Stanford Information Security Standards & IT Audit
Introduction
This is a collection of relevant information and documents regarding Stanford's Information Security Policies, Standards and Guidelines, and IT Audit information, assembled by the University's Internal Audit & Institutional Compliance Department.
Stanford Policies
University Management has established security policies and procedures to safeguard essential Stanford services, protect the privacy of students, faculty and staff, and comply with contractual requirements and legislation. Some of the most important of these information security standards can be found in Chapter 6 of the Administrative Guide Memos (AGM). The specific policies are:
- AGM #61 – Administrative Computing Systems
- AGM #62 – Computer and Network Usage
- AGM #63 – Information Security
- AGM #64 – Identification and Authentication Systems
- AGM #65 – Electronic Commerce
- AGM #66 – Chat Rooms and Other Forums
- AGM #67 – Information Security Incident Response
Stanford Data Classification Guidelines
Stanford University is committed to protecting its information resources from accidental or intentional intrusion or damage and is equally committed to preserving and nurturing the open, information-sharing requirements of its academic culture.
Supporting an open, information-sharing environment is driven by the academic mission, which requires the ability to share information and ideas and to collaborate on the creation of knowledge. Protecting information assets is driven by a variety of considerations including legal, academic, financial and other business requirements.
Information resources are considered to be assets of the University. They are classified according to the risks associated with the data being stored or processed. Data with the highest risk needs the greatest amount of protection to prevent compromise; data at lower risk can be given proportionately less protection. This approach allows Stanford to apply more appropriate levels of resources to the protection of the assets based upon need.
Three levels of data (or asset) classification have been defined in Administrative Guide Memo #63, Information Security. Restricted is the highest level (requires the highest level of protection); Public is the lowest level defined. This table, the University’s Information Security Data Classification Guidelines, can be used to help determine the appropriate data category.
Stanford Information Security Reviews and Assessments
Stanford University has to ensure the protection of the University's information resources from accidental or intentional unauthorized access or damage while also preserving and nurturing the open, information-sharing requirements of its academic culture. The Internal Audit Department, along with the Information Security Office, conducts Information Security Reviews and Assessments of Administrative, Academic and other systems that process, store, or have access to Restricted Data, as part of an information security program. Due to the ever-increasing information security standards (and penalties) imposed by legal, regulatory and sponsor requirements, the University requires an Information Security Assessment of all Administrative and Academic systems that store or process Restricted Data. The Internal Audit Department developed the following questionnaires as guides to the types of information/documentation requested as part of information security assessments:
- ASP (Application Service Providers) Preliminary Information Security Questionnaire (pdf)
- Stanford Information Security Review / Assessment Questionnaire
- Sample Information Security Assessment Agenda
Stanford Information Security and System / Application Development
Stanford University develops, implements and maintains a vast number of Information Systems to (directly and indirectly) support the University's Academic Mission of teaching, learning and research. The following collection of documents was compiled to provide the university community with an overview of the practices that comprise effective and appropriate application development guidelines, particularly for systems that process, handle or store Restricted Data.
- Stanford Information Security Office Guidelines for Administrative Systems
- Data Security Requirements for Different Environments in the System Development Lifecycle (SDLC)
- Administrative Systems’ Information Security Guidelines and Standards
- University Guidelines for Outsourced Solutions
- Outsourced System Development Technical Standards & Guidelines (Detailed)
- Internal Audit Report on Data Privacy Issues of Application Development Environments (pdf)
- Open Web Application Security Project (OWASP) Top Ten Most Critical Web Application Security Flaws (Top10)
- Project Planning & Feasibility Study - high-level review of the intended project and objectives; inclusion of information security considerations.
- Systems Analysis & Requirements Definition - high-level review of defined functions and operations and mappings to user needs.
- Request for Proposal (RFP) & Vendor Selection* - development of the information security requirements for RFP consideration, and evaluation of the vendors' information security profiles as part of the vendor selection process and assistance in contract negotiations. In the case of an outsourced provider, evaluation of the ASP Information Security Questionnaire.
- System Design* - review of the information security design of the application and infrastructure, and review of the project plan.
- Development and Testing* - Pre-implementation IT Controls reviews and evaluation of test plans.
- Acceptance & Installation* - Pre-implementation Information Security reviews.
- On-Going Maintenance - Post-Implementation Project Reviews and/or periodic Information Security / IT Audits.
To schedule a review, or more information, please contact the Internal Audit and Institutional Compliance Department (mail).
* Prior experiences with successful development/implementation projects involved Internal Audit at these key project stages.
Stanford Information Security Incident Response
The purpose of information security incident response is to mitigate the effects caused by such an incident and to protect the information resources of the University from future unauthorized access, use or damage. Stanford recognizes the need to follow established procedures to address situations that may indicate that the security of the University's information assets may have been compromised, and has established University Policies regarding Information Security Incident Response (AGM #67).
Stanford University Representatives who become aware of an information security incident/emergency should immediately take appropriate action on behalf of the University. In case of a suspected Information Security Incident as described in AGM #67 involving any of the following items*, the University's Information Security Office (Report an Incident) must be contacted immediately:
- Social Security Numbers (or other National Identifier Numbers)
- Credit Card Numbers
- Bank Account Numbers
- Driver’s License Numbers
Stanford Procedures Regarding External Auditors
Stanford is subject to numerous regulations and contract provisions which convey to government agencies and private sponsors the right to audit the University's books and inspect our facilities and operations. Stanford is committed to complying fully with its obligations in connection with such audit and inspection rights.
In general, before any audit or inspection is begun at Stanford by External Agents, they should contact Stanford's Department of Internal Audit & Institutional Compliance (mail).
Please follow this link for general information regarding the University Procedures regarding External Auditors.
Please follow this procedure for External Auditors requesting access to Stanford's network for Internet or access to University systems.
Stanford Policy Exemption and Risk Assumption
It is imperative that Stanford University Faculty, Staff and Students comply with all University policies, procedures, standards and guidelines. However, there are circumstances that fall outside the ability to comply with and/or conform to a University policy, procedure, standard or guideline. In such instances, an exception must be formally documented and approved by appropriate University management.
Please follow this link for additional information regarding the University's Policy Exception and Risk Assumption Process.
Stanford IT Audit Information
An IT audit is an examination of the controls within the University's Information Technology infrastructure. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. Evaluating the evidence obtained can determine whether the organization's information systems safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organization's goals or objectives.
- Control Objectives for Information and related Technology (COBIT)
COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.
- Sample IT Audit Workplans
Related Documents and References
Stanford University is committed to protecting its information resources from accidental or intentional intrusion or damage and is equally committed to preserving and nurturing the open, information-sharing requirements of its academic mission of teaching, learning and research. Protecting information assets is driven by a variety of considerations including legal, academic, financial and other business requirements. Here are a few related documents and references regarding information security requirements imposed on the University:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Family Educational Rights and Privacy Act of 1974 (FERPA)
- Graham-Leach-Bliley Act of 1999 (GLBA)
- California Civil Code 1798.82-85 (aka SB-1386)
- Payment Card Industry Data Security Standards (PCI-DSS_v1.1)
- http://ecommerce.stanford.edu/
- https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
- PCI Self-Assessment Questionnaire
- Digital Millennium Copyright Act of 1998 (DMCA)
- http://lcweb.loc.gov/copyright/legislation/dmca.pdf
- Residential Computing Overview of DMCA (http://rescomp.stanford.edu/info/dmca/)
- Other Software Licensing and Copyright issues
- Stanford Report Article (11/29/06)
Other Information
How to Encrypt Documents
Information Security Office's SecureComputing website
Stanford’s Essential Stanford Software (ESS)
Last modified: Wednesday, 30-Apr-2008 10:01:44 PM
Stanford (650/736-2247) or eric dot nakagawa at stanford dot edu