Information Privacy & Security: Quick Reference Guide
All of us share responsibility for protecting Stanford systems and data from unauthorized access.
See below for a summary of resources, responsibilities, and important contacts: to help you keep track of your data security obligations, and to give you the answers to any questions you may have.
Roles and Responsibilities
Faculty & Staff Responsibilities
- Understand the Low, Moderate, and High Risk Data classifications and perform required attestations - https://dataclass.stanford.edu, https://med.stanford.edu/datasecurity/attestation.html
- Keep your laptop/desktop software up to date — https://patching.stanford.edu
- Verifiably encrypt all of your devices used for Stanford business [this includes keeping them locked with a passcode] — https://encrypt.stanford.edu
- Request a Data Risk Assessment for new systems handling High Risk Data — https://dra.stanford.edu
- Back up your laptop/desktop — https://irt.stanford.edu/security/backups.html
- Watch the information security awareness video — https://accounts.stanford.edu/manage
- Be vigilant for phishing and other social engineering schemes — https://phishing.stanford.edu
- Report lost or stolen devices to the University Privacy Office — https://privacy.stanford.edu
- Be familiar with security policies and HIPAA regulations — https://security.stanford.edu
- Use MedSecureSend to send High Risk Data files, or type “Secure:” in the subject line to send High Risk Data via email — https://irt.stanford.edu/security/mss.html, https://secureemail.stanford.edu
- Use Medicine Box for PHI data storage and collaboration — https://med.stanford.edu/box.html
- Leaving Stanford? — https://irt.stanford.edu/security/leaving-stanford.html, https://departingpersonnel.stanford.edu
Department Management: Director of Finance and Administration (and/or designee) Responsibilities
Perform periodic monitoring and oversight to ensure faculty and staff roles and responsibilites are performed in compliance with policies and regulations.
Penalties for non-compliance:
Violations may result in network removal, access revocation, corrective action, and/or civil or criminal prosecution. Violators may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to campus policies, collective bargaining agreements, codes of conduct, or other instruments governing the individual's relationship with the University. Recourse shall be available under the appropriate section of the employee's personnel policy or contract, or by pursuing applicable legal procedure.
Policies and Regulations
Questions? Subject Matter Experts (SME) Contacts
University Privacy Office — https://privacy.stanford.edu
Chief Privacy Officer, Wendi Wright — privacy (at) stanford.edu
SoM Information Resources & Technology (IRT) — http://irt.stanford.edu
Created: April 2017
Author: Office of Audit, Compliance, Risk and Privacy, Internal Audit Services — https://acrp.stanford.edu/audit/internal-audit-services
Reviewed by: SME Contacts