Information Privacy & Security: Quick Reference Guide

All of us share responsibility for protecting Stanford systems and data from unauthorized access.

See below for a summary of resources, responsibilities, and important contacts: to help you keep track of your data security obligations, and to give you the answers to any questions you may have.

      • University Privacy Office — https://privacy.stanford.edu

      • Information Security Office — https://security.stanford.edu

      • Risk Classifications — https://dataclass.stanford.edu

      • Minimum Security Standards — https://minsec.stanford.edu

      • Verifiable Encryption — https://encrypt.stanford.edu

Faculty & Staff Responsibilities

1. Understand the Low, Moderate, and High Risk Data classifications and perform required attestations - https://dataclass.stanford.edu, https://med.stanford.edu/datasecurity/attestation.html
    
   
2. Keep your laptop/desktop software up to date — https://patching.stanford.edu
    
   
3. Verifiably encrypt all of your devices used for Stanford business [this includes keeping them locked with a passcode] — https://encrypt.stanford.edu
    
   
4. Request a Data Risk Assessment for new systems handling High Risk Data — https://dra.stanford.edu
    
   
5. Back up your laptop/desktop — https://irt.stanford.edu/security/backups.html
     
   
6. Watch the information security awareness video — https://accounts.stanford.edu/manage
     
   
7. Be vigilant for phishing and other social engineering schemes — https://phishing.stanford.edu
     
   
8. Report lost or stolen devices to the University Privacy Office — https://privacy.stanford.edu
     
   
9. Be familiar with security policies and HIPAA regulations — https://security.stanford.edu
     
   
10. Use MedSecureSend to send High Risk Data files, or type “Secure:” in the subject line to send High Risk Data via email — https://irt.stanford.edu/security/mss.html, https://secureemail.stanford.edu
      
    
11. Use Medicine Box for PHI data storage and collaboration — https://med.stanford.edu/box.html
      
    
12. Leaving Stanford? — https://irt.stanford.edu/security/leaving-stanford.html, https://departingpersonnel.stanford.edu

Department Management: Director of Finance and Administration (and/or designee) Responsibilities

Perform periodic monitoring and oversight to ensure faculty and staff roles and responsibilites are performed in compliance with policies and regulations.
 

Penalties for non-compliance:

Violations may result in network removal, access revocation, corrective action, and/or civil or criminal prosecution. Violators may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to campus policies, collective bargaining agreements, codes of conduct, or other instruments governing the individual's relationship with the University. Recourse shall be available under the appropriate section of the employee's personnel policy or contract, or by pursuing applicable legal procedure.

     • Administrative Guide: Information Security

     • Risk Classifications

     • Minimum Security Standards

     • Encryption

     • Third-Party Security Requirements

     • Data Sanitization

     • Regulatory: HIPAA

University Information Security Office — https://security.stanford.edu
Chief Information Security Officer, Michael Duff — securityofficer (at) stanford.edu

University Privacy Office — https://privacy.stanford.edu

Chief Privacy Officer, Wendi Wright —  privacy (at) stanford.edu

SoM Information Resources & Technology (IRT) — http://irt.stanford.edu

•      • Chief Information Officer, Michael Halaas
  
•      • Chief Technology Officer, Todd Ferris
•      • Director of Security Programs, Sharie Kumaishi
•      • IRT Help Desk - Submit an IRT Help Form or call (650) 725-8000

Created: April 2017
Author: Office of Audit, Compliance, Risk and Privacy, Internal Audit Services — https://acrp.stanford.edu/audit/internal-audit-services

Reviewed by: SME Contacts