Secure Computing For Technical Professionals
Stanford Guidelines
- Stanford ISO Security Guidelines
- Stanford Data Classification Guidelines
  This web page outlines Stanford's Data Classifications and their underlying rationale.
- Security Responsibilities for Business and Data owners
- Desktop File Encryption--MS EFS (Encrypting File System)
- Disk and Data Destruction
- Mobile Computing Best Practices
- Secure Email Guidelines
- Information Security Risk Assessment Questionnaire
- Preliminary ASP Security Criteria & Questionnaire
Stanford Policies
University senior management has established security policies and procedures to safeguard essential Stanford services, protect the privacy of students, faculty, and staff, and comply with contractual requirements and legislation. Here are some of the most important of these information security standards.
- Stanford Administrative Guide Memo 61 Administrative Computing Systems
  This Guide Memo describes the policy that governs the administrative computing systems at Stanford University and identifies administrative system ownership responsibilities. This policy applies to all computerized systems involved with the creation, updating, processing, outputting, distribution, and other uses of administrative information at Stanford.
- Stanford Administrative Guide Memo 62 Computer and Network Usage Policy
  This policy covers the appropriate use of all information resources including computers, networks, and the information contained therein.
- Stanford Administrative Guide Memo 63 Information Security
  The purpose of this policy is to ensure the protection of Stanford's information resources from accidental or intentional unauthorized access or damage while also preserving and nurturing the open, information-sharing requirements of its academic culture. This Guide Memo states requirements for the protection of Stanford's information assets.
- Stanford Administrative Guide Memo 64 Identification and Authentication Systems
  To ensure the security and integrity of both University data and data belonging to individuals, all owners of Stanford computer systems and networks must develop and implement access control policies.
- Stanford Administrative Guide Memo 84 (was 65) Credit Card Acceptance & Processing
  This policy provides guidelines on the use of electronic commerce at Stanford.
- Stanford Administrative Guide Memo 66 Chat Rooms and other Electronic Forums
  This policy describes the University's position on electronic forums: Unless specifically sponsored by an academic or administrative unit of the University, the University’s role in connection with these forums will be solely as a passive Internet service provider.
- Stanford Administrative Guide Memo 67 Information Security Incident Response
  This Guide Memo describes the procedures to be followed when a computer security incident is discovered to have occurred involving an Administrative Computing System operated by Stanford University and its employees. It outlines the procedures for decision-making regarding emergency actions taken for the protection of Stanford's information resources from accidental or intentional unauthorized access, disclosure or damage.
The Stanford Information Security Office
- Stanford Information Security Office
  This web page describes the roles, responsibilities, and priorities of the Stanford Information Security Office.
Security News
Software and Tools
Additional References
Stanford promotes the use of industry best practices for architecture and deployment of information systems. The Information Security Office has assembled the Stanford ISO Security Guidelines, which outline the essential elements of secure computing at the University. The ISO also recommends the following references, which offer detailed explanations and documentation of information security best practices on the most common Stanford platforms.
- Payment Card Industry Data Security Standard
  This document provides practical advice on securing sensitive information with a focus on credit card data.
- The OWASP Top Ten Most Critical Web Application Security Vulnerabilities
  The OWASP Top Ten identifies the ten most critical classes of web application vulnerabilities today, tells you how to determine if your system is at risk, and presents strategies for correcting exposures.
- The FBI/SANS Top 20 Internet Security Vulnerabilities
  The FBI/SANS Top 20 identifies the most critical vulnerabilities of Internet-connected Windows and Unix systems today, tells you how to determine if your system is at risk, and presents strategies for correcting exposures.
- National Institute of Standards and Technology Computer Security Resource Center
  The NIST CSRC publishes documents covering a broad range of security-related subjects, from cryptographic key management to software patching procedures.
- National Security Agency
  The NSA makes available security configuration guides for network equipment, operating systems, application frameworks, and individual software applications.
- Practical UNIX and Internet Security, Third Edition
  The 2003 edition of the Unix and Internet security classic.
- Bastille
  The Bastille Hardening Program is an assessment and hardening tool for several Linux distributions, HP-UX, and MacOS X.


