Security Review Process

Consistent with its charter to protect Stanford's computing and information assets as well as to comply with pertinent laws, regulations, and policies, the Information Security Office (ISO) is responsible for conducting security reviews of new services (or substantive changes to existing services) that handle Prohibited or Restricted Data. Reviews of systems handling Confidential Data are optional, and ISO may conduct such reviews upon request.

Because information security reviews often take substantial time to complete, the Business Owner is encouraged to initiate the review process and complete the preparation steps listed below as early as possible in the project. Note that in the interest of expediency, many of these steps can be performed in parallel.

  1. Preparatory steps by Business Owner:
    1. If the Business Owner isn't the Data Owner, identify and involve the Data Owner in the Security Review Process.
    2. Using the Data Classification Guide (http://dataclass.stanford.edu), determine the type(s) of Stanford data involved (Prohibited, Restricted, Confidential).
      • If only Confidential data are involved, the information security review is optional.
    3. For Prohibited or Restricted Data (optional for Confidential Data), identify the vendor contact(s) whom ISO can contact to request any available third party security certifications/attestations (preferably based on standards such as PCI DSS, ISO 27002, NIST 800-53, SSAE-16 SOC 2, OWASP, or equivalent) from the vendor that are applicable to the service / application under consideration.
    4. Working with OGC as necessary, identify applicable laws and regulations (FERPA, HIPAA, HITECH, PCI DSS, GLBA, FISMA, etc.) and determine whether a business associate agreement (BAA) will be needed with the vendor.
      • If so, engage OGC to begin discussions with the vendor and to determine what the indemnification amount should be. Note that establishing a BAA with a vendor can be a lengthy process.
    5. Engage OGC to execute a non-disclosure agreement (NDA) with the vendor if necessary, ensuring that ISO is included among those permitted to receive confidential information from the vendor.
    6. Confirm that the vendor is willing to include Stanford's data security Terms and Conditions clauses (http://securecomputing.stanford.edu/ASP_security.html) in the contract.
      • If not, coordinate with OGC and Procurement to negotiate a mutually acceptable replacement.
    7. Supply diagrams and supporting documentation explaining the system architecture, data flows, and integration points with Stanford's systems.
    8. Open a HelpSU ticket (https://helpsu.stanford.edu --> select "Information Security" and "Request a Security Review") to initiate the review with ISO, submit gathered information, and track correspondence for later reference.
  2. ISO steps:
    1. Arrange a kickoff meeting between ISO, Business Owner, and other key participants (e.g., vendor, Stanford implementation team, Data Owner).
    2. For Prohibited or Restricted Data (optional for Confidential Data), request all available third party security certifications/attestations (preferably based on standards such as PCI DSS, ISO 27002, NIST 800-53, SSAE-16 SOC 2, OWASP, or equivalent) from the vendor that are applicable to the service / application under consideration.
      • If necessary, the vendor can submit a redacted copy of certifications to safeguard sensitive information.
      • Stanford reserves the right to request and review the vendor's third party certifications/attestations annually.
    3. For Prohibited Data or for Restricted Data with third party services, contact DGB to initiate approval process as necessary.
    4. Review submitted documentation, including diagrams and third party security certifications.
      • If the provided attestations are insufficient or not applicable, request additional information from the vendor, such as internal policies and procedures, software development life cycle (SDLC) documentation, disaster recovery plans, penetration test results, etc.
      • Follow-up meetings with vendor and/or Stanford Business Owner, Data Owner, and implementation team may be necessary.
    5. Perform risk assessment, given data types and sensitivity, third party attestations, applicable laws and regulations, and security controls in place.
    6. Issue guidance to Business Owner including identified risks, suggested risk mitigations, and implementation and configuration recommendations.
  3. The Business Owner uses ISO guidance as input to the business decision.
Last modified: 06/03/2014 04:25:41 PM