Information Privacy & Security: Quick Reference Guide

All of us share responsibility for protecting Stanford systems and data from unauthorized access.

See below for a summary of resources, responsibilities, and important contacts: to help you keep track of your data security obligations, and to give you the answers to any questions you may have.

• University Privacy Office — https://privacy.stanford.edu
• Information Security Office — https://security.stanford.edu
• Risk Classifications — https://dataclass.stanford.edu
• Minimum Security Standards — https://minsec.stanford.edu
• Verifiable Encryption — https://encrypt.stanford.edu
• Information Privacy & Security Quick Reference Guide 

Faculty & Staff Responsibilities

1. Understand the Low, Moderate, and High Risk Data classifications and perform required attestations - https://dataclass.stanford.edu, https://med.stanford.edu/datasecurity/attestation.html
    
   
2. Keep your laptop/desktop software up to date — https://patching.stanford.edu
    
   
3. Verifiably encrypt all of your devices used for Stanford business [this includes keeping them locked with a passcode] — https://encrypt.stanford.edu
    
   
4. Request a Data Risk Assessment for new systems handling High Risk Data — https://dra.stanford.edu
    
   
5. Back up your laptop/desktop — https://med.stanford.edu/irt/security/alldevices/backups.html
     
   
6. Watch the information security awareness video — https://accounts.stanford.edu/manage
     
   
7. Be vigilant for phishing and other social engineering schemes — https://phishing.stanford.edu
     
   
8. Report lost or stolen devices to the University Privacy Office (look for the button marked "Report a Privacy Incident") — https://privacy.stanford.edu
     
   
9. Be familiar with security policies and HIPAA regulations — https://security.stanford.edu
     
   
10. Use Secure: Mail to send High Risk Data from Stanford email.  Add secure: anywhere in the subject line – don't forget to put the colon (:) after "secure" and don't include High Risk Data within the subject itself.
      
    
11. Use Medicine Box for PHI data storage and collaboration — https://med.stanford.edu/box.html
      
    
12. Leaving Stanford? — https://med.stanford.edu/irt/security/security/help/leaving-stanford.html, https://departingpersonnel.stanford.edu

Department Management: Director of Finance and Administration (and/or designee) Responsibilities

Perform periodic monitoring and oversight to ensure faculty and staff roles and responsibilites are performed in compliance with policies and regulations.
 

Penalties for non-compliance:

Violations may result in network removal, access revocation, corrective action, and/or civil or criminal prosecution. Violators may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to campus policies, collective bargaining agreements, codes of conduct, or other instruments governing the individual's relationship with the University. Recourse shall be available under the appropriate section of the employee's personnel policy or contract, or by pursuing applicable legal procedure.

     • Administrative Guide: Information Security

     • Risk Classifications

     • Minimum Security Standards

     • Encryption

     • Third-Party Security Requirements

     • Data Sanitization

     • Regulatory: HIPAA