
STANFORD UNIVERSITY

INTERNAL AUDIT & INSTITUTIONAL COMPLIANCE

  • Stanford Information Security Standards & IT Audit

    Introduction

    This is a collection of relevant information and documents regarding Stanford's Information Security Policies, Standards and Guidelines, and IT Audit information assembled by the University's Internal Audit & Institutional Compliance Department.

    Stanford Policies

    University Management has established security policies and procedures to safeguard essential Stanford services, protect the privacy of students, faculty and staff, and comply with contractual requirements and legislation. Some of the most important of these information security standards can be found in Chapter 6 of the Administrative Guide Memos (AGM). The specific policies are:


    Stanford Data Classification Guidelines

    Stanford University is committed to protecting its information resources from accidental or intentional intrusion or damage and is equally committed to preserving and nurturing the open, information-sharing requirements of its academic culture.

    Supporting an open, information-sharing environment is driven by the academic mission, which requires the ability to share information and ideas and to collaborate on the creation of knowledge. Protecting information assets is driven by a variety of considerations, including legal, academic, financial and other business requirements.

    Information resources are considered to be assets of the University. They are classified according to the risks associated with the data being stored or processed. Data with the highest risk needs the greatest amount of protection to prevent compromise; data at lower risk can be given proportionately less protection. This approach allows Stanford to apply more appropriate levels of resources to the protection of the assets based upon need.

    Three levels of data (or asset) classification have been defined in Administrative Guide Memo #63, Information Security. Restricted is the highest level (requires the highest level of protection); Public is the lowest level defined. This table, the University’s Information Security Data Classification Guidelines, can be used to help determine the appropriate data category.


    Stanford Information Security Reviews and Assessments

    Stanford University has to ensure the protection of the University's information resources from accidental or intentional unauthorized access or damage while also preserving and nurturing the open, information-sharing requirements of its academic culture. The Internal Audit Department, along with the Information Security Office, conducts Information Security Reviews and Assessments of Administrative, Academic and other systems that process, store, or have access to Restricted Data, as part of an information security program. Because of the ever-increasing information security standards (and penalties) imposed by legal, regulatory and sponsor requirements, the University requires an Information Security Assessment of all Administrative and Academic systems that store or process Restricted Data. The Internal Audit Department developed the following Questionnaires as guides to the types of information and documentation requested as part of information security assessments.


    Stanford Information Security and System / Application Development

    Stanford University develops, implements and maintains a vast array of Information Systems to (directly and indirectly) support the University’s Academic Mission of teaching, learning and research. The following collection of documents was compiled to provide the university community with an overview of the practices that make up effective and appropriate application development guidelines, particularly for systems that process, handle or store Restricted Data.

    For Projects to implement or upgrade Administrative or Academic systems that store, process or handle Restricted Data, information security consultations or assessments should be considered at the following stages:

    • Project Planning & Feasibility Study - high-level review of the intended project and objectives; inclusion of information security considerations.
    • Systems Analysis & Requirements Definition - high-level review of defined functions and operations and mappings to user needs.
    • Request for Proposal (RFP) & Vendor Selection* - development of the information security requirements for RFP consideration, and evaluation of the vendors' information security profiles as part of the vendor selection process and assistance in contract negotiations. In the case of an outsourced provider, evaluation of the ASP Information Security Questionnaire.
    • System Design* - review of the information security design of the application and infrastructure, and review of the project plan.
    • Development and Testing* - Pre-implementation IT Controls reviews and evaluation of test plans.
    • Acceptance & Installation* - Pre-implementation Information Security reviews.
    • On-Going Maintenance - Post-Implementation Project Reviews and/or periodic Information Security / IT Audits.

    Internal Audit is experienced in all phases of system implementation projects, in several roles: project managers, analysts, implementers, developers, integrators and auditors. For more information regarding project management, the Project Management Institute focuses on the needs of project management professionals.

    To schedule a review, or for more information, please contact the Internal Audit and Institutional Compliance Department (mail).

    * Prior experiences with successful development/implementation projects involved Internal Audit at these key project stages.


    Stanford Information Security Incident Response

    The purpose of information security incident response is to mitigate the effects caused by such an incident and to protect the information resources of the University from future unauthorized access, use or damage. Stanford recognizes the need to follow established procedures to address situations that may indicate that the security of the University’s information assets has been compromised, and has established University Policies regarding Information Security Incident Response (AGM #67).

    Stanford University Representatives who become aware of an information security incident/emergency should immediately take appropriate action on behalf of the University. In case of a suspected Information Security Incident as described in AGM #67, involving any of the following items*, the University’s Information Security Office (Report an Incident) must be contacted immediately:

    • Social Security Numbers (or other National Identifier Numbers)
    • Credit Card Numbers
    • Bank Account Numbers
    • Driver’s License Numbers

    * PLEASE NOTE: If a compromise of a system containing any of the above items is suspected by an LNA or System Administrator, the University's Incident Response Guidelines require that the administrator NOT perform any diagnostics or attempt to repair the system, in order to preserve the integrity of forensic data. The administrator should disconnect the system from the network and immediately contact the Information Security Office (Report an Incident).


    Stanford Procedures Regarding External Auditors

    Stanford is subject to numerous regulations and contract provisions which convey to government agencies and private sponsors the right to audit the University’s books and inspect our facilities and operations. Stanford is committed to fully complying with its obligations in connection with such audit and inspection rights.

    In general, before any audit or inspection is begun at Stanford by External Agents, they should contact Stanford’s Department of Internal Audit & Institutional Compliance (mail).

    Please follow this link for general information regarding the University Procedures regarding External Auditors.

    Please follow this procedure for External Auditors requesting access to Stanford's network, whether for Internet access or for access to University systems.


    Stanford Policy Exemption and Risk Assumption

    It is imperative that Stanford University Faculty, Staff and Students comply with all University policies, procedures, standards and guidelines. However, there are circumstances in which it is not possible to comply with and/or conform to a University policy, procedure, standard or guideline. In such instances, an exception must be formally documented and approved by appropriate University management.

    Please follow this link for additional information regarding the University’s Policy Exception and Risk Assumption Process.


    Stanford IT Audit Information

    An IT audit is an examination of the controls within the University's Information Technology infrastructure. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. An IT audit is the process of collecting and evaluating evidence about an organization's information systems, practices, and operations. Evaluating the evidence obtained determines whether the organization's information systems safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organization's goals or objectives.

    • Control Objectives for Information and related Technology - (CobiT)
    Internal Audit's IT Audit Team follows the CobiT framework, a set of best practices for IT management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI), first released in 1996. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived from the use of information technology and in developing appropriate IT governance and control in an organization. Its aim is to provide management and business process owners with an information technology (IT) governance model that helps in delivering value from IT and in understanding and managing the risks associated with IT.
    COBIT emphasizes regulatory compliance, helps organizations increase the value attained from IT, and enables alignment of IT with business objectives.

    • Sample IT Audit Workplans
      • Data Center Audit Plan (pdf)  (doc)
      • Project Development Audit Plan (pdf)  (doc)
      • Pre-Implementation Review Session - Agenda (pdf)  (doc)


    Related Documents and References

    Stanford University is committed to protecting its information resources from accidental or intentional intrusion or damage and is equally committed to preserving and nurturing the open, information-sharing requirements of its academic mission of teaching, learning and research. Protecting information assets is driven by a variety of considerations including legal, academic, financial and other business requirements. Here are a few related documents and references regarding information security requirements imposed on the University:



    Other Information

    How to Encrypt Documents
    Information Security Office’s SecureComputing website
    Stanford’s Essential Stanford Software (ESS)




    Last modified
    Wednesday, 30-Apr-2008 10:01:44 PM


     For more information, please contact:
      Eric Nakagawa, an Audit Manager and Information Systems Security Specialist in
    Stanford University's  Internal Audit & Institutional Compliance Department
    (650/736-2247) or eric dot nakagawa at stanford dot edu


