Information Security
H&S IT is committed to supporting the initiatives of the Information Security Office (ISO) and working within the H&S community to help protect our research and systems.
Learn more about our initiatives:
Minimum Security Standards
Stanford's security requirements vary with the type of data a system handles. For systems that handle the most sensitive types of data (for example donor information, protected health information, and social security numbers), the requirements are much more stringent than for systems that enable research using public data. Stanford's Data Classification webpage provides guidance and examples on the different types of data. If you have high risk data, the Information Security Office and University Privacy Office can help you determine appropriate controls through their Data Risk Assessment process. The first step is an online pre-screening form, and we recommend that all new systems or data sets go through this pre-screening. Depending on the results of the pre-screening, a follow-up meeting may be required.
Once you know how your data is classified, consult Stanford's separate security standards for endpoints, servers, applications, cloud infrastructure, and cloud platforms and applications; each calls out the specific controls appropriate to that type of system.
The Research Policy Handbook has additional guidance on information security standards for research systems.
Healthy Devices (Secure Endpoints)
University IT recently launched the Healthy Devices initiative. You can read more about the components of the Healthy Devices initiative. All devices that are requested through H&S are set up by the CRC to run securely. This means that they are registered on Stanford's network, are part of Stanford's Endpoint Management framework, get patched automatically, are encrypted, and have anti-malware technology installed. Your devices will therefore be in line with the Healthy Devices initiative.
If you have additional systems for your lab or research group that need to be set up, please contact the CRC to have them set up securely. Additional charges may apply to set up computers not currently covered under the H&S support contract.
Network Scanning & Vulnerability Remediation
Using Qualys, Stanford's Information Security Office scans all Stanford networks monthly to identify information security vulnerabilities. H&S IT works with the CRC and local systems administrators to address any high severity findings through outreach, advice on remediation, and verification that the fixes actually closed the vulnerabilities. If a security vulnerability is discovered on one of your systems, please act quickly to address it: the Information Security Office requires that high severity vulnerabilities be remediated within 7 days of discovery. The most common fixes are patching the system or updating configuration settings. Since October 2018, we have worked with the H&S community to eliminate almost two thirds of the high severity vulnerabilities on H&S servers and storage devices.
If you are interested in running your own scans (to augment those run centrally), please request a Qualys account.
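As an added example (not H&S IT's or Qualys's code), the following script shows how a local systems administrator might track scan findings against the 7-day remediation window described above: it flags open high-severity findings that are past their deadline, checks whether closed findings met the window, and computes the fraction of high-severity findings eliminated. The finding record, the hostnames and issue titles, and the assumption that severities run 1 to 5 with 4 and above counting as "high" are all constructed for illustration and are not Qualys's export format.

```python
"""Track high-severity scan findings against a 7-day remediation deadline.

Added example, not H&S IT or Qualys code. The Finding record below is a
constructed, simplified format, not Qualys's real export.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# The page states the ISO requires high-severity findings fixed within 7 days.
HIGH_SEVERITY_SLA_DAYS = 7
# Assumption: findings carry a 1-5 severity and 4 or higher counts as "high".
HIGH_SEVERITY_MIN = 4


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: int
    discovered: date
    fixed: Optional[date] = None  # None until remediation is verified by a rescan

    @property
    def is_high(self) -> bool:
        return self.severity >= HIGH_SEVERITY_MIN

    @property
    def due(self) -> date:
        return self.discovered + timedelta(days=HIGH_SEVERITY_SLA_DAYS)


def overdue_high(findings: List[Finding], today: date) -> List[Finding]:
    """Open high-severity findings whose deadline has passed, most overdue first."""
    late = [f for f in findings if f.is_high and f.fixed is None and today > f.due]
    return sorted(late, key=lambda f: f.due)


def days_to_fix(f: Finding) -> Optional[int]:
    """Days from discovery to verified fix, or None if the finding is still open."""
    return None if f.fixed is None else (f.fixed - f.discovered).days


def sla_met(f: Finding) -> bool:
    """True only for a closed finding fixed within the remediation window."""
    fixed_in = days_to_fix(f)
    return fixed_in is not None and fixed_in <= HIGH_SEVERITY_SLA_DAYS


def high_severity_reduction(findings: List[Finding]) -> float:
    """Fraction of high-severity findings that have been closed."""
    high = [f for f in findings if f.is_high]
    if not high:
        return 0.0
    return sum(1 for f in high if f.fixed is not None) / len(high)


# Constructed sample findings: hypothetical hosts and issues, not real scan data.
SAMPLE = [
    Finding("lab-nas-01", "Outdated SMB service", 5, date(2019, 3, 1), fixed=date(2019, 3, 4)),
    Finding("lab-srv-02", "Missing OS security patches", 4, date(2019, 3, 1), fixed=date(2019, 3, 12)),
    Finding("lab-srv-03", "Weak TLS configuration", 4, date(2019, 3, 2)),
    Finding("lab-ws-07", "Informational banner disclosure", 1, date(2019, 3, 2)),
]

if __name__ == "__main__":
    today = date(2019, 3, 15)
    for f in overdue_high(SAMPLE, today):
        print(f"OVERDUE {f.host}: {f.title} (due {f.due}, {(today - f.due).days} days late)")
    for f in SAMPLE:
        if f.is_high and f.fixed is not None:
            print(f"{f.host}: fixed in {days_to_fix(f)} days, SLA met: {sla_met(f)}")
    print(f"high-severity findings closed: {high_severity_reduction(SAMPLE):.0%}")
```

Note that `fixed` should only be set once a rescan confirms the issue is gone, matching the verification step described above; a finding that was patched but not rescanned stays open and keeps counting against the deadline.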
Networks for Difficult-to-Secure Devices
Some devices, whether connected to experimental equipment or running an embedded operating system, cannot be patched through normal procedures, or patching them would void vendor support. In some cases, the Information Security Office will grant compliance exceptions for such devices.
H&S IT is working with UIT Networking and the Information Security Office to create dedicated networks for hard-to-secure devices. These networks have tighter firewall rules and monitoring so that risk is minimized and the impact of a compromised computer is limited. As part of this service, we will also ensure that the necessary compliance exceptions are granted. We are currently in testing, but look forward to rolling this service out to H&S labs. If you are interested in this service, please request an IT Consultation.
Firewall Reviews
H&S IT will work with you to review the firewall rules for your department or program, make recommendations about rules to refine or remove, and help you work through the change process with the UIT Networking team. Our goal is to reduce the attack surface (the number of systems, and the number of ports on those systems, exposed to the internet) without impeding research or pedagogy. To get this process started, please request an IT Consultation.
Incident Response
H&S IT works with Stanford's Information Security and Privacy offices to respond to any security incident that takes place in the School of Humanities & Sciences. To report an information security incident (such as a website defacement, a denial of service attack, or a compromised computer or user account), please submit a Service Now ticket to the Information Security Office. In case of a lost or stolen device, use this form to contact the University Privacy Office.