Endpoint Security: Start with the Basics
Your AMIE Attestation is the Key
We all share responsibility for protecting Stanford systems and information from unauthorized access. In the School of Medicine, security requirements are based on an individual's role and the type of data they may access or receive, rather than the actual data stored on their endpoints.
Each School of Medicine affiliate must complete the AMIE ("AM I Encrypted") Data Security Attestation at least annually. This required survey asks whether you may work with or receive High Risk Data and, if yes, asks you to specify all devices you use for any Stanford work (whether or not these devices actually contain sensitive data). Your attestation should be updated whenever your affiliation, job, or role within the School of Medicine changes.
Roles with Special Requirements
Some School of Medicine personnel have expanded responsibilities for information security based on the nature of their roles. These users will all eventually be exposed to High Risk data such as PHI or PII, so they must attest Yes in AMIE.
Details about requirements for special roles that may affect you.
School of Medicine Enhanced Security Precautions
School of Medicine information security policies may be more rigorous than those in other University Schools or Departments based on the many types of sensitive data in use and the risk that presents.
Quick Topics
First Steps
Know Your Data Risk Classifications
Stanford classifies its information assets into risk-based categories so that appropriate security precautions protect them from unauthorized access or disclosure. High Risk data includes, but is not limited to, PHI: regulated or sensitive data whose loss may have significant impact on the University and on individual personnel or subjects.
Minimum Security Requirements
The University's minimum security standards were developed to reflect the controls required to appropriately protect information that may present risk to the University if lost or disclosed. More restrictive precautions are needed to protect information that presents greater risk to the individuals at the University as well as to Stanford as an organization.
These apply to endpoint computers and mobile devices as well as servers, cloud repositories and platforms, and appliances or other IoT devices.
Complete Your AMIE Attestation
School of Medicine information security compliance is based on the person and not the device. Your role and the type of data to which you have access determine the requirements, rather than whether High Risk data is on a specific device.
• If, in your work at Stanford, you may access or receive High Risk Data, you must attest Yes and your security compliance will be reported by the SoM system, AMIE (Am I Encrypted).
• If you will never receive or access High Risk Data on any device, you may attest No and your compliance will be reported by the UIT system, My Devices.
Next: How Does Compliance Affect Me?
AMIE vs My Devices
AMIE - developed by the School of Medicine. After attestation, it is used to report on the compliance of devices used by individuals who attest Yes that they may access or receive High Risk Data.
My Devices - developed by University IT. It applies to SoM users who attest No in AMIE to the question of whether they may access or receive High Risk Data, as well as to all other non-SoM personnel at Stanford.
Personally-Owned Devices vs Stanford-Purchased Devices
In the School of Medicine, information security protections are applied to devices used for Stanford work, regardless of who actually purchased them. This means that security requirements also apply to all devices which are personally-owned by faculty/staff/students/affiliates if they are used for Stanford work.
Devices that are not used to handle High Risk data are still subject to current information security compliance requirements.
Secure Your Devices
Encrypt Computers and Mobile Devices
Encryption is the best first step to protect personal and Stanford data on your laptops, desktops, and mobile devices - even if your device is lost or stolen. Stanford security requires verifiable encryption. BigFix, Jamf, and Workspace ONE are tools that verify the encrypted state of your devices.
Secure Other Devices Too
All devices, not only laptop/desktop computers and mobile devices, should be securely configured.
This includes servers, cameras, appliances, external drives, and other shared devices.
Use Current Versions of Operating Systems and Applications
Keep the operating systems and applications for your devices up to date. Updated security patches limit the risk of compromise through exploitation of system vulnerabilities.
Special purpose equipment
Computers that manage scientific and other special purpose equipment cannot always be encrypted. TDS Field Support can work with you to ensure that technical controls minimize the risk to your equipment and your research even if it cannot be made fully compliant with security standards.
Computer Backups (CrashPlan)
The University's security standards require laptops and desktops to have encrypted backups done daily. The School of Medicine provides CrashPlan licenses for SoM personnel at no cost to you. You can also add a secondary personal password to access your backup.
Protect Your Credentials and Devices
Minimize the risk of your credentials being compromised:
- Look out for phishing or other social engineering schemes
- Keep your software up to date
- Be sure to back up your devices
- Encrypt your devices
- Be careful about downloads or links that may have malware
Keep Up the Good Work!
Monitor Your Compliance
Review and respond to compliance notifications from AMIE and/or My Devices to keep your devices secure.
Report Lost or Missing Devices
Report lost devices to the University Privacy Office as soon as possible.
This includes laptops/desktops, mobile devices, and external storage devices (USB drives, flash drives, camera memory cards).
Dispose/remove old equipment
Each department has a Departmental Property Administrator who is familiar with the procedures needed to dispose of old property. Typically, this person can assist with removing it from inventory and arranging for pick up by Surplus Property.
Stanford proprietary data must be deleted prior to disposal.
Additional guidance from the Property Management Office and the UIT Computer Equipment Transfer/Disposal page.
Leaving Stanford
Whether graduating or taking a new position outside of Stanford, it is important to address the computing devices and applications you use and the data you may retain or need to eliminate.