (Sites, Photos, etc...) | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Document Management: Medicine Box | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Electronic Data Capture (EDC): REDCap, Forte5, REDCap Cloud5 | Approved for low risk data | Approved for moderate risk data | Approved for non-PHI high risk data | Approved for PHI data |
| Electronic Signature: AdobeSign3 | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Not approved for high risk PHI data |
| Electronic Signature: DocuSign | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Email: Google Mail, Office365 (with “Secure:” in subject line) | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Email: Google Mail, Office365 (without “Secure:” in subject line) | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Email: Other Departmental Systems | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Encryption: Airwatch MDM Compliant Device, SWDE Compliant Device | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Encryption: VLRE Compliant Device | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| File Storage: AFS, CIFS, NFS | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| File Storage: Secure AFS, Secure File Storage | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| File Transfer: Globus | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Form Builder: Web Forms | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Instant Messaging: Jabber | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Slack Messaging: Public Channels | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Slack Messaging: Direct Messages and invite-only channels | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Not approved for high risk data |
| Issue Tracking: JIRA | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Network Access Control: SUNAC | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Research Computing Clusters: Sherlock and SCG | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Research Computing Clusters: Nero | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Research Computing Storage: Oak | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| ServiceNow | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Shared Computing: FarmShare | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Smartsheet: Collaboration and Project Management | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Stanford Profiles: CAP | Approved for low risk data | Not approved for moderate risk data | high risk data not allowed | high risk data not allowed |
| Survey Tool: Qualtrics - University, SoM, and GSB instances | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Survey Tool: Qualtrics - All other instances | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Voice Messaging | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| VPN | Approved for low risk data | Approved for moderate risk data | Approved for general high risk data | Approved for PHI data |
| Web Programming: CGI | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| Wiki: Confluence | Approved for low risk data | Approved for moderate risk data | Not approved for high risk data | Not approved for high risk data |
| 1 Payment Card Industry (PCI) data has special regulatory requirements that preclude using the services above. Contact the PCI team for assistance with handling this type of data. | ||||
| 2 Protected Health Information (PHI) data has special regulatory requirements that govern using the services above. Contact the DRA team for assistance handling this type of data. | ||||
| 3 AdobeSign is the preferred University partner for eSign services. | ||||
| 4 Users with data classified as High Risk data, including Protected Heath Information (PHI), must have their cloud account provisioned by University IT, and must be configured and managed by a Stanford professional services team — for example Stanford Research Computing Center (SRCC) or Technology Consulting Group (TCG). | ||||
| 5 Forte and REDCap Cloud are compliant with Title 21 CFR Part 11 which regulates the handling of electronic records and electronic signatures. | ||||
| * High Risk Data not currently permitted, pending Data Loss Prevention (DLP) solution deployment. | ||||
