
STANFORD UNIVERSITY

INTERNAL AUDIT & INSTITUTIONAL COMPLIANCE

  • Stanford IT Audit and Information Security Standards

    Introduction

    The Information Security & IT Audit team of the Internal Audit & Institutional Compliance Department specializes in the IT and information security control areas of the University, Stanford Hospital & Clinics and Lucile Packard Children's Hospital.
    We have assembled a collection of relevant information and documents regarding Stanford's Information Security Policies, Standards and Guidelines, and IT Audit information.

    Stanford Policies

    University Management has established security policies and procedures to safeguard essential Stanford services, protect the privacy of students, faculty and staff, and comply with contractual requirements and legislation. Some of the most important of these information security standards can be found in Chapter 6 of the Administrative Guide Memos (AGM). The specific policies are:

    The Stanford Hospital & Clinics IT Policies, including Information Security Policies can be found here.

    The IT Policies, including the HIPAA Security Policies for the Lucile Packard Children's Hospital can be found here.


    Stanford Data Classification Guidelines

    Stanford University is committed to protecting its information resources from accidental or intentional intrusion or damage and is equally committed to preserving and nurturing the open, information-sharing requirements of its academic culture.

    Information resources are considered to be assets of the University. Protecting information assets is driven by a variety of considerations including legal, academic, financial and other business requirements. They are classified according to the risks associated with the data being stored or processed. Data with the highest risk needs the greatest amount of protection to prevent compromise; data at lower risk can be given proportionately less protection. This approach allows Stanford to apply more appropriate levels of resources to the protection of the assets based upon need.

    Three levels of data (or asset) classification are defined in Administrative Guide Memo #63, Information Security: Prohibited is the highest level and requires the greatest protection, Restricted is the middle level, and Confidential is the lowest level defined. Data that has not been classified may be treated as Public; contact the University's Information Security Office if in doubt. The University's Information Security Data Classification Guidelines can be used to help determine the appropriate data category.

    Please see the Information Security Office's SecureComputing web site for additional guidelines.


    Stanford IT Audit Information

    An IT audit is an examination of the controls within the Information Technology infrastructure of the University, Stanford Hospital & Clinics and Lucile Packard Children's Hospital. These reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation engagement. An IT audit is the process of collecting and evaluating evidence about an organization's information systems, practices, and operations. Evaluating that evidence establishes whether the organization's information systems safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organization's goals and objectives.

    • Control Objectives for Information and related Technology (COBIT)
    Internal Audit's IT Audit Team follows the COBIT framework, a set of best practices for IT management created by the Information Systems Audit and Control Association (ISACA) and later developed jointly with the IT Governance Institute (ITGI); the first edition was published in 1996. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to help them maximize the benefits derived from information technology and develop appropriate IT governance and control in an organization. Its goal is to give management and business process owners an IT governance model that helps in delivering value from IT and in understanding and managing the risks associated with IT.
    COBIT emphasizes regulatory compliance, helps organizations increase the value obtained from IT, and supports alignment between IT activities and business objectives.

    • Sample IT Audit Workplans
      • Data Center Audit Plan (pdf)  (doc)
      • Project Development Audit Plan (pdf)  (doc)
      • Pre-Implementation Review Session - Agenda (pdf)  (doc)


    Stanford Information Security Audits

    Information Security Reviews are a specialized type of IT Audit to review information security controls which help ensure the protection of the University's information resources from accidental or intentional unauthorized access or damage while also preserving and nurturing the open, information-sharing requirements of its academic culture.

    The Internal Audit & Institutional Compliance Department, together with the Information Security Offices of the University, Stanford Hospital & Clinics and Lucile Packard Children's Hospital, conducts Information Security Reviews and Assessments of Administrative, Academic, Medical and other systems that process, store, or have access to Prohibited or Restricted Data, as part of an information security program. Because the information security standards (and penalties) imposed by legal, regulatory and sponsor requirements keep increasing, the University requires an Information Security Assessment of all Administrative and Academic systems that store or process Prohibited or Restricted Data. The Internal Audit & Institutional Compliance Department developed the following Questionnaires as guides to the types of information and documentation requested as part of information security assessments.


    Stanford System/Application Development

    Stanford University develops, implements and maintains a wide range of Information Systems that directly and indirectly support the University's Academic Mission of teaching, learning and research. The Internal Audit Department is experienced in all phases of system implementation projects. The following collection of documents was compiled to give the university community an overview of the practices that make up effective and appropriate application development guidelines, particularly for systems that process, handle or store Classified Data.

    For Projects to implement or upgrade Administrative or Academic systems that store, process or handle Classified Data, Internal Audit consultations or Information Security assessments should be considered at the following stages:

    • Project Planning & Feasibility Study - high-level review of the intended project and objectives; inclusion of IT controls and information security considerations.
    • Systems Analysis & Requirements Definition* - high-level review of defined functions and operations and mappings to user needs.
    • Request for Proposal (RFP) & Vendor Selection* - development of the information security requirements for RFP consideration, and evaluation of the vendors' information security profiles as part of the vendor selection process and assistance in contract negotiations. In the case of an outsourced provider, evaluation of the ASP Information Security Questionnaire.
    • System Design* - review of the information security design of the application and infrastructure, and review of the project plan.
    • Development and Testing* - Pre-implementation IT Controls reviews and evaluation of test plans.
    • Acceptance & Installation* - Pre-implementation Information Security reviews.
    • On-Going Maintenance - Post-Implementation Project Reviews and/or periodic Information Security / IT Audits.
    Internal Audit staff have taken part in all phases of system implementation projects, in several roles: project managers, analysts, implementers, developers, integrators and auditors. For more information regarding project management, the Project Management Institute focuses on the needs of project management professionals.

    To schedule a review, or more information, please contact the Internal Audit and Institutional Compliance Department (mail).

    * Prior experiences with successful development/implementation projects involved Internal Audit at these key project stages.


    Stanford Information Security Incident Response

    The purpose of information security incident response is to mitigate the effects caused by such an incident and to protect the information resources of the University from future unauthorized access, use or damage.  Stanford recognizes the need to follow established procedures to address situations that may indicate that the security of the University’s information assets may have been compromised, and established University Policies regarding Information Security Incident Response (AGM #67).

    A member of the University community who becomes aware of an information security incident/emergency should immediately take appropriate action on behalf of the University. In case of a suspected Information Security Incident as described in AGM #67, involving any of the following items*, the University’s Information Security Office (security@stanford.edu) must be contacted immediately:

    • Social Security Numbers (or other National Identifier Numbers)
    • Credit Card Numbers
    • Bank Account Numbers
    • Driver’s License Numbers
    • Health Insurance Policy Numbers
    * PLEASE NOTE: If a member of the Stanford community suspects that a system containing any of the above items has been compromised, the University's Incident Response Guidelines require that the local system administrator NOT perform any diagnostics or attempt to repair the system, so that the forensic evidence on it is preserved. The administrator should disconnect the system from the network and immediately contact the Information Security Office (security@stanford.edu).
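    The list above names the data elements whose suspected compromise must be reported to the Information Security Office. A practical first step in deciding whether a system falls under that rule is to check what it actually stores. The script below is an added illustration, not Stanford code or part of AGM #67: it scans text for two of the listed elements, Social Security Numbers and payment card numbers, and suppresses obvious false positives using public structural rules (SSA never issues area 000, 666 or 900-999, group 00 or serial 0000; card numbers carry a Luhn mod-10 check digit). The regular expressions and the sample CSV are assumptions constructed for the example; the card numbers in it are published gateway test numbers, not real accounts.

```python
"""Scan text for candidate SSNs and payment card numbers.

Added example (not Stanford's code): a small discovery helper for locating
two of the data elements whose compromise must be reported to the ISO.
The matching rules are public validation rules, not Stanford policy.
"""
import re
from dataclasses import dataclass

# Assumption: SSNs appear either as ddd-dd-dddd or as 9 contiguous digits.
# Two alternatives with separate groups avoid matching digit runs inside
# space-separated card numbers (a mixed "optional separator" pattern would).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b|\b(\d{3})(\d{2})(\d{4})\b")
# Assumption: card numbers are 13-19 digits, optionally split by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn" or "card"
    value: str     # matched text exactly as it appeared
    line_no: int   # 1-based line number in the scanned text


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued;
    group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per validated SSN or card number, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = [g for g in m.groups() if g is not None]
            if valid_ssn(area, group, serial):
                findings.append(Finding("ssn", m.group(0), line_no))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("card", m.group(0), line_no))
    return findings


# Constructed sample (not real data): gateway test card numbers, one number
# with a broken check digit, and one SSN in an unissued area range.
SAMPLE = """\
name,id,card
alice,123-45-6789,4111 1111 1111 1111
bob,000-12-3456,4111 1111 1111 1112
carol,876543210,5500-0000-0000-0004
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.value}")
```

    On the sample, line 3 produces no findings: the SSN is in the unissued 000 area and the card number fails the Luhn check. Structural checks like these only reduce noise; a hit still needs a human to confirm what the field holds before a system is classified as storing Prohibited data.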

    Please see the Information Security Office's SecureComputing web site for additional information.


    Stanford Procedures Regarding External Auditors

    Stanford is subject to numerous regulations and contract provisions that give government agencies and private sponsors the right to audit the University's books and inspect its facilities and operations. Stanford is committed to complying fully with its obligations in connection with such audit and inspection rights.
    In general, before any audit or inspection by External Agents begins at Stanford, they should contact Stanford's Department of Internal Audit & Institutional Compliance (mail).

    Please follow this link for general information regarding the University Procedures regarding External Auditors.

    Please follow this procedure for External Auditors requesting access to Stanford's network for Internet or access to University systems.


    Stanford Policy Exception and Risk Assumption

    It is imperative that Stanford University Faculty, Staff and Students comply with all University policies, procedures, standards and guidelines. However, there are circumstances that fall outside the ability to comply with and/or conform to a University policy, procedure, standard or guideline. In such instances, an exception must be formally documented and approved by appropriate University management.

    Please follow this link for additional information regarding the University’s Policy Exception and Risk Assumption Process.


    Related Documents and References

    Stanford  University is committed to protecting its information resources from accidental or intentional intrusion or damage and is equally committed to preserving and nurturing the open, information-sharing requirements of its academic mission of teaching, learning and research. Protecting information assets is driven by a variety of considerations including legal, academic, financial and other business requirements. Here are a few related documents and references regarding information security requirements imposed on the University:



    Other Information

    Information Security Office’s SecureComputing website
    Stanford’s Essential Stanford Software (ESS)




    Last modified
    Monday, 11-May-2009 05:19:04 PM


     For more information, please contact:
      Eric Nakagawa, Senior Manager and Information Systems Security Specialist in
    Stanford University's  Internal Audit & Institutional Compliance Department
    (650/736-2247) or eric dot nakagawa at stanford dot edu


