Help! I Have a Non-Compliance Issue!

What Could Go Wrong?

Questions

  • Have you purchased a new computer or mobile device?
  • If yes, are you retaining the existing device?
  • Is there a computer or mobile device that you're no longer using?

Attestation Issues

  • Have you completed your initial attestation?
  • Have you completed your annual attestation renewal?
  • Is there a mismatch between the number and type of devices on your attestation and the number and type of devices reported on your AMIE page?

Possible Laptop or Desktop Issues

  • It hasn't checked in with BigFix
  • It has checked in but appears to be unencrypted
  • It hasn't checked in for 90 days and has dropped from the system
  • BigFix is reporting in, but to the wrong group, so AMIE doesn't see it
  • Is there an approved exception that has expired?

Possible Mobile Device Issues

  • Has the device been jailbroken or rooted?
  • Is it running an unsupported operating system?
  • Is it no longer encrypted?

My device can't meet the compliance requirements

  • If your device can't be made compliant because it is dedicated to specialized scientific equipment or a teaching system, it may be eligible for a temporary compliance exception.  Submitting the request does not guarantee it will be approved.  If an exception is granted, you may need to implement specific security measures to compensate for the additional risk of not meeting the standards.

Information Security Compliance Management

There are two flavors of information security compliance management for School of Medicine personnel. In SoM, compliance requirements are based on the individual and not on the device. Your requirements are based on your role and the type of data to which you have access, rather than whether or not there is High Risk Data on a specific device. If you will never receive or access High Risk Data on any device, your compliance will be managed by a UIT system.

First, to report on access to High Risk Data, all School of Medicine personnel must complete a Data Security Attestation at least annually. This required survey asks you to identify whether or not you may work with or might receive High Risk Data, and to specify all devices you use for any Stanford work (whether or not the device(s) actually use High Risk Data). Your attestation should be updated any time your affiliation, job or role within the School of Medicine changes. Update your AMIE Data and Device Attestation here


School of Medicine Security Requirements Based on Attestation

| Action | Attest Yes to High Risk Data | Attest No to High Risk Data |
|---|---|---|
| AMIE Attestation | Required for all SoM personnel | Required for all SoM personnel |
| Encryption of Stanford-owned computers | SWDE is required to verify | SWDE is required to verify |
| Encryption of Personally-owned computers | SWDE is required to verify | Either SWDE or VLRE can be used to verify encryption |
| Compliance Management Engine | SoM AMIE | UIT My Devices |
| MDM for mobile devices | MDM is required, even if not used on the Stanford network | MDM is required for devices used on the Stanford network |
| Backup of laptops/desktops | Daily backups are required. All backups must be encrypted. | Daily backups are required. All backups must be encrypted. |
| Automatic forwarding of @stanford.edu email | Must not auto-forward to anything other than @stanfordmed.org, @stanfordhealthcare.org, @stanfordchildrens.org | May auto-forward email |
| Unsupported operating systems | Must be upgraded, replaced, or have an approved security exception* | Must be upgraded, replaced, or have an approved security exception* |

*A Security Exception can be requested for devices that cannot meet security requirements but are used to control scientific equipment or specialized facilities. Exceptions can be submitted at https://uit.stanford.edu/security/exception-request