Information Security Compliance Management

Your AMIE Attestation is the Key

For School of Medicine personnel, information security compliance is based on the person and not on the device.  Your role and the type of data to which you have access determine the requirements, rather than whether or not there is High Risk data on a specific device.

  • • If in your work at Stanford, you may access or receive High Risk Data, your security compliance will be reported by the SoM system, AMIE (Am I Encrypted). 
    • If you will never receive or access High Risk Data on any device, your compliance will be reported by the UIT system, My Devices.

These systems will report your compliance with the security standards for laptops and desktop and mobile devices.  Encryption is the most important thing you can do to protect your data.  AMIE and My Devices receive your encryption verification via software installed on your devices which may include BigFix, Jamf, or AirWatch.  These systems are also used to install critical security patches and can be used to deploy software as well.  Review this TDS page for more information on how BigFix is used in SoM.

What do I do first?

All School of Medicine personnel must first complete a Data Security Attestation. In this survey, you will verify whether you may work with or might receive High Risk Data.  If you attest Yes, you will be asked to specify all devices you use for any Stanford work (whether or not the device(s) actually use High Risk Data). Your attestation should be renewed annually and updated when your affiliation, job or role within the School of Medicine is changed.  Update your AMIE Data and Device Attestation here


The table below reflects how attestation affects the compliance standards that apply to you.

Information Security Requirements Based on Attestation

Action Attest Yes to High Risk Data
Attest No to High Risk Data
AMIE Attestation Required for all SoM personnel
Compliance System SoM AMIE
UIT My Devices
Stanford-owned Computers SWDE is required to verify encryption
Personally-owned Computers SWDE is required to verify encryption Either SWDE or VLRE can be used to verify encryption
Mobile Devices
MDM is required, even if not used on the Stanford network MDM is required for devices used on the Stanford network
Backup of Laptops/Desktops
Daily, encrypted backups are required.
Automatic Forwarding of @stanford.edu Mail
Must not auto-forward to anything other than @stanfordmed.org, @stanfordhealthcare.org, @stanfordchildrens.org May auto-forward email  
Unsupported Operating Systems Must be upgraded, replaced, or have an approved security exception *

* A Temporary Security Exception can be requested for devices that cannot meet security requirements but are used to control scientific equipment or specialized facilities.  Exceptions can be submitted at https://uit.stanford.edu/security/exception-request


How Do I Get There?

Encrypt Computers & Mobile Devices

Encryption is the first step to take to protect your Stanford and personal data, even if your device is lost or stolen.  Stanford security compliance requires verifiable encryption.

The University IT Encryption site will lead you through encryption of your laptop, desktop, or mobile device.

Check My Compliance

If you attest Yes that you may access or receive High Risk Data in the AMIE Attestation survey, your compliance is managed by AMIE (Am I Encrypted).  If you attest No, your compliance is managed by My Devices.

Check your AMIE compliance here

Check your My Devices compliance here

Why is This Required?

Stanford's information security policies are here to help us all ensure critical information resources are protected in compliance with various federal and state regulations.  


How Can This Affect Me?

Every user of any of Stanford's information resources has some responsibility toward the protection of those assets.  Especially in the event of an unauthorized data breach, not only the University but you personally can be held liable.

Back Up My Data

Make sure your files and data are protected and recoverable by having a backup copy.  Backups should be encrypted and done daily.

How is Data Classified?

Stanford has classified its information assets into risk-based categories for the purpose of managing the controls and precautions that must be taken to protect this information.


Need Assistance?

If you need assistance or information on any of these items, please contact the TDS Service Desk at 650-725-8000 or submit a ticket from tdshelp.stanford.edu