Communications from Senior University Management
February 13, 2014 letter regarding information security
Vice President for Business Affairs Randy Livingston announces the formation of a faculty committee to assess the information security challenges facing Stanford and help chart institutional strategies for addressing them. Several elements of the information security mandates announced on January 15 for Stanford employees will be suspended in the meantime.
On January 15, I sent you a communication outlining new information security mandates for University employees. Since that time I have heard from a number of faculty expressing their concerns about the potential impact of the mandates on individual privacy and research productivity. While all of us share the goal of containing and mitigating information security risks, we want to respect and protect individual privacy, and avoid impairing the University's research efforts.
On February 11, I met with the Faculty Senate Steering Committee to discuss faculty concerns. I proposed formation of a special faculty committee to assess the information security and privacy challenges facing Stanford, help chart an institutional strategy that reflects the diverse needs of University stakeholders, and partner with the administration in revising the mandates. The faculty committee will be formed within the next two weeks and will be led by Andy Fire, Professor of Pathology and Genetics, and co-chaired by David Palumbo-Liu, Professor of Comparative Literature and English, who are also members of the Faculty Senate Steering Committee.
While the committee undertakes its review, all agree that we should suspend several elements of the mandates as described below:
1. Windows XP - The mandate to migrate from Windows XP laptops and desktops will be suspended for devices that manage scientific instruments or run unique software applications that cannot be easily upgraded. The April 8 deadline will remain for laptops and desktops used as standard business systems.
2. BigFix - The deadline for installation of BigFix will be suspended for systems that do not store or access personally identifiable information (PII) such as social security and credit card numbers or protected health information (PHI). BigFix must be installed on University and personally owned systems that store or can access PII/PHI no later than May 28.
3. Identity Finder (IDF) - This tool, which scans computer files to identify PII that a user may have downloaded unwittingly, will not be used except with specific consent of the individual whose files are being scanned.
4. Encryption - The requirement to encrypt laptop and desktop devices will remain with the following deadlines:
- New University-owned laptops and desktops must be encrypted immediately following purchase
- SWDE encryption must be in place on all University-owned and personally owned devices that store or can access PHI in any manner by February 28
- SWDE must be in place on all devices storing more than 500 PII records by July 31, and with more than 10 PII records by November 30. PII belonging to the device user and family members, such as would be found on copies of an individual's tax return, will not be counted under this requirement.
- With the exception of devices that manage scientific instruments without PHI/PII, we will pursue a goal of having encryption in place on all laptops and desktops by May 31, 2015.
5. Encryption for Mobile Devices - The requirement to install Mobile Device Manager (MDM) is suspended for those individuals with no access to PHI. However, for those with access to PHI, the original mandate to install MDM on University-owned and personally owned mobile devices by February 28 will remain.
6. File Backup - Frequent and secure file backup is highly recommended for all systems and all members of the Stanford community. We are suspending the requirement to use a University or department managed file backup service, but these services remain available to all members of the Stanford community.
Once the faculty committee is formed, we will communicate its membership and encourage all of you to provide input to them.
We also will be issuing additional communications soon providing tips for maximizing your own computer security and answering common questions we have been receiving from the Stanford community. Strengthening our information security is an imperative for the University, but we intend to do so in a manner that is consultative and using transition processes that are as simple as possible for everyone to implement. Thank you for your partnership in these efforts.
Vice President for Business Affairs