Security Assessments

All servers on campus must meet School of Medicine minimum security standards. You will need to make sure that you're following Stanford policies about keeping the data properly secured; the requirements vary based on the risk of the data. 

System administrators/owners are responsible for ensuring their servers meet these standards. You may also choose to have your server moved to a data center and managed by TDS to ensure standards are being met. Read the information below to determine whether your server is secure in its current location, and whether IRT Information Security Services should help you move the server into the data center.

All servers at the School of Medicine must also be entered into SUSI (Stanford University System Inventory). SUSI keeps track of all the servers on campus, automatically verifying many minimum security standards and identifying possible compliance issues.

There are three levels of classification for Stanford data: High Risk, Moderate Risk, and Low Risk.

If you are running a server that stores any information that is defined as High Risk, such as:

  • Social Security Numbers
  • Credit Card Numbers
  • Financial Account Numbers, such as checking or investment account numbers
  • Driver’s License Numbers
  • Health Insurance Policy ID Numbers
  • Health Information and other PHI

you must have permission from the Information Security Office (ISO) and the University Privacy Office (UPO) to be storing it on your computer. If you are storing any information that is High Risk, Moderate Risk, or Low Risk, you must encrypt the computer it is stored on, and you must follow Stanford's security procedures. (See this handy chart of the minimum security requirements for servers.)

To find out whether your current server is adequately secured, or to obtain permission for handling High Risk data for a new project, you should go through Stanford Secure Computing's Data Risk Assessment questionnaire. Keeping a server properly secured on your own can be difficult, and it may well be to your advantage to have it hosted in IRT's secure data center.

IRT Server Hosting

If you've determined that your server should be located in the data center, contact IRT Security. Someone will arrange a time to sit down with you, go through a security questionnaire and assessment, and help you with the server move. For more information about IRT's hosting and system administration requirements and services, visit the IRT server management page.