Stanford Data Classification Guidelines
Stanford Requirements
Stanford University is committed to protecting its information resources from accidental or intentional intrusion or damage and is equally committed to preserving and nurturing the open, information-sharing requirements of its academic culture.
Supporting an open, information-sharing environment is driven by the academic mission which requires the ability to share information and ideas and to collaborate on the creation of knowledge. Protecting information assets is driven by a variety of considerations including legal, academic, financial and other business requirements.
Legal
There are laws, both federal (e.g., HIPAA, FERPA) and state (e.g., social security number use, credit card exposure), that affect the level of protection Stanford is required to provide. Stanford also has many contractual relationships around the protection of data which is licensed from other sources.
Academic
Stanford both produces and owns intellectual capital which needs to be protected against premature disclosure or unauthorized tampering.
Financial
There are costs directly related to the protection of information assets. Similarly, there are costs directly related to the control and repair of damage to information resources which have been compromised.
Other Business Requirements
While Stanford, as a part of its fundamental mission, wants to make sure that many information resources are widely available it also wants to keep private things private. Moreover, in addition to the direct costs related to damage control, Stanford's reputation as a world class institution is something that, if damaged, can have both direct and indirect negative effects.
Classification of Assets
Information resources are considered to be assets of the University. They are classified according to the risks associated with the data being stored or processed. Data with the highest risk needs the greatest amount of protection to prevent compromise; data at lower risk can be given proportionately less protection. This approach allows Stanford to apply more appropriate levels of resources to the protection of the assets based upon need.
Three levels of data (or asset) classification have been defined, Restricted is the highest level (requires the highest level of protection); Public is the lowest level defined. This table can be used to determine the appropriate category of any particular data collection.
Data is often kept in collections called databases, tables, files, etc. In the design of most systems, more sensitive data elements of a collection are not usually segregated from less sensitive elements. Therefore, in determining the classification category, it is the most sensitive data element in the collection which determines the classification category of the entire collection.
Need More Information?
Contact the Information Security Office regarding security issues with Stanford computers or network resources.
- security@stanford.edu
- security.stanford.edu
- 650-723-2911