Information Security Compliance Management
Your AMIE Attestation is the Key
For School of Medicine personnel, information security compliance is based on the person and not on the device. Your role and the type of data to which you have access determine the requirements, rather than whether or not there is High Risk data on a specific device.
- If, in your work at Stanford, you may access or receive High Risk Data, your security compliance will be reported by the SoM system, AMIE (Am I Encrypted).
- If you will never receive or access High Risk Data on any device, your compliance will be reported by the UIT system, My Devices.
These systems will report your compliance with the security standards for laptops, desktops, and mobile devices. Encryption is the most important thing you can do to protect your data. AMIE and My Devices receive your encryption verification via software installed on your devices, which may include BigFix, Jamf, or AirWatch. These systems are also used to install critical security patches and can be used to deploy software as well. Review this TDS page for more information on how BigFix is used in SoM.
What do I do first?
All School of Medicine personnel must first complete a Data Security Attestation. In this survey, you will verify whether you may work with or might receive High Risk Data. If you attest Yes, you will be asked to specify all devices you use for any Stanford work (whether or not the devices actually hold High Risk Data). Your attestation should be renewed annually and updated when your affiliation, job, or role within the School of Medicine changes. Update your AMIE Data and Device Attestation here
The table below reflects how attestation affects the compliance standards that apply to you.
Information Security Requirements Based on Attestation
|Action||Attest Yes to High Risk Data||Attest No to High Risk Data|
|AMIE Attestation||Required for all SoM personnel|
|Compliance System||SoM AMIE||UIT My Devices|
|Stanford-owned Computers||SWDE is required to verify encryption|
|Personally-owned Computers||SWDE is required to verify encryption||Either SWDE or VLRE can be used to verify encryption|
||MDM is required, even if not used on the Stanford network||MDM is required for devices used on the Stanford network|
|Backup of Laptops/Desktops||Daily, encrypted backups are required.|
|Automatic Forwarding of @stanford.edu Mail||Must not auto-forward to anything other than @stanfordmed.org, @stanfordhealthcare.org, @stanfordchildrens.org||May auto-forward email|
|Unsupported Operating Systems||Must be upgraded, replaced, or have an approved security exception *|
* A Temporary Security Exception can be requested for devices that cannot meet security requirements but are used to control scientific equipment or specialized facilities. Exceptions can be submitted at https://uit.stanford.edu/security/exception-request
How Do I Get There?
Encrypt Computers & Mobile Devices
Encryption is the first step to take to protect your Stanford and personal data, even if your device is lost or stolen. Stanford security compliance requires verifiable encryption.
The University IT Encryption site will lead you through encryption of your laptop, desktop, or mobile device.