Help! I Have a Non-Compliance Issue!

What Could Go Wrong?

Questions

  • Have you purchased a new computer or mobile device?
  • If yes, are you retaining the existing device?
  • Is there a computer or mobile device that you're no longer using?

Attestation Issues

  • Have you completed your initial attestation?
  • Have you completed your annual attestation renewal?
  • Is there a mismatch between the number and type of devices on your attestation and the number and type of devices reported on your AMIE page?

Possible Laptop or Desktop Issues

  • It hasn't checked in with BigFix
  • It has checked in but appears to be unencrypted
  • It hasn't checked in for 90 days and has dropped from the system
  • BigFix is reporting in, but to the wrong group, so AMIE doesn't see it
  • Is there an approved exception that has expired?

Possible Mobile Device Issue

  • Has the device been jailbroken or rooted?
  • Is it running an unsupported operating system?
  • Is it no longer encrypted?

My device can't meet the compliance requirements

  • If your device can't be made compliant because it is dedicated to specialized scientific equipment or a teaching system, it may be eligible for a temporary compliance exception.  Submitting the request does not guarantee it will be approved.  If an exception is granted, you need to implement specific security measures to compensate for the additional risk of not meeting the standards.

Information Security Compliance Management

In the School of Medicine, compliance requirements are based on the individual and not on the device.  Requirements are based on your role and the type of data to which you have access, rather than whether there is High Risk Data on a specific device. 

All School of Medicine personnel must complete the AMIE ("AM I Encrypted") Data Security Attestation at least annually. This required survey asks you to identify whether you may work with or might receive High Risk Data, and if yes, to specify all devices you use for any Stanford work (whether or not these device(s) actually contain High Risk Data). Your attestation should be updated any time your affiliation, job or role within the School of Medicine is changed.  Update your AMIE Data and Device Attestation here

Note, there are certain groups of individuals who MUST attest Yes in AMIE due to their role and their eventual access to High Risk Data.  These include:

• Residents/Fellows/GME
• Medical Students
• Students in MS Physician Assistant Studies
• MD/PhD Students
• System administrators or individuals with privileged access to computers with High Risk Data.
• Departmental staff with access to personally identifiable information for students, staff, and faculty

If you will never receive or access High Risk Data on any device, your compliance will be managed by the UIT My Devices system.


School of Medicine Security Requirements Based on Attestation

| Action | If You Attest YES to High Risk Data | If You Attest NO to High Risk Data |
|---|---|---|
| Complete an AMIE Attestation | Required for all SoM personnel | Required for all SoM personnel |
| Encrypt Stanford-owned computers | SWDE is required to verify encryption | SWDE is required to verify encryption |
| Encryption of personally-owned computers | SWDE is required to verify encryption | Either SWDE or VLRE can be used to verify encryption |
| Compliance Management Engine | Your device compliance is managed by SoM AMIE | Your device compliance is managed by UIT My Devices |
| MDM for mobile devices used for Stanford work | MDM is required, even if not used on the Stanford network | MDM is required for devices used on the Stanford network |
| Backup of laptops/desktops | Daily backups are required by minimum security standards. All backups must be encrypted. | Daily backups are required by minimum security standards. All backups must be encrypted. |
| Automatic forwarding of @stanford.edu email | Can auto-forward only to @stanfordmed.org, @stanfordhealthcare.org, @stanfordchildrens.org | May auto-forward email |
| Unsupported operating systems | Must be upgraded, replaced, or have an approved security exception* | Must be upgraded, replaced, or have an approved security exception* |

*A Security Exception can be requested for devices that cannot meet security requirements but are used to control scientific equipment or specialized facilities. Exception requests can be submitted at https://uit.stanford.edu/security/exception-request. Technical controls will be required to continue using these devices.