Formerly Known As Policy Number: 63
The purpose of this policy is to ensure the protection of Stanford's information resources from accidental or intentional unauthorized access or damage while also preserving and nurturing the open, information-sharing requirements of its academic culture. This Guide Memo states requirements for the protection of Stanford's information assets.
Applicability: This policy is applicable to all University students, faculty and staff and to all others granted use of Stanford University information resources. Every user of any of Stanford's information resources has some responsibility toward the protection of those assets; some offices and individuals have very specific responsibilities. This policy refers to all University information resources whether individually-controlled or shared, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated, or contracted by the University. This includes networking devices, personal digital assistants, telephones, wireless devices, personal computers, workstations, mainframes, minicomputers, and any associated peripherals and software, regardless of whether used for administration, research, teaching or other purposes.
The purpose of information security is to protect the information resources of the University from unauthorized access or damage. The underlying principles followed to achieve that objective are:
The information resources of the University, including the network, the hardware, the software, the facilities, the infrastructure, and any other such resources, are available to support the teaching, learning, research, or administrative roles for which they are designated.
The information used in the pursuit of teaching, learning, research, or administration can be trusted to correctly reflect the reality it represents.
The ability to access or modify information is provided only to authorized users for authorized purposes.
The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic objectives.
The value of information as an institutional resource increases through its appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions to its access.
All University information is classified into one of 4 levels based on sensitivity and risk. These classifications take into account legal protections, contractual agreements, ethical considerations, privacy issues, and strategic or proprietary worth. The classification level determines the security protections and access authorization mechanisms which must be used for the information. Security guidelines can be found in the Stanford Minimum Security Guidelines (https://uit.stanford.edu/guide/securitystandards). The information classifications are as follows:
Information is classified as "Prohibited" if protection of the information is required by law or government regulation, or Stanford is required either to provide notice to the individual if information is inappropriately accessed or to report unauthorized access to the government
Information is classified as "Restricted" if (i) it would otherwise qualify as "Prohibited" but it has been determined by the Data Governance Board (http://dg.stanford.edu) that prohibiting information storage on Computing Equipment would significantly reduce faculty, staff, or student effectiveness when acting in support of Stanford's mission, or (ii) it is listed as Restricted in the Classification of Common Data Elements (http://securecomputing.stanford.edu/dataclass_chart.html).
Information is classified as "Confidential" if (i) it is not considered to be Prohibited or Restricted and is not generally available to the public, or (ii) it is listed as Confidential in the Classification of Common Data Elements (http://securecomputing.stanford.edu/dataclass_chart.html).
All information which does not fall into one of these categories is considered to be "public." Please see the Information Security Office (http://www.stanford.edu/group/security/securecomputing/dataclass_chart.html) for a list of frequently used public information.
The Information Security Officer is responsible for providing interpretation of this and other related policies and disseminating related information.
The University Privacy Officer is responsible for developing and implementing policies and procedures governing the privacy of data that the University is required or elects to protect.
The Data Governance Board is an advisory group charged with oversight of policies and procedures relating to the protection and use of Stanford's non-public information.
System Business and Data Owners are responsible for the application of this and related policies to the systems, data, and other information resources under their care or control.
System Administrators are responsible for the application of this and related policies to the systems, information, and other information resources in their care at the direction of the Business and Data Owners.
System Developers and Integrators are responsible for the application of this and related policies to the systems, information, and other information resources in their care at the direction of the Business and Data Owners.
Every user of Stanford's information resources is responsible for the application of this and related policies to the systems, information, and other information resources which they use, access, transmit or store.
Stanford expects all partners, consultants and vendors to abide by Stanford's information security and privacy policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Stanford's information security and privacy policies.
Violations of this policy include, but are not limited to: accessing information to which the individual has no legitimate right; enabling unauthorized individuals to access information; disclosing information in a way that violates applicable policy, procedure, or other relevant regulations or laws; inappropriately modifying or destroying information; inadequately protecting information; or ignoring the explicit requirements of Data Owners for the proper management, use, and protection of information resources.
Violations may result in network removal, access revocation, corrective action, and/or civil or criminal prosecution. Violators may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to campus policies, collective bargaining agreements, codes of conduct, or other instruments governing the individual's relationship with the University. Recourse shall be available under the appropriate section of the employee's personnel policy or contract, or by pursuing applicable legal procedure.
Information Security Office