[an error occurred while processing this directive]
Data Security Program

New to Stanford

Compliance with the policy requires the following actions:

All SoM Community Members

1. Data & Device Attestation

Everyone at the School of Medicine will be asked to complete a Data & Device Attestation to identify whether you are exposed to High Risk data (previously Restricted or Prohibited Data) and the kinds of devices you use. Please only report the Stanford- and personally-owned devices that you use for school business. You do not need to report devices owned by SHC or LPCH. Go to Data & Device Attestation Survey »

2. Mobile Device Management

All mobile devices used by individuals who attest to having access to High, Moderate, or Low Risk data must be enrolled in Stanford's Mobile Device Management service. See: MDM Installation guide

All SoM devices enrolled in MDM must have a Restricted MDM profile, and not a Basic profile. If you currently have a Basic profile set up for a device, the only way to get a Restricted profile is to unenroll and re-enroll the device.

MDM support iOS and Android (version 4.0 and above) devices. Devices that cannot support must not be used for Stanford work by individuals who attest to accessing High, Moderate, or Low Risk data. To enroll an eligible Android or iOS device in MDM, visit mdm.stanford.edu from the browser on the device.

3. BigFix Security Management

BigFix, Stanford's computer and security management tool, must be installed on all Stanford- and personally-owned laptops and desktops (and VMs) that may be used by individuals who have access to High Risk data (previously Restricted or Prohibited Data). Any device you use to access the hospitals' EPIC systems are subject to the University Data Security policy and must be fully compliant with all University security requirements. BigFix, however, should not be installed on computers owned by SHC or LPCH. See: BigFix Installation guide »

BigFix is automatically included when using the University's encryption tool SWDE (pronounced "suede"). Individuals who do not have access to High Risk data are not required to use BigFix but are still required to be verifiably encrypted - the University's new tool VLRE (pronounced "velour") can provide acceptable encryption verification without using BigFix. The VLRE tool will require users to provide the update and patching responsibilities independently of the centrally managed BigFix.

4. Device Identification Survey

Through a BigFix pop-up screen, you will be delivered the Device Identification Survey to identify the specific computers you use for Stanford business.

Select this option to access the University's Device Enrollment tool from a machine that does not have BigFix.

Stanford employees who work at the School of Medicine

5. Encryption

All computers and laptops used by Stanford employees for school business must be encrypted using Stanford's sanctioned whole disk encryption solutions. Those with access to High Risk data must use SWDE; those who do not access or receive High Risk data may use either SWDE or VLRE. This encryption requirement applies to all Stanford-owned computers and also to personally-owned computers on the Stanford network - even if you just use them to read Stanford email.

Windows XP is not an approved operating system at Stanford. Devices that cannot meet the data security requirements should be upgraded or replaced. Older systems that manage specialized research equipment or applications can apply for a Data Security Exception. Approved exceptions will be migrated to a special network with increased security to compensate for the risks of continuing to use an unsupported operating system on the network.

Any Stanford affiliate (faculty, students, staff, postdocs) who works with High Risk Data

6. Encryption

All laptops and desktops (whether Stanford- or personally owned) that store or access High Risk data (previously Restricted or Prohibited data) must be encrypted using Stanford Whole Disk Encryption (SWDE). This includes all computers used to access the hospitals' EPIC systems. See: Installation FAQs »

Machines older than 3 years have often had problems with encryption. If your computer is too old to be encrypted, or you are having issues with the encryption process, you should work with your Department to identify or provide an encrypted computer for use in your Stanford work.

Windows XP is not an approved operating system.

7. Attestation of Compliance

You will be asked to complete an Attestation of Compliance certifying your compliance with the SoM Data Security Policy.

Select Your Device to Get Started

Current Tab: 2