This guide memo establishes a policy on privacy in Electronic Information and the circumstances under which Electronic Information may be accessed and/or disclosed without User Consent.
a. Purposes of Policy
Establish a policy on privacy in Electronic Information and the circumstances under which Electronic Information may be accessed and/or disclosed without User Consent.
This policy applies to:
Definitions of terms used in this policy are provided, below, in Section 2.
This policy does not apply to routine use of Electronic Information by those who send and receive Electronic Information in the expectation that the Electronic Information will be used by intended recipients and others in the normal course of their duties. Additionally, a User who holds records for the University may not deny Access to those records to others within the University with a need for those records to conduct University business. Rather, this policy applies to Access to Electronic Information by University officials and others who would not routinely use the Electronic Information but would do so in order to fulfill special conditions of University business, or to respond to legal demands from outside the University, as described in Section 4, Access Without User Consent, below.
Communication among members of the Stanford University community is essential for all University operations, teaching, and research. This communication can take many forms, including through the use of University IT Resources. Stanford University encourages the use of University IT Resources to share information and knowledge in support of the University's mission of education, research, and public service, and to conduct the University's business. To this end, the University provides and supports a broad array of electronic communications services and facilities.
Because the University provides IT Resources to facilitate electronic communication and data storage, the University could Access Electronic Information, and the scope and ease of this Access likely surpass that which the University has to non-electronic data, cell phone calls, or other personal conversations among its faculty, staff, and students.
This policy therefore sets out guidelines and processes that apply when the University seeks Access to Electronic Information. Our goal is to act in accordance with the University’s legal and ethical obligations, while also seeking to maintain an environment in which free academic inquiry thrives. This policy, along with federal, state, local and, in some circumstances, foreign laws, provides the rules and procedures under which the University may Access and disclose electronic information.
Accordingly, the policy is grounded on seven important principles:
i. Access should occur only for a legitimate purpose;
ii. Access should be authorized by one or more appropriate and accountable people;
iii. Except as described herein, when the University is subject to a legal process to release a User’s Electronic Information to a third-party outside of the University, it should give Notice to the User before releasing the requested information;
iv. Except as described herein, the University should obtain User Consent before a User’s Electronic Information is Accessed;
v. Access should be limited to the minimum Electronic Information necessary to accomplish the purpose, and the University should take reasonable steps to avoid Access to information on private machines that it has no reason to believe is University information;
vi. Sufficient records should be kept to enable appropriate review of compliance with this policy; and
vii. The process for access should be transparent and reviewable by the Steering Committee of the Faculty Senate as described in 5.e. (Transparency and Access Records).
In general, the University does not Access or disclose Electronic Information without User Consent. The University may Access or disclose Electronic Information without User Consent only under the limited circumstances described in this policy. Moreover, before releasing a User’s Electronic Information pursuant to legal process, the University will make reasonable efforts to give notice of the third party request.
The following definitions apply to this policy. Knowledge of these definitions is important to understanding this policy.
Access: Review, use, or disclosure of Content or Activity Data that is beyond the incidental contact with Electronic Information in the course of providing University IT systems. For the avoidance of doubt, mere preservation of Electronic Information is not considered Access until review or disclosure occurs.
Authorizing Official: The Authorizing Officials include the President, Provost, Vice President of Business Affairs, General Counsel, Vice Provost of Student Affairs, Senior Associate Vice President for Audit, Compliance, Risk and Privacy, and the Chief Privacy Officer, as appropriate depending on the rationale for Accessing Electronic Information. Each of these Authorizing Officials may designate a deputy to authorize access for circumstances in which the identified officer is unavailable. Additionally, the Chief Information Security Officer is an Authorizing Official for System Protection, Maintenance, and Management.
Electronic Information: Electronic Information consists of both of the following types of information:
Compelling Circumstances: Circumstances in which obtaining User Consent could result in bodily harm to humans or animals, significant property loss or damage, or destruction of evidence.
Emergency Circumstances: Circumstances in which time is of the essence and the University needs to act immediately to protect against bodily harm to humans or animals, or significant property loss or damage.
Notice of Third Party Request: With regard to circumstances in which an outside party is seeking Electronic Information of a User through any legal process, such as a court order, subpoena, warrant, government investigation, or civil litigation demand involving the University, notification to the User of the request prior to release of the requested Electronic Information and as further described in section E.5., Transparency and Access Records, below.
University Investigation: An allegation, which in the judgment of the General Counsel or Associate Vice President of Audit, Compliance & Privacy, requires investigation of a potential violation of law or a University policy listed in Appendix A, Policies Relating to Access Without Consent. University Investigation also includes an audit conducted at the direction of Audit, Compliance, Risk & Privacy to ensure ongoing University compliance in the areas subject to Appendix A.
University IT Resources: All computer and communication devices, services, networks and other technologies that access, store or transmit personal or University information and that are owned, provided, or administered by or through the University, regardless of whether they are owned or controlled by the University or by an external electronic service provider with which the University contracts.
User: Any person or entity who:
User Consent: Following a description of the purpose and the extent of a request for Access to Electronic Information, express consent to Access, use, and/or disclose Electronic Information by one or more Users:
The University recognizes that academic freedom, shared governance, and freedom of speech require personal privacy. This policy seeks to ensure these firmly-held principles within the context of compliance with the University’s legal and other obligations. The University respects the privacy of Electronic Information in the same way that it respects the privacy of paper correspondence and telephone conversations. Simultaneously, the University seeks to ensure that University administrative records are accessible for the conduct of the University's business and seeks to meet its obligations to justify the use of private and public funds, investigate allegations of research misconduct or violation of standards of authorship, conduct fact-finding and remediation for suspected violations of the ethics and law of research using humans and animals, and inquire into and resolve allegations of noncompliance or of misconduct, such as discrimination, harassment, theft, extortion, blackmail, or acts or threats of violence.
b. Information Available to the University
As an Internet service provider, an electronic communications service provider, a back-up provider, a storage provider, and more, the University is capable of accessing Electronic Information generated by User interaction with these services. Even when using personally owned devices, user interactions with University IT Resources generate Activity Data that can often be attributed to an individual while also identifying that person’s physical location to varying degrees of precision. Users should be aware that the University has or could have Access to many categories of information, including but not limited to those described in Appendix B.
All Users might be involved in circumstances over the course of their time at Stanford in which Electronic Information could legitimately be accessed by the University under Section 4, Access Without User Consent, below. Therefore, the University advises all Users who use University resources for personal matters that the University might Access Electronic Information pertaining to such matters under this policy. Accordingly, the best protection Users have to keep the University from Accessing private personal matters is to keep such matters off of University resources. To the extent Users wish to keep private from the University such personal matters, the Users should consider using non-University resources for such matters.
Even under circumstances in which the University may legitimately Access Electronic Information under this policy, it will not disclose such Accessed Electronic Information to third-parties absent Notice of a Third Party Request and/or User Consent, unless (a) required to do so by law or legal process; (b) to protect life or property; or (c) to report a crime relating to or indicated by the Electronic Information.
c. Privacy Obligations of University Employees and Agents
This policy prohibits University employees and their agents from Accessing Electronic Information except in accordance with this policy. University employees shall take necessary precautions to protect the confidentiality of personal information encountered either in the performance of their duties or otherwise. University contracts with outside vendors that will have access to personally identifiable Electronic Information shall include references to this policy, to applicable privacy laws that protect the information, or language that limits the third party contractor from using the information for any purpose other than to perform the services of the Agreement, or as required by law.
In addition to legal sanctions, violators of this Policy may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to University policies and collective bargaining agreements. If a User’s Electronic Information has been Accessed in violation of this policy, the affected individual should be promptly notified. Where such a policy violation also requires a legal notification under an applicable law, the legal notice will serve as the notification required under this section.
d. Audio or Video Conversations
In compliance with law, conversations shall not be recorded or monitored without advising all participants, unless a court has explicitly ordered such monitoring or recording to occur without notice. Emergency services shall record 911-type emergency calls in accordance with federal and state laws and regulations.
Callers shall be informed when a call is being monitored or recorded for the purpose of evaluating customer service, assessing workload, or any other business purpose permitted by law.
Except as otherwise provided in this policy, the University will obtain User Consent prior to any Access except under the conditions described below.
a. System Protection, Maintenance, and Management
University IT Resources require ongoing maintenance and inspection to ensure that they are operating properly; to ensure they are in compliance with regulatory and contractual obligations; and to protect against security threats such as cyber attacks, malware, and phish. University IT Resources also require regular management, for example, in order to deploy software updates. Accordingly, to perform this work, the University and its approved vendors may scan or otherwise Access Electronic Information without User Consent.
The Chief Information Security Officer may authorize Access for System Protection, Maintenance, and Management.
In that process, University IT personnel may observe certain Activity Data or other Electronic Information. Except as provided elsewhere in this policy or by law, University IT personnel are not permitted to seek out Electronic Information, including Contents or Activity Data, when not germane to system operations and support. Any unavoidable examination of Electronic Information shall be limited to the minimum required to perform such duties. This exception does not exempt systems personnel from the prohibition against disclosure of personal or confidential information.
If, in the course of their duties, University IT personnel inadvertently discover or suspect violations of law or University policy listed in Appendix A, such personnel may preserve the data and report such violations.
Where possible, the University will provide minimally invasive tools to manage User devices and adopt minimally invasive tools to monitor network security without unneeded institutional access.
b. Emergency Circumstances
The University may Access Electronic Information without User Consent in Emergency Circumstances, in which time is of the essence. One Authorizing Official may authorize Access using the least intrusive means to obtain the information necessary to assess and resolve the emergency. The Authorizing Official should weigh the need for Access against other University concerns, including academic freedom, personal privacy, integrity of University operations, protection of life and property, and determine that the need for Access outweighs any countervailing considerations.
c. Compelling Circumstances
For Compelling Circumstances, two Authorizing Officials must authorize Access to Electronic Information. When this happens, the Authorizing Officials must make a factual determination that the University investigation/purpose has a sufficient basis to support Access without User Consent. Additionally, the Authorizing Officials should weigh the need for Access against other University concerns, including academic freedom, personal privacy, integrity of University operations, compliance with law and policies listed in Appendix A, protection of life and property, and determine that the Access of Electronic Information will advance a legitimate institutional purpose and that such need outweighs any countervailing considerations. Only Electronic Information reasonably necessary to assess and/or address the Compelling Circumstances may be accessed or disclosed.
d. Operational Circumstances
The University may Access Electronic Information without User Consent under circumstances in which failure to access the Information would likely cause the University to fail to meet mission-critical governance, administrative, teaching, or research obligations.
For Operational Circumstances, two Authorizing Officials must authorize Access to Electronic Information. When this happens, the Authorizing Officials must make a factual determination that the operational circumstances have a sufficient basis to support Access without User Consent. Additionally, the Authorizing Officials should weigh the need for Access against other University concerns, including academic freedom, personal privacy, integrity of University operations and determine that the Access of Electronic Information will advance a legitimate institutional purpose and that such need outweighs any countervailing considerations. Only Electronic Information reasonably necessary to assess and/or address the Operational Circumstances may be accessed or disclosed.
e. University Investigations
The University may Access Electronic Information without User Consent in order to conduct a University Investigation of an alleged violation of a legal requirement or a policy listed in Appendix A. Two Authorizing Officials must authorize Access to Electronic Information for University Investigations. When this happens, the Authorizing Officials must make a factual determination that the investigation has a sufficient basis to support Access. Additionally, the Authorizing Officials should weigh the need for Access against other University concerns, including academic freedom, personal privacy, integrity of University operations, compliance with law and policy, protection of life and property, and determine that the Access of Electronic Information will advance a legitimate institutional purpose and that such need outweighs any countervailing considerations.
f. The Identity of the User is Unknown
The University may Access Electronic Information without User Consent when the identity of the User is unknown in order to investigate violations of law or of the University policy. Once the identity of the User is determined, the University may have an obligation under this policy to obtain User Consent for future Access.
g. Legal Process
All requests for Electronic Information arising from legal process, such as search warrants, court orders, national security letters, subpoenas, or other demands related to government investigations or University litigation, must be referred to the Office of the General Counsel or the General Counsel’s designee (OGC). The OGC is responsible for ensuring Notice of a Third Party Request, authorizing Access, and release of Electronic Information under this circumstance.
If a person is identified by name in the legal process as the person whose records are being sought, then the University will make reasonable efforts to provide Notice of a Third Party Request to the person/User before Accessing or disclosing Electronic Information and with sufficient notice to enable the User to object in court to the legal request.
Under circumstances in which the University does not have evidence that a User has received a copy of the Court Order or Subpoena, the University will either provide a copy of the request to the User using the cover sheet (or its equivalent) provided in Appendix C or in the alternative will make reasonable efforts under the circumstances to provide verbal or written communication to an affected User:
A User who does not want information to be released by Stanford should contact the Office of the General Counsel. If University Electronic Information is at issue, the University will work with the User to determine if moving to quash the subpoena is appropriate. If the User’s personal information is at issue (for example, pay records subpoenaed in a personal injury litigation), the User is responsible for moving to quash the subpoena or taking other appropriate legal action to invalidate the legal request to the University. Users in this situation are advised to seek legal counsel for assistance. Students enrolled in degree programs may seek out assistance from the ASSU Legal Counseling Office.
In circumstances in which the University is prohibited from disclosing the existence of legal process compelling disclosure of a User’s information (Gag Order), the Office of the General Counsel in consultation with the Privacy Office will determine whether the University has justifiable grounds to challenge the Gag Order.
When Electronic Information is accessed without User Consent, as provided for in Section 4, the following additional conditions apply:
If the target of the search is a faculty member, except for Emergency Circumstances, one of the Authorizing Officials will be the President or Provost, who may delegate this authority on a case by case basis to a Cabinet member; otherwise, an Authorizing Official may not delegate authority for Access to a faculty member’s Electronic Information. Authorization shall be limited to the least intrusive means to obtain the Electronic Information needed, but sufficient to comply with the University’s obligations. Nothing herein is intended to limit the University’s duty to comply with the law.
b. Notification of Internal Access
The responsible authority or designee shall, at the earliest opportunity that is lawful and preserves the integrity of the investigation, notify the affected User(s) of the action(s) taken and the reasons for the action(s) taken, unless law or policy mandates confidentiality and thereby prevents notification.
c. Compliance with Law
All University Access shall be in full compliance with the law and other applicable University policies.
d. Advice of Legal Counsel
University personnel should seek advice from the Office of the General Counsel if assistance is needed regarding this policy.
e. Transparency and Access Records
In determining whether to authorize Access, the designated officials should evaluate all the relevant circumstances for Access including the possible effect of Access on University values. The officials who authorize Access without User Consent for any reason shall create a record of the authorization. The record will include, where applicable:
1. a description of the Electronic Information that was Accessed;
2. the justification for the Access;
3. the legal process used to compel the Access;
4. whether the User was notified;
5. requests for information involving a Gag Order; and
6. notifications of violations of the policy under C3.
The Transparency and Access Records will be submitted to the Information Security Office. The Chief Information Security Officer is responsible for keeping a de-identified summary log of instances of Access to Electronic Information. This log will be made available to the Steering Committee of the Faculty Senate annually. Consistent with University Policy, the Steering Committee has the right to request further information.
Electronic Information is subject to any and all applicable University records management policies.
The Privacy and Access to Electronic Information policy cites circumstances under which Access to Electronic Information may occur without User Consent. University policies governing the following subject matter may trigger nonconsensual Access under the procedures defined in Section 4, Access Without User Consent:
This policy covers the appropriate use of all information resources including computers, networks, and the information contained therein.
Applies to all University students, faculty and staff, and all others using computer and communication technologies, including the University's network, whether personally or University owned, which access, transmit or store University or student information.
Use of Stanford's network and computer resources should support the basic missions of the University in teaching, learning and research. Users of Stanford's network and computer resources ("users") are responsible to properly use and protect information resources and to respect the rights of others. This policy provides guidelines for the appropriate use of information resources.
As used in this policy:
a. "Information resources" are all computer and communication devices and other technologies which access, store or transmit University or student information.
b. "Information" includes both University and student information.
c. "Personally owned resources" are information resources that are under the control of University employees or agents and are not wholly owned by the University.
a. General Policy
Users of information resources must protect (i) their online identity from use by another individual, (ii) the integrity of information resources, and (iii) the privacy of electronic information. In addition, users must refrain from seeking to gain unauthorized access, honor all copyrights and licenses and respect the rights of other users of information resources.
Users must refrain from seeking to gain unauthorized access to information resources or enabling unauthorized access. Attempts to gain unauthorized access to a system or to another person's information are a violation of University policy and may also violate applicable law, potentially subjecting the user to both civil and criminal liability. However, authorized system administrators may access information resources, but only for a legitimate operational purpose and only the minimum access required to accomplish this legitimate operational purpose.
(1) Prohibition against Sharing Identities
Sharing an online identity (user ID and password or other authenticator such as a token or certificate) violates University policy.
(2) Information Belonging to Others
Users must not intentionally seek or provide information on, obtain copies of, or modify data files, programs, passwords or other digital materials belonging to other users, without the specific permission of those other users.
(3) Abuse of Computing Privileges
Users of information resources must not access computers, computer software, computer data or information, or networks without proper authorization, or intentionally enable others to do so, regardless of whether the computer, software, data, information, or network in question is owned by the University. For example, abuse of the networks to which the University belongs or the computers at other sites connected to those networks will be treated as an abuse of University computing privileges.
The University is a non-profit, tax-exempt organization and, as such, is subject to specific federal, state and local laws regarding sources of income, political activities, use of property and similar matters. It also is a contractor with government and other entities and thus must assure proper use of property under its control and allocation of overhead and similar costs. Use of the University's information resources must comply with University policies and legal obligations (including licenses and contracts), and all federal and state laws.
(1) Prohibited Use
Users must not send, view or download fraudulent, harassing, obscene (i.e., pornographic), threatening, or other messages or material that are a violation of applicable law or University policy. In particular, contributing to the creation of a hostile academic or work environment is prohibited.
(2) Copyrights and Licenses
Users must not violate copyright law and must respect licenses to copyrighted materials. For the avoidance of doubt, unlawful file-sharing using the University's information resources is a violation of this policy.
(3) Social Media
(4) Political Use
University information resources must not be used for partisan political activities where prohibited by federal, state or other applicable laws, and may be used for other political activities only when in compliance with federal, state and other laws and in compliance with applicable University policies.
(5) Personal Use
University information resources should not be used for activities unrelated to appropriate University functions, except in a purely incidental manner.
(6) Commercial Use
University information resources should not be used for commercial purposes, including advertisements, solicitations, promotions or other commercial messages, except as permitted under University policy. Any such permitted commercial use should be properly related to University activities, take into account proper cost allocations for government and other overhead determinations, and provide for appropriate reimbursement to the University for taxes and other costs the University may incur by reason of the commercial use. The University's Chief Financial Officer and Vice President for Business Affairs will determine permitted commercial uses.
(7) Use of University Information
Users must abide by applicable data storage and transmission policies, including Admin Guide 6.3.1 (Information Security). Consult the University Privacy Officer (firstname.lastname@example.org) for more information.
d. Personally Owned Resources
Stanford does not require personnel to use their personally owned resources to conduct University business. Individual units within the University may permit such use, and users may choose to use their own resources accordingly. Any personally owned resources used for University business are subject to this policy and must comply with all Stanford requirements pertaining to that type of resource and to the type of data involved. The resources must also comply with any additional requirements (including security controls for encryption, patching and backup) specific to the particular University functions for which they are used.
e. Integrity of Information Resources
Users must respect the integrity of information and information resources.
(1) Modification or Removal of Information or Information Resources
Unless they have proper authorization, users must not attempt to modify or remove information or information resources that are owned or used by others.
(2) Other Prohibited Activities
Users must not encroach, disrupt or otherwise interfere with access or use of the University's information or information resources. For the avoidance of doubt, without express permission, users must not give away University information or send bulk unsolicited email. In addition, users must not engage in other activities that damage, vandalize or otherwise compromise the integrity of University information or information resources.
(3) Academic Pursuits
The University recognizes the value of legitimate research projects undertaken by faculty and students under faculty supervision. The University may restrict such activities in order to protect University and individual information and information resources, but in doing so will take into account legitimate academic pursuits.
f. Locally Defined and External Conditions of Use
Individual units within the University may define "conditions of use" for information resources under their control. These statements must be consistent with this overall policy but may provide additional detail, guidelines, restrictions, and/or enforcement mechanisms. Where such conditions of use exist, the individual units are responsible for publicizing and enforcing both the conditions of use and this policy. Where use of external networks is involved, policies governing such use also are applicable and must be followed.
g. Access for Legal and University Processes
Under some circumstances, as a result of investigations, subpoenas or lawsuits, the University may be required by law to provide electronic or other records, or information related to those records or relating to use of information resources, ("information records") to third parties. Additionally, the University may in its reasonable discretion review information records, e.g., for the proper functioning of the University, in connection with investigations or audits, or to protect the safety of individuals or the Stanford community. The University may also permit reasonable access to data to third-party service providers in order to provide, maintain or improve services to the University. Accordingly, users of University information resources do not have a reasonable expectation of privacy when using the University's information resources.
Responsibility for, and management and operation of, information resources is delegated to the head of a specific subdivision of the University governance structure ("department"), such as a Dean, Department Chair, Administrative Department head, or Principal Investigator ("lead"). This person will be responsible for compliance with all University policies relating to the use of information resources owned, used or otherwise residing in their department.
The lead may designate another person to manage and operate the system, but responsibility for information resources remains with the lead. This designate is the "system administrator."
The system administrator is responsible for managing and operating information resources under their oversight in compliance with University and department policies, including accessing information resources necessary to maintain operation of the systems under the care of the system administrator. (See also section 4.b; system administrators should defer to the Information Security Office for access beyond that necessary to maintain operation of the system.)
The system administrator should:
b. Suspension of Privileges
System administrators may temporarily suspend access to information resources if they believe it is necessary or appropriate to maintain the integrity of the information resources under their oversight.
a. Reporting Violations
System users will report violations of this policy to the Information Security Office, and will immediately report defects in system accounting, concerns with system security, or suspected unlawful or improper system activities to the Information Security Office during normal business hours and the Office of the General Counsel emergency after-hours phone line at other times.
b. Accessing Information & Systems
Inspecting and monitoring information and information resources may be required for the purposes of enforcing this policy, conducting University investigations or audits, ensuring the safety of an individual or the University community, complying with law or ensuring proper operation of information resources. Only the University's Chief Information Security Officer (or designate) may authorize this inspection and monitoring.
c. Cooperation Expected
Information resource users are expected to cooperate with any investigation of policy abuse. Failure to cooperate may be grounds for cancellation of access privileges, or other disciplinary actions.
A user found to have violated this policy may also have violated the University Code of Conduct, the Fundamental Standard, the Student Honor Code, and/or other University policies, and will be subject to appropriate disciplinary action up to and including discharge, dismissal, expulsion, and/or legal action. The Chief Information Security Officer will refer violations to University units, i.e., Student Affairs for students, the supervisor for staff, and the Dean of the relevant School for faculty or other teaching or research personnel, if appropriate.
The University's Chief Information Security Officer, or other person designated by the Vice President for Business Affairs and Chief Financial Officer, shall be the primary contact for the interpretation, monitoring and enforcement of this policy.
a. Student Discipline—See Student Life/Codes of Conduct/Fundamental Standard/Honor Code
b. Staff Discipline—See Guide Memo 2.1.16: Addressing Conduct & Performance Issues
c. Faculty Discipline—See the Statement on Faculty Discipline in the Faculty Handbook
d. Patents and Copyrights—See Research Policy Handbook 9.1 and 9.2; see also the Stanford University Copyright Reminder
e. Political Activities—See Guide Memo 1.5.1: Political Activities
f. Ownership of Documents—See Research Policy Handbook 9.2 and Guide Memo 1.5.5: Ownership of Documents
g. Incidental Personal Use—See Research Policy Handbook 4.1, and Guide Memo 1.5.2: Staff Policy on Conflict of Commitment and Interest
h. Security of Information—See Guide Memo 6.6.1: Information Security Incident Response
i. Privacy and Security of Health Information (HIPAA)—See Guide Memo 1.6.2: Privacy and Security of Health Information
j. Data Classification, Access and Transmittal and Storage Guidelines—See http://dataclass.stanford.edu.
k. Endpoint Compliance—See http://securecomputing.stanford.edu/endpoint_compliance.html
l. Online Accessibility—See https://ucomm.stanford.edu/policies/accessibility-policy/
The purpose of this policy is to ensure the protection of Stanford's information resources from accidental or intentional unauthorized access or damage while also preserving and nurturing the open, information-sharing requirements of its academic culture. This Guide Memo states requirements for the protection of Stanford's information assets.
This policy is applicable to all University students, faculty and staff and to all others granted use of Stanford University information resources. Every user of any of Stanford's information resources has some responsibility toward the protection of those assets; some offices and individuals have very specific responsibilities. This policy refers to all University information resources whether individually-controlled or shared, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated, or contracted by the University. This includes networking devices, personal digital assistants, telephones, wireless devices, personal computers, workstations, mainframes, minicomputers, and any associated peripherals and software, regardless of whether used for administration, research, teaching or other purposes.
The purpose of information security is to protect the information resources of the University from unauthorized access or damage. The underlying principles followed to achieve that objective are:
a. Information Resource Availability
The information resources of the University, including the network, the hardware, the software, the facilities, the infrastructure, and any other such resources, are available to support the teaching, learning, research, or administrative roles for which they are designated.
b. Information Integrity
The information used in the pursuit of teaching, learning, research, or administration can be trusted to correctly reflect the reality it represents.
c. Information Confidentiality
The ability to access or modify information is provided only to authorized users for authorized purposes.
d. Support of Academic Pursuits
The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic objectives.
e. Access to Information
The value of information as an institutional resource increases through its appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions to its access.
All University information is classified into one of 4 levels based on sensitivity and risk. These classifications take into account legal protections, contractual agreements, ethical considerations, privacy issues, and strategic or proprietary worth. The classification level determines the security protections and access authorization mechanisms which must be used for the information. Security guidelines can be found in the Stanford Minimum Security Guidelines. The information classifications are as follows:
a. Prohibited Information
Information is classified as "Prohibited" if protection of the information is required by law or government regulation, or Stanford is required either to provide notice to the individual if information is inappropriately accessed or to report unauthorized access to the government.
b. Restricted Information
Information is classified as "Restricted" if (i) it would otherwise qualify as "Prohibited" but it has been determined by the Data Governance Board that prohibiting information storage on Computing Equipment would significantly reduce faculty, staff, or student effectiveness when acting in support of Stanford's mission, or (ii) it is listed as Restricted in the Classification of Common Data Elements.
c. Confidential Information
Information is classified as "Confidential" if (i) it is not considered to be Prohibited or Restricted and is not generally available to the public, or (ii) it is listed as Confidential in the Classification of Common Data Elements.
d. Public Information
All information which does not fall into one of these categories is considered to be "public." Please see the Information Security Office for a list of frequently used public information.
a. Information Security Officer
The Information Security Officer is responsible for providing interpretation of this and other related policies and disseminating related information.
b. University Privacy Officer
The University Privacy Officer is responsible for developing and implementing policies and procedures governing the privacy of data that the University is required or elects to protect.
c. Data Governance Board
The Data Governance Board is an advisory group charged with oversight of policies and procedures relating to the protection and use of Stanford's non-public information.
d. Business and Data Owners
System Business and Data Owners are responsible for the application of this and related policies to the systems, data, and other information resources under their care or control.
e. System Administrators
System Administrators are responsible for the application of this and related policies to the systems, information, and other information resources in their care at the direction of the Business and Data Owners.
f. System Developers and Integrators
System Developers and Integrators are responsible for the application of this and related policies to the systems, information, and other information resources in their care at the direction of the Business and Data Owners.
Every user of Stanford's information resources is responsible for the application of this and related policies to the systems, information, and other information resources which they use, access, transmit or store.
h. Third-party Affiliates
Stanford expects all partners, consultants and vendors to abide by Stanford's information security and privacy policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Stanford's information security and privacy policies.
Violations of this policy include, but are not limited to: accessing information to which the individual has no legitimate right; enabling unauthorized individuals to access information; disclosing information in a way that violates applicable policy, procedure, or other relevant regulations or laws; inappropriately modifying or destroying information; inadequately protecting information; or ignoring the explicit requirements of Data Owners for the proper management, use, and protection of information resources.
Violations may result in network removal, access revocation, corrective action, and/or civil or criminal prosecution. Violators may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to campus policies, collective bargaining agreements, codes of conduct, or other instruments governing the individual's relationship with the University. Recourse shall be available under the appropriate section of the employee's personnel policy or contract, or by pursuing applicable legal procedure.
a. Any School or Department found to have violated this policy may be held accountable for the financial penalties and remediation costs associated with a resulting information security incident.
b. Third party vendors found to have violated this policy may incur financial liabilities, in addition to termination of contract.
Information Security Office
This Guide Memo states requirements for identifying and authenticating users of Stanford computer systems and networks, and describes centrally-supported identification and authentication facilities.
To ensure the security and integrity of both University data and data belonging to individuals, all owners of Stanford computer systems and networks must develop and implement access control policies. This Memo does not describe possible policies nor specify how to choose one; however, systems with non-public resources to protect should have policies that base access control on user identities.
Authentication is the secure identification of system users. The system owner is responsible for determining which authentication method to use among those that may be available for a particular system. However, system owners are strongly encouraged to rely on the authentication services provided by Stanford's central computing organization rather than using system-specific authentication methods. This service provides secure authentication and consistent campus-wide identification.
It is University policy that all University business for which computer-based forms and actions have been released will be done using those computer-based systems; paper forms are no longer accepted. This policy applies to all aspects of qualifying transactions, including initiation, routing, processing by Schools and VP Area offices, and transmission to and processing by central administrative offices. Secure identification of the participants in all such transactions is crucial to the successful conduct of University business. The centrally-supported authentication service described in this Memo is designed to support University business requirements.
a. Linked Identifiers
Stanford maintains a set of linked records identifying all employees, students, and others who use the University's computing resources. These records correlate SUNet ID, University ID, and Stanford Identification Card records.
b. Management of Identifiers
(1) Uniqueness. Each identifier (University ID or SUNet ID) is unique; that is, each identifier is associated with a single person or other entity.
(2) One Identifier per Individual. An individual may have no more than one University ID number and one personal SUNet ID.
(3) Non-Reassignment. Once an identifier is assigned to a particular person it is always associated with that person. It is never subsequently reassigned to identify another person or entity. Alternative IDs (that is, alternative names registered along with a personal SUNet ID) may be reassigned after a waiting period.
a. Stanford University Network Identifiers
SUNet IDs consist of alphabetic characters and digits, and are chosen by their users. Personal SUNet IDs are from three to eight characters in length. Other SUNet IDs may be up to 256 characters in length.
b. Types of SUNet IDs
(1) University-eligible Personal SUNet IDs
(a) Full (University-eligible) Personal SUNet IDs are available to:
(b) Base (University-eligible) Personal SUNet IDs are available to:
(2) Sponsored Personal SUNet IDs are available to all others, subject to the following conditions:
c. Establishing a SUNet ID
SUNet IDs are established and maintained via online procedures. Note that employees and students must have a University ID number in order to obtain a SUNet ID.
An eight-digit University identification number is automatically assigned to regular, continuing employees by the HRMS system and to students by the PeopleSoft Student Administration system. This number appears on the printed Stanford Identification Card (see Guide Memo 2.4.3: Stanford Identification Cards).
IDs are available to identify other kinds of entities such as groups, departments, mailing lists, roles, computer-based services, etc. For more information, submit a help request or phone the Stanford IT Service Desk at 650-725-4357.
a. Authentication Methods
Authentication methods involve presenting both a public identifier (such as a user name or identification number) and private authentication information, such as a Personal Identification Number (PIN), password, or information derived from a cryptographic key. Authentication methods currently supported by Stanford's central computing organization include:
b. Eligibility for Authentication Entry
A user must be associated with an entry in the authentication service to be able to use most centrally-supported systems and services.
(1) University ID and Regular Personal SUNet ID
Eligibility for an entry in the authentication service begins when the individual accepts the offer of student registration or employment. Eligibility ends when a person's active association with the University ends; i.e., when an employee is no longer employed (and does not have emeritus status) or a student is no longer registered. In certain circumstances, a grace period may be allowed as a courtesy after eligibility ends. See University IT procedures.
(2) Sponsored SUNet ID
A sponsored SUNet ID is sponsored for a specific period of time. The sponsor determines the length of sponsorship; sponsorship must be renewed to keep the ID valid. There is no grace period: the entry becomes invalid immediately at the end of the sponsorship period.
An entry may be reactivated if the individual subsequently rejoins the University, either via regular association or sponsorship.
The use of an authentication entry may be revoked if it is used in a manner inconsistent with Stanford policies or if an individual is subject to other administrative action that denies them University privileges.
c. User Responsibilities
(1) Official Actions
Use of the authentication service to identify oneself to an on-line system constitutes an official identification of the user to the University, in the same way that presenting an ID Card does. Users can be held responsible for all actions taken during authenticated sessions.
Regardless of the authentication method used, users must use only the authentication information that they have been authorized to use; i.e., must never identify themselves falsely as another person or entity.
Regardless of the authentication method used, users must keep their authentication information confidential; i.e., must not knowingly or negligently make it available for use by an unauthorized person.
(4) Reporting Problems
Anyone suspecting that their authentication information has been compromised should contact the Information Security Office at email@example.com or by entering a help request or by phoning the Stanford IT Service Desk at 650-725-4357.
(5) Security Precautions
Users are strongly encouraged to change their password regularly (at least once every three months), to limit possible abuse of passwords that may have been compromised without the user's knowledge. Passwords should be chosen so that they are not easily guessable; e.g., they should not be based on the user's name or birth date.
(6) Disciplinary Action
Individuals who are found to have knowingly violated one of these provisions will be subject to disciplinary action. The possible disciplinary actions for violations, which can include termination of employment or student status, will depend on the facts and circumstances of each case.
Kerberos, a sophisticated cryptographic authentication system, is the preferred authentication method for use with centrally-supported systems and services at Stanford.
Stanford's Kerberos system uses personal SUNet IDs to name its entries for people. Other entities, such as network-based services, also have Kerberos entries.
Each Kerberos entry is associated with a srvtab or keytab based on a password hash maintained by the user. Kerberos software, installed on end-user computers, allows users to authenticate to network services using their SUNet ID and password.
c. Changing a Password
Password changes may be made using standard Kerberos software or via University IT. The Kerberos system checks proposed new passwords and rejects those that are likely to be easily guessable.
d. Reissuing Passwords
When a SUNet ID holder forgets the password associated with a Kerberos entry, or if it is compromised and no longer private, they should immediately try to reset it themselves at https://accounts.stanford.edu/ or contact the Stanford IT Service Desk at (650) 725-4357 for assistance in having a new password issued.
This section contains recommendations and requirements for systems and services that use local identification and authentication methods rather than the centrally-supported methods.
a. Use SUNet IDs
Systems should use personal SUNet IDs to identify their users. This will be less confusing for users, and will ease future transition to centrally-supported authentication.
b. Avoid Clear-Text Passwords
Systems may not transmit reusable passwords across the network unencrypted. Such passwords are vulnerable to capture and abuse.
c. Support Password Quality
Systems should check proposed passwords and reject those that are likely to be easily guessable.
a. SUNet IDs
(1) Cognizant Office
The office responsible for implementing policy on SUNet IDs is the Office of the CIO.
Support information is available at http://www.stanford.edu/services/sunetid, by submitting a help request, or by phoning the Stanford IT Service Desk at (650) 725-4357.
(1) Cognizant Office
The office responsible for implementing policy on the Kerberos authentication system is the Office of the CIO.
Support information is available by submitting a help request or by phoning the Stanford IT Service Desk at (650) 725-4357.
c. University IDs
(1) Cognizant Office
The offices responsible for implementing policy on University IDs are University Human Resources (for employees) and the Registrar's Office (for students).
Establishes policy for use of electronic communication forums at Stanford.
From time to time, University departments, faculty, students and others may host electronic communication forums, such as chat rooms, news groups, bulletin boards or websites, whereby various parties may contribute their thoughts on various subjects and where such communication is made available for others to read and comment upon. For purposes of this policy, these sites are collectively referred to as "forums."
a. Connection With University Activities
Forums that either use the Stanford.edu, Stanford.org or other Stanford domains or use University computing facilities should be established only in connection with legitimate activities of the University.
b. University Role
Unless specifically sponsored by an academic or administrative unit of the University, the University's role in connection with these forums will be solely as a passive Internet service provider.
This Guide Memo describes the procedures to be followed when a computer security incident is discovered to have occurred involving an Academic or Administrative Computing System operated by Stanford University, its faculty, students, employees, consultants, vendors or others operating such systems on behalf of Stanford. It also describes the procedures to be followed when Prohibited or Restricted Information residing on any computing or information storage device is, or may have been, inappropriately accessed, whether or not such device is owned by Stanford. This policy outlines the procedures for decision making regarding emergency actions taken for the protection of Stanford's information resources from accidental or intentional unauthorized access, disclosure or damage.
This policy is applicable to all University students, faculty, staff, and to all others granted use or custodianship of Stanford University information resources ("University Community").
The purpose of information security incident response is to:
a. mitigate the effects caused by such an incident,
b. protect the information resources of the University from future unauthorized access, use or damage, and
c. ensure that Stanford fulfills all of its obligations under University policy, and federal and state laws and regulations with respect to such incident.
Stanford recognizes the need to follow established procedures to address situations that could indicate the security of the University's information assets may have been compromised. Such procedures include ensuring the appropriate level of University management becomes involved in the determination of actions implemented in response to an information technology security incident.
A standard University-wide approach to information security is important in order to protect the security of Stanford's intellectual capital and to ensure that Information Security Incidents are handled properly, effectively and in a manner that minimizes the adverse impact to the University. Every user of any of Stanford's information resources has responsibility toward the protection of the University's information assets; certain offices and individuals have very specific responsibilities.
a. Academic Computing System
Any application, or information system, that directly or indirectly deals with or supports the University's primary mission of teaching, learning and research.
b. Administrative Computing System
Any application, or information system, that directly or indirectly deals with or supports financial, administrative, or other information that is an integral part of running the business of the University (as defined in Guide Memo 6.1.1: Administrative Computing Systems).
c. Electronic Information Security Incident
An Electronic Information Security Incident is defined as any real or suspected adverse event in relation to the security of computer systems, computer networks, electronic Prohibited Information or electronic Restricted Information. Examples of incidents include:
d. Information Security Incident
An Electronic Information Security Incident or a Non-electronic Information Security Incident.
e. Non-electronic Information Security Incident
Real or suspected theft, loss or other inappropriate access of physical content, such as printed documents and files.
f. Prohibited Information
Information defined as Prohibited.
g. Restricted Information
Information defined as Restricted.
A member of the University Community who becomes aware of an Information Security Incident should immediately:
a. Disconnect the compromised system and equipment from Stanford's network.
b. Avoid making any updates or other modifications to software, data, or equipment involved or suspected of involvement with an Information Security Incident until after the Information Security Office has completed its investigation and authorizes such activity.
c. Contact the University's Information Security Office via HelpSU or by calling (650) 723-2911.
When an Information Security Incident is reported, the University’s Chief Information Security Officer (CISO) will do the following:
a. The CISO will investigate the Information Security Incident. In order to minimize the impact of the Information Security Incident on the University and in order to complete a proper investigation, the CISO has the authority to restrict information system access or operations to protect against unauthorized information disclosures. In order to complete the investigation, the CISO may convene a preliminary fact-finding working group comprised of relevant business and technical personnel.
b. If the CISO concludes that applicable federal or state laws or regulations may have been violated, the CISO will notify the Office of the General Counsel, which will, in turn, notify law enforcement agencies if appropriate.
c. If the CISO concludes that there is a possibility of unauthorized access to Restricted or Prohibited Information, or other sensitive information, the CISO will notify the University Privacy Officer, who will convene an Information Security Incident Response Team.
d. If appropriate, the CISO will notify offices of the Deans, Vice Provosts and Vice Presidents with responsibility for areas affected by the Information Security Incident.
e. If the CISO determines that an employee may not have carried out their assigned tasks as instructed or in accordance with University rules and policies, the CISO will notify the employee’s manager and the Vice President for Business Affairs and CFO. If the University opens an investigation into the situation, the CISO will cooperate with the employee’s manager and/or Stanford’s Human Resources Group in its investigation of the incident to determine appropriate corrective or disciplinary action, if any. The office conducting the investigation and making the recommendation will complete and submit to the appropriate parties all supporting documentation related to the investigation and recommended action.
Based on information provided by the CISO and in consultation with the Office of the General Counsel, the University’s Privacy Officer will convene an Information Security Incident Response Team (ISIRT) to develop an appropriate Information Security Incident Response Plan (Plan). Depending on the circumstances of each situation, the Privacy Officer shall include in the ISIRT representatives of some or all of the following offices:
The ISIRT, led by the University Privacy Officer, will develop and execute communication and other action plans to ensure:
a. Appropriate action is taken in a timely manner, including reporting, notification and other communication of the Information Security Incident, as required by law or otherwise deemed appropriate.
b. Appropriate progress reports are made on the Information Security Incident and execution of the Plan, including to:
In carrying out this responsibility, the ISIRT will ensure that important operational decisions are elevated to the appropriate levels to protect the fundamental interests of the University and others impacted by the incident.
The University Privacy Officer will also be responsible for documenting the deliberations and decisions of the ISIRT as well as all actions taken pursuant to ISIRT deliberations.
The Information Security Office, jointly with the Internal Audit Department, will be responsible for writing a final report on the incident and the ensuing investigation (Report), which summarizes findings regarding the Information Security Incident and, if appropriate, makes recommendations for improvement of related information security practices and controls. The Report will be distributed to the Vice President for Business Affairs and CFO, and other appropriate University office(s), if any.
Specific guidelines, procedures, standards, and best practices for secure computing can be found at: http://securecomputing.stanford.edu.
Additional information can be found at:
This Guide Memo describes the policy that governs the Administrative Computing Systems at Stanford University and identifies Administrative Computing System ownership, development and management responsibilities. This policy applies to all computerized systems involved with the creation, updating, processing, outputting, distribution, and other uses of administrative information at Stanford.
Every Administrative Computing System at Stanford University must have a designated Business Owner who ensures that the system meets the business needs of the University and is appropriately available, secure and sustainable.
The purpose of this policy is to establish system ownership responsibility and to ensure that each system meets its functional requirements, is appropriately documented, is secure and controlled, has been adequately tested, and is maintainable.
The specifications in this policy are independent of system architecture and delivery platforms—i.e., it makes no difference whether an application resides in mainframe, web, client/server, peer-to-peer, or other present or future environments. This policy applies to applications developed at Stanford, acquired from external vendors, built from open-source components, as well as those extended from existing or purchased applications, whether the systems are developed in central offices, in schools or in departments. This policy applies to all administrative applications that deal with financial, administrative, or other information that is an integral part of running the business of the University.
The standards in this policy specifically apply to the Business Owner of any Administrative Computing System at Stanford University and to all persons who develop, implement, maintain or use any University Administrative Computing System.
Administrative Computing System
Any computing system that directly or indirectly deals with or supports financial, administrative, or other information that is an integral part of running the business of the University.
The Business Owner of an Administrative Computing System is usually the owner of the primary business functions served by the system, the system's largest stakeholder. When the system serves several different functional business areas of the University, the Vice President of Business Affairs and Chief Financial Officer will designate the Business Owner.
The Dean, Director or Department Head of the administrative department having primary responsibility for creation and maintenance of the data content in an Administrative Computing System. In some cases, a single Administrative Computing System may have multiple Data Owners.
Manages the day-to-day operation of the computer system(s) within an organization that supports the Administrative Computing System. These support functions may include any or all of the following functions: database management, software distribution and upgrading, user profile management, version control, backup & recovery, system security and performance and capacity planning.
A person who designs and writes software. The term generally refers to designers and programmers in the commercial software field. However, it may also refer to professionals developing internal business applications within an enterprise. With increasing complexity of technology, and organizations' desire for complete solutions to information problems, requiring hardware, software and networking expertise in a multi-vendor environment, System Developers are integral to the implementation of Administrative Computing Systems.
A person who takes responsibility for delivering a system solution which will solve a business problem. Systems Integrators are individuals or organizations that build systems from a variety of diverse components. With increasing complexity of technology, and organizations' desire for complete solutions to information problems, requiring hardware, software and networking expertise in a multi-vendor environment, Systems Integrators are often key in the implementation of Administrative Computing Systems.
Any individual who interacts with the computer at an application level. Programmers, System Administrators and other technical personnel are not considered System Users when working in a professional capacity on the Administrative Computing System.
a. Business Owner
A Business Owner who does not use the services of Administrative Systems for design, development, integration or maintenance of an Administrative Computing System must assume Business Owner, System Developer, System Integrator and System Administrator responsibilities.
(2) Development Phase
(3) Production Phase
b. Data Owner
c. System Developer
d. System Integrator
e. System Administrator
System Administrators of distributed computing systems, remote network servers, or small stand-alone systems may in fact perform the roles, and have the responsibilities, of Business Owner, Data Owner, System Developer, System User and System Administrator in succession, and on an ongoing basis.
f. System User
a. Computer and Network Usage
Guide Memo 6.2.1: Computer and Network Usage
b. Information Security
Guide Memo 6.3.1: Information Security
c. Information Security Incident Response
Guide Memo 6.6.1: Information Security Incident Response
d. Specific security guidelines, procedures, standards, and practices
Information Security Office website, Secure Computing section.
e. Online Accessibility Policy