Information Resources & Technology (IRT)

Encryption

Personal Responsibility

Legally, you are personally and fiscally responsible for any information disclosure from your computer or mobile devices, whether accidental or not. IRT Security is here to help you protect yourself: encryption is a one-time, necessary step you can take now to prevent trouble in the future. Read on to see if your system must be encrypted, and use the quick links to get started.

Data Security Program

The Data Security Program at the School of Medicine oversees compliance with Stanford policy and federal law. The program will be conducting ongoing assessments of the devices and the kinds of data users work with. As of January 2013, the SoM requires that all devices used to access Stanford Restricted or Prohibited information be encrypted, whether they are owned by you personally or by the University. The SoM can also provide you with encrypted USB drives and external hard drives, since such information must always be stored in encrypted form. Laptops and desktops used to access such information must use CrashPlan, which backs up your data automatically to the SoM's new centralized backup server.

For the first stage of this encryption drive, you should:

  • Make sure BigFix is installed on your computer (for Mac or for Windows)
  • Upgrade Macs to OS 10.8
  • Enroll mobile devices in MDM

To find out more about the Data Security Program, and to get your computers ready for encryption, visit med.stanford.edu/datasecurity.

To check whether you and your devices are in compliance, visit amie.stanford.edu.

Data Classification: What Data Must Be Encrypted?

There are three categories of information that should be encrypted if stored on your computer. If your machine cannot be encrypted for technical reasons, then you cannot store this type of information on it, PERIOD. If you work remotely using information that falls into these three categories, you must encrypt your home computer as well.

The following definitions are excerpted from the Data Classification page of Stanford University's Stanford Secure Computing.

Prohibited Data

Information is classified as “Prohibited” if protection of the information is required by law/regulation, or if Stanford is required to self-report to the government and/or provide notice to the individual if information is inappropriately accessed. [Prohibited data must be removed from your hard drive unless you have explicit permission from the Data Governance Board to have it on your system. Prohibited data must be encrypted.]

Note: If a file which would otherwise be considered to be Restricted or Confidential contains any element of Prohibited Information, the entire file is considered to be Prohibited Information.

Common types of Prohibited Data include:

  • Social Security Numbers
  • Credit Card Numbers
  • Financial Account Numbers, such as checking or investment account numbers
  • Driver's License Numbers
  • Health Insurance Policy ID Numbers

Restricted Data

Information is classified as “Restricted” if (i) it would otherwise qualify as “Prohibited” but it has been determined by the Data Governance Board (DGB) that prohibiting information storage on Computing Equipment would significantly reduce faculty/staff/student effectiveness when acting in support of Stanford’s mission and/or (ii) it is listed as Restricted in the Classification of Common Data Elements. [Restricted data must be encrypted.]

Common types of Restricted Data include:

  • Student Records (for special exceptions see the Data Classification Chart)
  • Protected Health Information (PHI)
  • Passport and visa numbers
  • Research and other information covered by non-disclosure agreements
  • Export controlled information under U.S. laws

Confidential Data

Information is classified as “Confidential” if (i) it is not considered to be Prohibited or Restricted and is not generally available to the public, or (ii) it is listed as Confidential in the Classification of Common Data Elements. [Confidential data is not legally required to be encrypted, but Stanford strongly recommends it.]

Common types of Confidential Data include:

  • Faculty/staff employment applications, personnel files, benefits information, salary, birth date, and personal contact information
  • Admission applications
  • Donor contact information and non-public gift amounts
  • Privileged attorney-client communications
  • Non-public Stanford policies and policy manuals
  • Stanford internal memos and email, and non-public reports, budgets, plans, and financial information
  • Non-public contracts
  • University and employee ID numbers
