Information Privacy & Security: Quick Reference Guide


All of us share responsibility for protecting Stanford systems and data from unauthorized access.

See below for a summary of resources, responsibilities, and important contacts to help you keep track of your data security obligations and to answer any questions you may have.

Key Resources

Roles and Responsibilities

Faculty & Staff Responsibilities

  1. Understand the Low, Moderate, and High Risk Data classifications and perform required attestations
  2. Keep your laptop/desktop software up to date
  3. Verifiably encrypt all of your devices used for Stanford business (this includes keeping them locked with a passcode)
  4. Request a Data Risk Assessment for new systems handling High Risk Data
  5. Back up your laptop/desktop
  6. Watch the information security awareness video
  7. Be vigilant for phishing and other social engineering schemes
  8. Report lost or stolen devices to the University Privacy Office (look for the button marked "Report a Privacy Incident")
  9. Be familiar with security policies and HIPAA regulations
  10. Use MedSecureSend to send High Risk Data files, or type “Secure:” in the subject line to send High Risk Data via email
  11. Use Medicine Box for PHI data storage and collaboration
  12. Leaving Stanford?

Department Management: Director of Finance and Administration (and/or designee) Responsibilities

Perform periodic monitoring and oversight to ensure faculty and staff roles and responsibilities are performed in compliance with policies and regulations.

Penalties for non-compliance:

Violations may result in network removal, access revocation, corrective action, and/or civil or criminal prosecution. Violators may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to campus policies, collective bargaining agreements, codes of conduct, or other instruments governing the individual's relationship with the University. Recourse shall be available under the appropriate section of the employee's personnel policy or contract, or by pursuing applicable legal procedure.

Policies and Regulations

     • Administrative Guide: Information Security

     • Risk Classifications

     • Minimum Security Standards

     • Encryption

     • Third-Party Security Requirements

     • Data Sanitization

     • Regulatory: HIPAA


Document History

Created: April 2017
Author: Office of Audit, Compliance, Risk and Privacy, Internal Audit Services

Reviewed by: SME Contacts
