Minimum Security Standards

These standards are intended to reflect the minimum level of care necessary for Stanford's sensitive data. They do not relieve Stanford or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation or contract. Stanford expects all partners, consultants, and vendors to abide by Stanford's information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Stanford's information security policies.

Endpoints

An endpoint is defined as any laptop, desktop, or mobile device.

  1. Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an endpoint storing Low Risk Data but utilized to access a High Risk application is designated as High Risk.
  2. Follow the minimum security standards in the table below to safeguard your endpoints.
Each entry gives the process, its governing policy where one is named, what to do, and the data classifications (Public, Confidential, RESTRICTED) for which it is required.

Patching (policy: CNRUP)
  University owned: Apply Pepperdine Domain WSUS (Win) and install Device Management to automatically apply security patches and configurations (Win/Mac). Turn on auto-update and verify with browsercheck.pepperdine.edu (iOS/Android).
  Personally purchased: browsercheck.pepperdine.edu is recommended for finding genuine patches (Win/Mac/Mobile).
  Required for: Public, Confidential, RESTRICTED

Whole Disk Encryption (policy: ICPP)
  University owned: Use SafeGuard Enterprise managed FileVault 2 (Mac) or BitLocker (Win). Non-enterprise encryption is prohibited.
  Personally purchased, including mobile: RESTRICTED information is prohibited on personally purchased and mobile devices.
  Required for: RESTRICTED (not required for Public or Confidential)

Backups
  University owned: Enterprise Secure Cloud Backup is required for RESTRICTED data (Win/Mac). Confidential data should be stored on G Suite Team Drive or My Drive as a backup.
  Personally owned:
  Required for: Public, Confidential, RESTRICTED

Inventory
  Review and update NetDB records quarterly. Maximum of one node per NetDB record.
  Required for: Public, Confidential, RESTRICTED

Configuration Management
  Install BigFix and SWDE.
  Required for: RESTRICTED

Regulated Data Security Controls
  Implement PCI DSS, HIPAA, FISMA, or export controls as applicable.
  Required for: RESTRICTED

Servers

A server is defined as a host that provides a network accessible service.

  1. Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, a server running a Low Risk application but storing High Risk Data is designated as High Risk.
  2. Follow the minimum security standards in the table below to safeguard your servers.
Each entry gives the standard, whether it is a recurring task, what to do, and the risk levels (Low, Moderate, High) to which it applies.

Patching (recurring task)
  Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publication and all other security patches within 90 days. Use a supported OS version.
  Applies to: Low, Moderate, High

Vulnerability Management (recurring task)
  Perform a monthly Qualys scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days.
  Applies to: Low, Moderate, High

Inventory (recurring task)
  Review and update NetDB and SUSI records quarterly. Maximum of one node per NetDB record.
  Applies to: Low, Moderate, High

Firewall
  Enable a host-based firewall in default deny mode and permit only the minimum necessary services.
  Applies to: Low, Moderate, High

Credentials and Access Control (recurring task)
  Review existing accounts and privileges quarterly. Enforce password complexity. Logins with SUNet credentials via Kerberos are recommended.
  Applies to: Low, Moderate, High

Two-Step Authentication
  Require Duo two-step authentication for all interactive user and administrator logins.
  Applies to: Moderate, High

Centralized Logging
  Forward logs to a remote log server. The University IT Splunk service is recommended.
  Applies to: Moderate, High

Sysadmin Training (recurring task)
  Attend at least one Stanford Information Security Academy training course annually.
  Applies to: Moderate, High

Malware Protection (recurring task)
  Deploy Cb Protection (formerly Bit9) in high enforcement mode. Review alerts as they are received.
  Applies to: Moderate, High

Intrusion Detection (recurring task)
  Deploy Cb Protection (formerly Bit9) on supported platforms; otherwise use OSSEC or Tripwire. Review alerts as they are received.
  Applies to: Moderate, High

Physical Protection
  Place system hardware in a data center.
  Applies to: Moderate, High

Dedicated Admin Workstation
  Access administrative accounts only through a Privileged Access Workstation (PAW).
  Applies to: High

Security, Privacy, and Legal Review
  Request a Security, Privacy, and Legal review and implement its recommendations prior to deployment.
  Applies to: High

Regulated Data Security Controls
  Implement PCI DSS, HIPAA, FISMA, or export controls as applicable.
  Applies to: High

Applications

An application is defined as software running on a server that is remotely accessible, including mobile applications.

  1. Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an application providing access to Low Risk Data but running on a High Risk server is designated as High Risk.
  2. Follow the minimum security standards in the table below to safeguard your applications.
Each entry gives the standard, whether it is a recurring task, what to do, and the risk levels (Low, Moderate, High) to which it applies.

Patching (recurring task)
  Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publication and all other security patches within 90 days. Use a supported version of the application.
  Applies to: Low, Moderate, High

Vulnerability Management (recurring task)
  Perform a monthly Qualys application scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days.
  Applies to: Low, Moderate, High

Inventory (recurring task)
  Maintain a list of applications with their associated risk classifications and data volume estimates. Review and update the records quarterly.
  Applies to: Low, Moderate, High

Firewall
  Permit only the minimum necessary services through the network firewall.
  Applies to: Low, Moderate, High

Credentials and Access Control (recurring task)
  Review existing accounts and privileges quarterly. Enforce password complexity. Logins with SUNet credentials via WebAuth/SAML are recommended.
  Applies to: Low, Moderate, High

Two-Step Authentication
  Require Duo two-step authentication for all interactive user and administrator logins.
  Applies to: Moderate, High

Centralized Logging
  Forward logs to a remote log server. The University IT Splunk service is recommended.
  Applies to: Moderate, High

Secure Software Development
  Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools is recommended.
  Applies to: Moderate, High

Developer Training (recurring task)
  Attend at least one Stanford Information Security Academy training course annually.
  Applies to: Moderate, High

Backups
  Back up application data at least weekly. Encrypt backup data in transit and at rest.
  Applies to: Moderate, High

Dedicated Admin Workstation
  Access administrative accounts only through a Privileged Access Workstation (PAW).
  Applies to: High

Security, Privacy, and Legal Review
  Request a Security, Privacy, and Legal review and implement its recommendations prior to deployment.
  Applies to: High

Regulated Data Security Controls
  Implement PCI DSS, HIPAA, FISMA, or export controls as applicable.
  Applies to: High
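The Patching and Vulnerability Management entries in the server and application tables above set concrete remediation windows (NVD high severity within seven days of publication, other security patches within 90 days; Qualys severity 4 and 5 within seven days of discovery, severity 3 within 90 days). The following is an added example, not code from this page or from any university tool, that turns those windows into a check a sysadmin can run against a findings export. It assumes the NVD "CRITICAL" label counts as at least high severity, that Qualys severity 1 and 2 findings carry no deadline because the page states none, and that the hosts, identifiers and dates in the sample list are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Remediation windows from the Patching and Vulnerability Management rows.
# Assumption: NVD "CRITICAL" is treated the same as "HIGH" (the page says
# only "high severity"). Qualys severity 1 and 2 get no deadline because the
# standard sets none, so they are reported as "no-sla" rather than invented.
NVD_PATCH_DAYS = {"HIGH": 7, "CRITICAL": 7}
NVD_OTHER_DAYS = 90
QUALYS_DAYS = {5: 7, 4: 7, 3: 90}


@dataclass(frozen=True)
class Finding:
    host: str
    ident: str                 # CVE id (NVD) or QID (Qualys); sample values below are constructed
    source: str                # "nvd" for a patch, "qualys" for a scan finding
    severity: str              # NVD label such as "HIGH"/"MEDIUM", or Qualys level "1".."5"
    start: date                # NVD publication date, or Qualys discovery date
    remediated: Optional[date] = None


def deadline(f: Finding) -> Optional[date]:
    """Date by which the finding must be remediated, or None if the standard sets no window."""
    if f.source == "nvd":
        days = NVD_PATCH_DAYS.get(f.severity.upper(), NVD_OTHER_DAYS)
    elif f.source == "qualys":
        days = QUALYS_DAYS.get(int(f.severity))
        if days is None:
            return None
    else:
        raise ValueError(f"unknown finding source: {f.source!r}")
    return f.start + timedelta(days=days)


def status(f: Finding, today: date) -> str:
    """One of: met, late (fixed after the deadline), open, overdue, no-sla."""
    due = deadline(f)
    if due is None:
        return "no-sla"
    if f.remediated is not None:
        return "met" if f.remediated <= due else "late"
    return "overdue" if today > due else "open"


def report(findings: List[Finding], today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Group (host, ident) pairs by SLA status so the overdue list can be escalated."""
    grouped: Dict[str, List[Tuple[str, str]]] = {}
    for f in findings:
        grouped.setdefault(status(f, today), []).append((f.host, f.ident))
    return grouped


# Constructed sample findings: hosts, identifiers and dates are made up.
TODAY = date(2024, 3, 15)
SAMPLE = [
    Finding("web01", "CVE-SAMPLE-1", "nvd", "HIGH", date(2024, 3, 1)),
    Finding("web01", "CVE-SAMPLE-2", "nvd", "MEDIUM", date(2024, 1, 1)),
    Finding("db01", "CVE-SAMPLE-3", "nvd", "CRITICAL", date(2024, 3, 10), date(2024, 3, 14)),
    Finding("db01", "QID-SAMPLE-1", "qualys", "5", date(2024, 2, 20), date(2024, 3, 5)),
    Finding("app01", "QID-SAMPLE-2", "qualys", "3", date(2023, 12, 1)),
    Finding("app01", "QID-SAMPLE-3", "qualys", "2", date(2024, 3, 1)),
]

if __name__ == "__main__":
    for state, items in sorted(report(SAMPLE, TODAY).items()):
        print(f"{state:8s} {items}")
```

The "late" status is worth keeping separate from "met": a finding that was fixed, but only after its window closed, still counts against the standard when the quarterly review looks back at the period.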

You are encouraged to begin adopting these standards, prioritizing your systems by risk level. As cybersecurity is a rapidly evolving field that continuously presents us with new challenges, these standards will be revised and updated accordingly. In time, these standards will become requirements codified in the Administrative Guide.


Definitions


Computer Equipment

Any Stanford or non-Stanford desktop or portable device or system

Masked Number

(i) A credit card primary account number (PAN) has no more than the first six and the last four digits intact, and

(ii) all other Prohibited or Restricted numbers have only the last four digits intact. See the full PCI DSS 3.1 standard (downloading it requires accepting the PCI Security Standards Council's license terms).
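The Masked Number definition above is the rule a developer has to implement when card numbers or other restricted numbers can reach logs, tickets or screens. The following is an added example and not code from this page: it applies rule (i) to PANs and rule (ii) to other numbers, and also shows a redaction pass over free text. It assumes PANs are 13 to 19 digits (the ISO/IEC 7812 range, not stated on the page), uses a Luhn check to avoid masking digit runs that are not card numbers, treats a US SSN-shaped value purely as an illustrative "other Prohibited or Restricted number", and the sample log line is constructed.

```python
import re

# Constructed sample log line: the card number is the widely used Visa test
# PAN 4111111111111111, the SSN-shaped value is made up, and the 13-digit
# order number fails the Luhn check, so it must be left untouched.
SAMPLE_LINE = "user=alice card=4111 1111 1111 1111 ssn=123-45-6789 order=1234567890123"

# 13 to 19 digits, optionally separated by spaces or dashes. The length range
# is an assumption taken from ISO/IEC 7812, not from the page.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN layout, used only as an illustrative "other" number type; the page
# does not enumerate which other numbers are Prohibited or Restricted.
OTHER_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps 13-19 digit values that are not card numbers from being masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Rule (i): keep at most the first six and the last four digits of a PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_other(number: str) -> str:
    """Rule (ii): any other Prohibited or Restricted number keeps only its last four digits."""
    digits = re.sub(r"\D", "", number)
    if len(digits) <= 4:
        raise ValueError("number too short to mask meaningfully")
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(line: str) -> str:
    """Apply both masking rules to free text, e.g. a log line before it is written."""
    def pan_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        # Only mask runs that pass Luhn; everything else is left as-is.
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    line = OTHER_RE.sub(lambda m: mask_other(m.group(0)), line)
    return PAN_RE.sub(pan_sub, line)


if __name__ == "__main__":
    print(redact(SAMPLE_LINE))
```

Masking is applied after separators are stripped, so "4111 1111 1111 1111" and "4111-1111-1111-1111" produce the same output; the redaction pass keeps the original text for any digit run that fails the Luhn check, which is what prevents order numbers and similar identifiers from being mangled.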

NIST-Approved Encryption

The National Institute of Standards and Technology (NIST) develops and promotes cryptographic standards that enable U.S. Government agencies and others to select cryptographic security functionality for protecting their data. Encryption which meets NIST-approved standards is suitable for use to protect Stanford's data if the encryption keys are properly managed. In particular, secret cryptographic keys must not be stored or transmitted along with the data they protect. Cryptographic keys have the same data classification as the most sensitive data they protect.

Payment Card Industry Data Security Standards

The practices used by the credit card industry to protect cardholder data. The Payment Card Industry Data Security Standards (PCI DSS) comprise an effective and appropriate security program for systems that process, store, or have access to Stanford's Prohibited or Restricted data. The most recent version of the PCI DSS is available from the PCI Security Standards Council.

Protected Health Information (PHI)

All individually identifiable information that relates to the health or health care of an individual and is protected under federal or state law. For questions about whether information is considered to be PHI, contact the University Privacy Office.

Qualified Machine

A computing device located in a secure Stanford facility and with access control protections that meet the Payment Card Industry Data Security Standards.

Student Records

Information required to be maintained as non-public by the Family Educational Rights and Privacy Act (FERPA). Student Records include Stanford-held student transcripts (official and unofficial), and Stanford-held records related to (i) academic advising, (ii) health/disability, (iii) academic probation and/or suspension, (iv) conduct (including disciplinary actions), and (v) directory information maintained by the Office of the Registrar and requested to be kept confidential by the student. Applications for student admission are not considered to be Student Records unless and until the student attends Stanford.

FAQs

General Questions: Privacy Office; Information Security Office

Suspected Information Security Incident: Information Security Office

Report Lost or Stolen Device: Privacy Office