Skip to main content

Minimum Security Standards

Stanford is committed to protecting the privacy of its students, alumni, faculty, and staff, as well as protecting the confidentiality, integrity, and availability of information important to the university's mission.

These standards are intended to reflect the minimum level of care necessary for Stanford's sensitive data. They do not relieve Stanford or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation, or contract. University schools, departments, or organizations may impose more restrictive requirements. 

Stanford expects all partners, consultants, and vendors to abide by Stanford's information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Stanford's information security policies. 

You are encouraged to begin adopting these standards, prioritizing your systems by risk level. As cybersecurity is a rapidly evolving field that continuously presents us with new challenges, these standards will be revised and updated accordingly.

Special note to Stanford researchers: See Research Policy Handbook Section 1.10 for information security practices and guidelines specific to research computing systems.

An endpoint is defined as any laptop, desktop, or mobile device.

  1. Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an endpoint storing Low Risk Data but utilized to access a High Risk application is designated as High Risk.
  2. Follow the minimum security standards in the table below to safeguard your endpoints.
StandardRecurring TaskWhat to doLow RiskModerate RiskHigh Risk
PatchingRecurring TaskApply security patches within seven days of publish. BigFix is recommended. Use a supported OS version.Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Whole Disk Encryption Enable FileVault2 for Mac, BitLocker for Windows. SDR is recommended. Install MDM on mobile devices.Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Malware Protection Install antivirus (Recommended: CrowdStrike or Microsoft Defender for Windows, Crowdstrike for Mac).Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Backups Back up user data at least daily. University IT CrashPlan is recommended (option to set personal password). Encrypt backup data in transit and at rest.Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
InventoryRecurring TaskReview and update NetDB records quarterly. Maximum of one node per NetDB record.Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Configuration Management Install BigFix  ,  Jamf and SDR.  Required for High Risk Data
Regulated Data Security Controls Implement PCI DSS, HIPAA, or export controls as applicable.  Required for High Risk Data

A server is defined as a host that provides a network accessible service.

  1. Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, a server running a Low Risk application but storing High Risk Data is designated as High Risk.
  2. Follow the minimum security standards in the table below to safeguard your servers.
StandardRecurring TaskWhat to doLow RiskModerate RiskHigh Risk
PatchingRecurring TaskBased on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 90 days. Use a supported OS version.Required for low risk serversRequired for moderate risk serversRequired for high risk servers
Vulnerability ManagementRecurring TaskPerform a monthly Qualys scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days.Required for low risk serversRequired for moderate risk serversRequired for high risk servers
InventoryRecurring TaskReview and update NetDB, SUSI, and  department/MinSec inventory records quarterly. Maximum of one node per NetDB record.Required for low risk serversRequired for moderate risk serversRequired for high risk servers
Firewall Enable host-based firewall in default deny mode and permit the minimum necessary services.Required for low risk serversRequired for moderate risk serversRequired for high risk servers
Credentials and Access ControlRecurring TaskReview existing accounts and privileges quarterly. Enforce password complexity. Logins with SUNet credentials via Kerberos recommended.Required for low risk serversRequired for moderate risk serversRequired for high risk servers
Two-Step Authentication Require Duo two-step authentication for all user and administrator logins. Required for moderate risk serversRequired for high risk servers
Centralized Logging Forward logs to a remote log server. University IT Splunk service recommended. Required for moderate risk serversRequired for high risk servers
Sysadmin TrainingRecurring TaskAttend at least one Stanford Information Security Academy training course annually. Required for moderate risk serversRequired for high risk servers
Malware ProtectionRecurring TaskDeploy Crowdstrike. Review alerts as they are received. Required for moderate risk serversRequired for high risk servers
Intrusion DetectionRecurring TaskDeploy  OSSEC or Tripwire. Review alerts as they are received. Required for moderate risk serversRequired for high risk servers
Physical Protection Place system hardware in a data center. Required for moderate risk serversRequired for high risk servers
Secure Admin Workstation Access administrative accounts only through a Privileged Access Workstation (PAW) or Cardinal Protect workstation. A PAW is required for ring0 access.  Required for high risk servers
Security, Privacy, and Legal Review Follow the Data Risk Assessment process and implement recommendations prior to deployment.  Required for high risk servers
Regulated Data Security Controls Implement PCI DSS, HIPAA, or export controls as applicable.  Required for high risk servers

An application is defined as software running on a server that is remotely accessible, including mobile applications.

  1. Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an application providing access to Low Risk Data but running on a High Risk server is designated as High Risk.
  2. Follow the minimum security standards in the table below to safeguard your applications.
StandardRecurring TaskWhat to doLow RiskModerate RiskHigh Risk
PatchingRecurring TaskBased on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 90 days. Use a supported version of the application.Required for low risk applicationsRequired for moderate risk applicationsRequired for high risk applications
Vulnerability ManagementRecurring TaskPerform a monthly Qualys application scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days.Required for low risk applicationsRequired for moderate risk applicationsRequired for high risk applications
InventoryRecurring TaskReview and update department/MinSec Application inventory records quarterly. Must indicate associated risk classification and data volume estimates.Required for low risk applicationsRequired for moderate risk applicationsRequired for high risk applications
Firewall Permit the minimum necessary services through the network firewall.Required for low risk applicationsRequired for moderate risk applicationsRequired for high risk applications
Credentials and Access ControlRecurring TaskReview existing accounts and privileges quarterly. Enforce password complexity. Logins with SUNet credentials via WebAuth/SAML recommended.Required for low risk applicationsRequired for moderate risk applicationsRequired for high risk applications
Two-Step Authentication Require Duo two-step authentication for all user and administrator logins. Required for moderate risk applicationsRequired for high risk applications
Centralized Logging Forward logs to a remote log server. University IT Splunk service recommended. Required for moderate risk applicationsRequired for high risk applications
Secure Software Development Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended. Required for moderate risk applicationsRequired for high risk applications
Developer TrainingRecurring TaskAttend at least one Stanford Information Security Academy training course annually. Required for moderate risk applicationsRequired for high risk applications
Backups Back up application data at least weekly. Encrypt backup data in transit and at rest. Required for moderate risk applicationsRequired for high risk applications
Secure Admin Workstation Access administrative accounts only via a Privileged Access Workstation (PAW) or Cardinal Protect workstation. A PAW is required for ring0 access.  Required for high risk applications
Security, Privacy, and Legal Review Follow the Data Risk Assessment process and implement recommendations prior to deployment.  Required for high risk applications
Regulated Data Security Controls Implement PCI DSS, HIPAA, FISMA, or export controls as applicable.  Required for high risk applications

Computing Equipment

Any Stanford or non-Stanford desktop or portable device or system

Masked number

(i) A credit card primary account number (PAN) has no more than the first six and the last four digits intact, and (ii) all other Prohibited or Restricted numbers have only the last four intact. See the entire PCI DSS 4.0 Standard (if you are willing to agree to some terms).

Minimum Privacy Standards (MinPriv)

The Minimum Privacy Standards are intended to reflect best practices for the collection, processing, transfer, deletion and other use of personal data at Stanford.

NIST-Approved Encryption

The National Institute of Standards and Technology (NIST) develops and promotes cryptographic standards that enable U.S. Government agencies and others to select cryptographic security functionality for protecting their data. Encryption which meets NIST-approved standards is suitable for use to protect Stanford's data if the encryption keys are properly managed. In particular, secret cryptographic keys must not be stored or transmitted along with the data they protect. Cryptographic keys have the same data classification as the most sensitive data they protect.

Payment Card Industry Data Security Standards

The practices used by the credit card industry to protect cardholder data. The Payment Card Industry Data Security Standards (PCI DSS) comprise an effective and appropriate security program for systems that process, store, or have access to Stanford's Prohibited or Restricted data. The most recent version of the PCI DSS is available here.

Protected Health Information (PHI)

All individually identifiable information that relates to the health or health care of an individual and is protected under federal or state law. For questions about whether information is considered to be PHI, contact the University Privacy Office.

Qualified Machine

A computing device located in a secure Stanford facility and with access control protections that meet the Payment Card Industry Data Security Standards.

Student Records

Information required to be maintained as non-public by the Family Educational Rights and Privacy Act (FERPA). Student Records include Stanford-held student transcripts (official and unofficial), and Stanford-held records related to (i) academic advising, (ii) health/disability, (iii) academic probation and/or suspension, (iv) conduct (including disciplinary actions), and (v) directory information maintained by the Office of the Registrar and requested to be kept confidential by the student. Applications for student admission are not considered to be Student Records unless and until the student attends Stanford.

General Questions

Unit / WebsiteHelp
Privacy OfficeSubmit help request
Information Security OfficeSubmit help request

Suspected Information Security Incident

Unit / WebsiteHelp
Information Security OfficeSubmit help ticket

Report Lost or Stolen Device

Unit / WebsiteHelp
Privacy OfficeSubmit report

Back to top

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy