Information Privacy & Security: Quick Reference Guide

Overview

All of us share responsibility for protecting Stanford systems and data from unauthorized access.

See below for a summary of resources, responsibilities, and important contacts: to help you keep track of your data security obligations, and to give you the answers to any questions you may have.

Key Resources

      • University Privacy Office — https://privacy.stanford.edu

      • Information Security Office — https://security.stanford.edu

      • Risk Classifications — https://dataclass.stanford.edu

      • Minimum Security Standards — https://minsec.stanford.edu

      • Verifiable Encryption — https://encrypt.stanford.edu

Roles and Responsibilities

Faculty & Staff Responsibilities

  1. Understand the Low, Moderate, and High Risk Data classifications and perform required attestations - https://dataclass.stanford.edu, https://med.stanford.edu/datasecurity/attestation.html
     
  2. Keep your laptop/desktop software up to date — https://patching.stanford.edu
     
  3. Verifiably encrypt all of your devices used for Stanford business [this includes keeping them locked with a passcode] — https://encrypt.stanford.edu
     
  4. Request a Data Risk Assessment for new systems handling High Risk Data — https://dra.stanford.edu
     
  5. Back up your laptop/desktop — https://irt.stanford.edu/security/backups.html
      
  6. Watch the information security awareness video — https://accounts.stanford.edu/manage
      
  7. Be vigilant for phishing and other social engineering schemes — https://phishing.stanford.edu
      
  8. Report lost or stolen devices to the University Privacy Office — https://privacy.stanford.edu
      
  9. Be familiar with security policies and HIPAA regulations — https://security.stanford.edu
      
  10. Use MedSecureSend to send High Risk Data files, or type “Secure:” in the subject line to send High Risk Data via email — https://irt.stanford.edu/security/mss.html, https://secureemail.stanford.edu
      
  11. Use Medicine Box for PHI data storage and collaboration — https://med.stanford.edu/box.html
      
  12. Leaving Stanford? — https://irt.stanford.edu/security/leaving-stanford.html, https://departingpersonnel.stanford.edu


Department Management: Director of Finance and Administration (and/or designee) Responsibilities

Perform periodic monitoring and oversight to ensure faculty and staff roles and responsibilities are performed in compliance with policies and regulations.
 

Penalties for non-compliance:

Violations may result in network removal, access revocation, corrective action, and/or civil or criminal prosecution. Violators may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to campus policies, collective bargaining agreements, codes of conduct, or other instruments governing the individual's relationship with the University. Recourse shall be available under the appropriate section of the employee's personnel policy or contract, or by pursuing applicable legal procedure.

Policies and Regulations

     • Administrative Guide: Information Security

     • Risk Classifications

     • Minimum Security Standards

     • Encryption

     • Third-Party Security Requirements

     • Data Sanitization

     • Regulatory: HIPAA

Questions? Subject Matter Experts (SME) Contacts

University Information Security Office — https://security.stanford.edu
Chief Information Security Officer, Michael Duffsecurityofficer (at) stanford.edu

University Privacy Office — https://privacy.stanford.edu

Chief Privacy Officer, Wendi Wright —  privacy (at) stanford.edu

SoM Information Resources & Technology (IRT) http://irt.stanford.edu

     

Document History

Created: April 2017
Author: Office of Audit, Compliance, Risk and Privacy, Internal Audit Services — https://acrp.stanford.edu/audit/internal-audit-services

Reviewed by: SME Contacts

Quick Links