STANFORD UNIVERSITY

SECURE COMPUTING

Data Classification, Access, Transmittal and Storage

Stanford takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty and staff, as well as to protect the confidentiality of information important to the University’s academic and research mission.  For that reason, Stanford has identified three categories of non-public information for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect the information against unauthorized access.   The categories are listed in the table below.

All information which does not fall into one of these categories is considered to be “public”.  Public information includes, but is not limited to, SUNet ID, information available on or through Stanford’s website if accessible without SUNet ID, certain policy and procedure manuals designated by the owner as “public,” campus maps, job postings, certain University contact information not designated by the individual as “private” in StanfordYou, etc.  No encryption or other protection is required for public information; however, care should always be taken to use all University information appropriately. 

If you have questions about the appropriate classification for any information not specifically mentioned below, please contact your manager and/or the University Privacy Officer.

Frequently asked questions regarding handling Prohibited and Restricted Data can be found here.

Stanford expects all partners, consultants and vendors to abide by Stanford’s information security policies.  If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Stanford’s information security policies.

Please contact the University Privacy Officer with any questions about the appropriate classification of information.  Please contact the Chief Information Security Officer with any questions about appropriate protection of information.

NOTE: In case of a suspected Information Security Incident as described in the Information Security Incident Response Policy, AGM #67, involving any of the following items, the University’s Information Security Office ([email protected]) must be contacted immediately:

  • Social Security Numbers
  • Credit Card Numbers
  • Financial Account Numbers
  • Driver’s License Numbers
  • Health Insurance Policy ID Numbers

All new information systems that store or process Prohibited or Restricted Data should be assessed by the Information Security Office.

Definitions

“DGB” is Stanford's Data Governance Board

“Computing Equipment” is any Stanford or non-Stanford desktop or portable device or system. 

A number is “Masked” if:  (i) a credit card primary account number (PAN) has no more than the first 6 and the last 4 digits intact, and (ii) any other Prohibited or Restricted number has only the last 4 digits intact. The entire PCI DSS 2.0 Standard can be viewed after agreeing to its terms of use.
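As an added example (not part of Stanford's page or of any Stanford tool), the following Python implements the “Masked” rule above in both directions: mask_number() reduces a number to the digits the rule allows to remain intact, and is_masked() checks whether a value that is already stored or about to be transmitted satisfies the rule. The mask character, the decision to preserve separators such as hyphens and spaces, and the sample values are all constructed assumptions of this example, not part of the policy.

```python
"""Mask and verify Prohibited/Restricted numbers per the 'Masked' rule:
  - credit card PAN: at most the first 6 and the last 4 digits intact;
  - any other number: only the last 4 digits intact.
"""

# Assumption of this example: masked digits are replaced with 'X' and
# non-digit separators (spaces, hyphens) are left in place.
MASK_CHAR = "X"

# Constructed sample values for illustration only; not real identifiers.
SAMPLES = {
    "pan": "4111 1111 1111 1111",
    "ssn": "123-45-6789",
    "account": "00123456789",
}


def mask_number(value: str, kind: str) -> str:
    """Return `value` with digits masked according to `kind`.

    kind == "pan" keeps the first 6 and last 4 digits; any other kind
    (SSN, financial account, driver's licence, insurance ID) keeps only
    the last 4.  Raises ValueError when nothing would be masked, since a
    value with every digit intact does not satisfy the rule.
    """
    n = sum(1 for c in value if c.isdigit())
    if kind == "pan":
        if n <= 10:
            raise ValueError("PAN too short: all digits would stay intact")
        keep = set(range(6)) | set(range(n - 4, n))
    else:
        if n <= 4:
            raise ValueError("number too short: all digits would stay intact")
        keep = set(range(n - 4, n))

    out = []
    digit_index = 0
    for c in value:
        if c.isdigit():
            out.append(c if digit_index in keep else MASK_CHAR)
            digit_index += 1
        else:
            out.append(c)  # preserve separators (assumption)
    return "".join(out)


def is_masked(value: str, kind: str) -> bool:
    """Check whether `value` already satisfies the Masked rule for `kind`.

    Works on the digit/mask sequence only (separators ignored): there must
    be at least one masked position, no intact digit may survive between
    the first and last masked position, and the intact leading/trailing
    runs must be within the limits the rule allows.
    """
    tokens = [c for c in value if c.isdigit() or c == MASK_CHAR]
    if MASK_CHAR not in tokens:
        return False  # nothing masked at all
    first = tokens.index(MASK_CHAR)
    last = len(tokens) - 1 - tokens[::-1].index(MASK_CHAR)
    if any(c != MASK_CHAR for c in tokens[first:last + 1]):
        return False  # an intact digit survives in the masked middle
    leading = first
    trailing = len(tokens) - 1 - last
    if kind == "pan":
        return leading <= 6 and trailing <= 4
    # Non-PAN numbers may keep only the last 4: no leading digits at all.
    return leading == 0 and trailing <= 4


if __name__ == "__main__":
    for kind, raw in SAMPLES.items():
        masked = mask_number(raw, kind)
        print(f"{kind:8s} {raw!r} -> {masked!r}  compliant={is_masked(masked, kind)}")
```

The asymmetry in is_masked() is the point worth noticing: a value such as “123-XX-6789” leaves the first three digits of an SSN intact and therefore fails, even though the same leading run would be acceptable for a PAN, because only PANs are allowed to keep leading digits under the rule.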

"NIST-Approved Encryption"  The National Institute of Standards and Technology (NIST) develops and promotes cryptographic standards that enable U.S. Government agencies and others to select cryptographic security functionality for protecting their data.  Encryption which meets NIST-approved standards is suitable for use to protect Stanford's data.

"Payment Card Industry Data Security Standards"  Practices used by the credit card industry to protect cardholder data.  The Payment Card Industry Data Security Standards (PCI DSS) comprise an effective and appropriate security program for systems that process, store, or have access to Stanford's Prohibited or Restricted data.  The most recent version of the PCI DSS is available here.

“Protected Health Information”  (PHI) is all individually identifiable information that relates to the health or health care of an individual and is protected under federal or state law.  For questions about whether information is considered to be PHI, contact the University Privacy Officer.

A “Qualified Machine” is a computing device located in a secure facility and with access control protections that meet the Payment Card Industry Data Security Standards located at https://www.pcisecuritystandards.org/security_standards/index.php

“Student Records” are those that are required to be maintained as non-public by the Family Educational Rights and Privacy Act (FERPA).  Student Records include Stanford-held student transcripts (official and unofficial), and Stanford-held records related to (i) academic advising, (ii) health/disability, (iii) academic probation and/or suspension, (iv) conduct (including disciplinary actions), and (v) directory information maintained by the Office of the Registrar and requested to be kept confidential by the student.  Applications for student admission are not considered to be Student Records unless and until the student attends Stanford.

The table below is summarized on this handy front-and-back card. Print it (color is best) two-sided, then cut inside the outer border for your own security chart.


Information Classification Guideline

Prohibited Information: Information is classified as “Prohibited” if protection of the information is required by law/regulation or Stanford is required to self-report to the government and/or provide notice to the individual if information is inappropriately accessed. If a file which would otherwise be considered to be Restricted or Confidential contains any element of Prohibited Information, the entire file is considered to be Prohibited Information.

Restricted Information: Information is classified as “Restricted” if (i) it would otherwise qualify as “Prohibited” but it has been determined by the DGB that prohibiting information storage on Computing Equipment would significantly reduce faculty/staff/student effectiveness when acting in support of Stanford’s mission and/or (ii) it is listed as Restricted in the “Classification of Common Data Elements,” below.

Confidential Information: Information is classified as “Confidential” if (i) it is not considered to be Prohibited or Restricted and is not generally available to the public, or (ii) it is listed as Confidential in the “Classification of Common Data Elements,” below.

Classification of Common Data Elements

Prohibited Information:
  • Social Security Numbers
  • Credit Card Numbers
  • Financial Account Numbers, such as checking or investment account numbers
  • Driver’s License Numbers
  • Health Insurance Policy ID Numbers

Restricted Information:
  • Student Records; provided, however, that Student Records may be treated as “Confidential” when stored or transmitted if (i) a faculty or staff member has concluded that it is necessary to place such unencrypted information on Computing Equipment in order to more effectively complete their work in support of Stanford’s academic or research mission, and (ii) the information will be retained unencrypted on the Computing Equipment for only as long as necessary, but in no event after August 31 of the academic year in which it was placed there without permission of the DGB.
  • Protected Health Information (PHI)
  • Passport and visa numbers
  • Research and other information covered by non-disclosure agreements
  • Export controlled information under U.S. laws

Confidential Information:
  • Faculty/staff employment applications, personnel files, benefits information, salary, birth date, and personal contact information
  • Admission applications; provided that applications will not be retained unencrypted on the Computing Equipment after August 31 of the academic year in which they were placed there.
  • Donor contact information and non-public gift amounts
  • Privileged attorney-client communications
  • Non-public Stanford policies and policy manuals
  • Stanford internal memos and email, and non-public reports, budgets, plans, and financial information
  • Non-public contracts
  • University and employee ID numbers

Access Protocol

Prohibited Information: Access only with permission from the DGB or the VP for Business Affairs.

Restricted Information: Access limited to those permitted under law, regulation and Stanford’s policies, and with a need to know.

Confidential Information: Access limited to those with a need to know.

Transmission

Prohibited Information: NIST-approved encryption is required when transmitting information through a network. Third party email services are not appropriate for transmitting Prohibited information. Prohibited numbers may be Masked instead of encrypted.

Restricted Information: NIST-approved encryption is required when transmitting information through a network. Third party email services are not appropriate for transmitting Restricted information. Restricted numbers may be Masked instead of encrypted.

Confidential Information: NIST-approved encryption is strongly recommended when transmitting information through a network. Third party email services are discouraged for transmitting Confidential information.

Storage

Prohibited Information: Prohibited on Computing Equipment unless approved by the DGB. If DGB approved, NIST-approved encryption is required on Computing Equipment. Prohibited numbers may be Masked instead of encrypted. NIST-approved encryption is also required if the information is not stored on a Qualified Machine.

Restricted Information: NIST-approved encryption is required if information is stored on Computing Equipment. Restricted numbers may be Masked instead of encrypted. NIST-approved encryption is also required if the information is not stored on a Qualified Machine.

Confidential Information: Encryption of Confidential information is strongly recommended. The level of required protection of Confidential information is either pursuant to Stanford policy or at the discretion of the owner or custodian of the information. If the appropriate level of protection is not known, check before storing Confidential information unencrypted.

Use these criteria to determine which data classification is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place that system into that Classification.


Last modified Tue Aug 11 11:23:57 PDT 2009 PK
