Security Review Process
Consistent with its charter to protect Stanford's computing and information assets, and to comply with pertinent laws, regulations, and policies, the Information Security Office (ISO) is responsible for conducting security reviews of new services (or substantive changes to existing services) that handle Prohibited or Restricted Data. Reviews of systems handling Confidential Data are optional, and ISO may conduct such reviews upon request.
Because information security reviews often take substantial time to complete, the Business Owner is encouraged to initiate the review process and complete the preparation steps listed below as early as possible in the project. Note that in the interest of expediency, many of these steps can be performed in parallel.
- Preparatory steps by the Business Owner:
  - If the Business Owner isn't the Data Owner, identify and involve the Data Owner in the Security Review Process.
  - Using the Data Classification Guide (http://dataclass.stanford.edu), determine the type(s) of Stanford data involved (Prohibited, Restricted, Confidential).
  - If only Confidential Data are involved, the information security review is optional.
  - If so, engage OGC to begin discussions with the vendor and to determine what the indemnification amount should be. Note that establishing a BAA with a vendor can be a lengthy process.
- Arrange a kickoff meeting between ISO, the Business Owner, and other key participants (e.g., vendor, Stanford implementation team, Data Owner).
- For Prohibited or Restricted Data (optional for Confidential Data), request from the vendor all available third-party security certifications/attestations (preferably based on standards such as PCI DSS, ISO 27002, NIST 800-53, SSAE-16 SOC 2, OWASP, or equivalent) that are applicable to the service/application under consideration.
  - If necessary, the vendor can submit a redacted copy of certifications to safeguard sensitive information.
  - Stanford reserves the right to request and review the vendor's third-party certifications/attestations annually.
- If the provided attestations are insufficient or not applicable, request additional information from the vendor, such as internal policies and procedures, software development life cycle (SDLC) documentation, disaster recovery plans, penetration test results, etc.
  - Follow-up meetings with the vendor and/or the Stanford Business Owner, Data Owner, and implementation team may be necessary.