Stanford
Information Security Procedures - File Encryption Instructions
There are laws, both Federal (e.g., HIPAA, FERPA) and State (e.g., Social Security Numbers, Credit Card / Bank Account), and contractual obligations (e.g., PCI-DSS - Credit Cards, Research - nonpublic data sets) under which Stanford University may be held liable if personal or confidential information were compromised. Weigh the consequences when you are saving Restricted (personal or confidential) Data. A key question to ask is, "Do I really need to save Restricted Data on my system, and what would happen if an unauthorized person gained control of this?"
The only "guaranteed" way to prevent unauthorized people from viewing confidential data is to encrypt it. The two basic approaches are: 1) to encrypt individual files and/or folders that contain sensitive information, or 2) to encrypt the entire disk or device. If a system with an encrypted data disk is lost or stolen, there is an extremely low probability that the confidential data it contains could ever be viewed by an unauthorized person. Preventing access to Restricted Data via use of encryption can allow Stanford to obtain a "safe harbor status" and comply with applicable State, Federal and International laws.
Caveats:
- Use "good" passwords. For additional information regarding the creation of "good" passwords, please see http://unixdocs.stanford.edu/passwords.html
- All encrypted data can be permanently lost if the encryption key (or password / passphrase) is lost.
How to encrypt certain file types:
Please be aware that these are limited point solutions to encrypt individual files or a small group of files. They are not meant to be University-wide recommendations or solutions. If you transmit an encrypted file to someone else, please do not send the password via the same medium (e.g., if you email an encrypted file to someone, do not also send the password by email).
- Microsoft Excel Spreadsheets (html) (pdf): MS Office version 2002, a.k.a. Office XP, and newer
- Microsoft Word Documents (html) (pdf): MS Office version 2002, a.k.a. Office XP, and newer
- WinZip (ver. 9) Archive Files (html) (pdf): WinZip version 9.0, and newer
- Microsoft Windows Encrypted File System (EFS): MS Windows version 2000 through XP Professional
- Other Document Types - tbd
For additional information regarding encryption, please see ISO's page on Mobile Computing Security.
For more information, please contact: Eric Nakagawa in Stanford University's Internal Audit & Institutional Compliance Department (650/736-2247) or eric dot nakagawa at stanford dot edu.