Security Responsibilities for Business and Data Owners
Information Security Office - June, 2007
Introduction
Business and Data Owners are responsible for the information security of the systems under their care and control. System Administrators are responsible for the application of these policies [Admin Guide 63, http://adminguide.stanford.edu/63.pdf].
System maintenance
All devices directly connected to the Stanford network must have their software or firmware kept up to date with patches when security issues arise. This means that devices, operating systems, and applications that are no longer supported by the vendor, and therefore can no longer be patched, may not be directly connected to the Stanford network. If there is a legitimate business need to run a system that can no longer be patched, it must be isolated from the network by a firewall that limits access to and from it, in order to protect the Stanford-wide network from attacks originating from it. Anyone requiring an exception to this rule must file a Risk Acceptance Agreement [http://www.stanford.edu/group/security/securecomputing/SU_Form-RiskAccept-IS.html].
Network Address Translation
Network Address Translation (NAT) devices must log all traffic to an independent device that is accessible in real time by the Stanford ITS Networking group and the Information Security Office. These logs must provide enough information to enable Stanford to respond to legal investigations and subpoenas.

