
Stanford SoE Security FAQ

Mahesh Bhavana -

Privacy

Q: How is my private information safe when the encryption keys are shared with ITS?  Aren't we making it easy for the hackers by holding all the keys in one place? 

A: Encryption keys are encrypted in transit and are stored on security-hardened ITS servers. Just having the encryption key does not mean a hacker can remotely access your data: they would need both the encryption key and your physical machine to see your data. ITS offers central storage of all encryption keys as a safety measure so we can help users if they ever get locked out of their machine.

 

Q: Does every single machine connected to Stanford's WIFI or LAN need to have Tivoli End Point Manager and Identity Finder running?

A: Yes.  All University employees must comply with these requirements. They apply to all University-owned laptops, desktops, smart phones and tablets ("devices"), personally-owned devices used on the Stanford Network, and personally-owned devices that could be used to access Protected Health Information (PHI) or other High Risk Data.

Reference Link:

http://www.stanford.edu/group/security/securecomputing/endpoint_com...

UPDATE: This provision of the security mandate has been placed on hold while the Faculty Privacy Council meets to review the policy.

 

Q: Do non-Stanford owned machines need to comply with the new security mandates?

A: Home machines, and machines only accessing the Stanford Guest Network, are encouraged to follow the security mandate, but there is no mandate for these machines today. All other machines must comply.

 

Q: I feel centralized management of computer hardware and software using BigFix is intrusive.

A: BigFix must be installed on University and personally owned systems that store or can access PII/PHI no later than May 28.  This is to ensure "safe harbor" if the data on the device (computer or mobile) is ever compromised.  Information collected by BigFix is limited to the following list: https://itservices.stanford.edu/service/bigfix/retrieved_properties

 

Q: Are Stanford University and Stanford School of Medicine security requirements different?

A: Yes, Stanford School of Medicine has some additional requirements, such as (but not limited to):

  • All individuals in the School of Medicine must complete a data security attestation.
  • The Windows XP upgrade requirement will be suspended for devices that manage specialized scientific applications or equipment. The School of Medicine has developed a more secure network to safeguard these specialized resources. If you are interested in having your devices on this network, please contact IRT Security.

For additional information: https://med.stanford.edu/datasecurity/

 

Backup

Q: I currently use File Vault 2 on my computer for encryption. Does this satisfy the security requirements?

A: No, encrypted computers need to be auditable. Only machines encrypted with the ITS SWDE tools will be auditable in the event of the loss or theft of a laptop. In addition, ITS requires other security software packages to be installed on your computer, such as Tivoli End Point Manager, Identity Finder, etc. Your computer files also need to be backed up to a centralized location using cloud storage (Box) or network storage (CrashPlan).

 

Q: CrashPlan allows IT to monitor my computer and that doesn’t make me comfortable.

A: IT only monitors to verify the backups are happening.  Your data is encrypted and stored in a secure manner. 

 

Encryption

Q: How do I recover my encryption key out of escrow with ITS?

A: If you lose your passphrase, submit a HelpSU request or call 5-HELP and ask for a temporary Whole Disk Token Recovery (WDTR). An IT Services representative will provide a temporary recovery passphrase.  This is performed using the NERK tool by the ITS.

 

Q: I have Boot Camp installed on my Mac so I can use whichever operating system I need at the time. How can I support whole disk encryption?

A: In order to be whole-disk encrypted, Macintosh computers cannot have an actual Windows partition. Whole-disk encrypted Macs should run Windows within MacOS via virtualization such as Fusion or Parallels. If needed, please consult your local technical support staff for help with this process.

 

Q: If I have a VM running on my workstation and my workstation has whole disk encryption, do I also need to encrypt the VM?

A: No, whole disk encryption covers both the host and all virtual machines stored on it.

 

Q: How robust is the disk encryption software?

A: BitLocker is supported by Microsoft and is built into Windows 7.  FileVault 2 for Mac OS X is also supported by Apple.  Both these software packages support full disk encryption.

 

Q: I already have MDM on my devices - am I set?

A: If your mobile device is enrolled, you don’t have to take any further actions now. You can check your enrollment at mdm.stanford.edu

 

Q: Do I have a TPM?

A: A Trusted Platform Module, commonly known as a TPM chip, is supported on recently manufactured Windows platform hardware (Apple does not support a TPM chip). From the Windows Start menu select "Run", type "tpm.msc" in the box next to Open, and select OK. A new window will open and display TPM device information, if you have one. If you are still unsure, contact the SoE IT help desk at soeithelp@stanford.edu
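For administrators who would rather check a fleet of machines from a script than open tpm.msc on each one, the following PowerShell is an added example (not part of this FAQ and not an ITS tool). It assumes the standard Windows WMI classes Win32_Tpm and Win32_EncryptableVolume, which are present on Windows 7 and later, and it must be run from an elevated prompt because both security namespaces require administrator rights. It goes slightly beyond the question by also reporting whether BitLocker protection is on for each volume, which is the encryption check that matters once a TPM has been found.

```powershell
# Added example: report TPM presence/state and BitLocker protection status via WMI.
# Assumes Windows 7 or later and an elevated PowerShell session.

function Get-TpmSummary {
    # Win32_Tpm lives in the MicrosoftTpm security namespace; the query returns
    # nothing when the machine has no TPM or the TPM is disabled in firmware.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            Present = $false; Enabled = $false; Activated = $false
            Owned = $false; SpecVersion = $null
        }
    }
    # IsEnabled/IsActivated/IsOwned are WMI methods; each returns an object
    # whose boolean property has the same name as the method.
    [pscustomobject]@{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled
        Activated   = [bool]$tpm.IsActivated().IsActivated
        Owned       = [bool]$tpm.IsOwned().IsOwned
        SpecVersion = $tpm.SpecVersion   # e.g. "1.2, 2, 3" or "2.0, 0, 1.16"
    }
}

function Get-BitLockerSummary {
    # Win32_EncryptableVolume.ProtectionStatus: 0 = protection off, 1 = on, 2 = unknown.
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                  -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
        ForEach-Object {
            $status = switch ($_.ProtectionStatus) {
                0       { 'Off' }
                1       { 'On' }
                default { 'Unknown' }
            }
            [pscustomobject]@{
                Drive            = $_.DriveLetter
                ProtectionStatus = $status
            }
        }
}

$tpm = Get-TpmSummary
if ($tpm.Present) {
    "TPM present: spec $($tpm.SpecVersion); enabled=$($tpm.Enabled) activated=$($tpm.Activated) owned=$($tpm.Owned)"
} else {
    "No TPM detected (or it is disabled in firmware)."
}
Get-BitLockerSummary | Format-Table -AutoSize
```

A TPM that is present but not enabled or activated usually needs to be turned on in the firmware setup before BitLocker can bind the volume key to it; a volume showing ProtectionStatus "Off" is not encrypted, or has its protectors suspended, and should be treated as non-compliant with the encryption requirement above.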

 

Q: Is there a MDM registration enforcement date?

A: For devices that have or can access PHI and/or PII, the deadline is 2/28/2014

 

Audience (to whom does this apply)

Q: For staff checking email at home from their personal computers - do they have to follow the guidelines, or is webmail considered safe?

A: No, personal computers not on the Stanford network do not have to follow the guidelines.

If needed, the Stanford Secure Email service is designed for faculty and staff who need to use email to send Moderate or High Risk Data.  For more information visit the following link:

http://itservices.stanford.edu/service/secureemail

 

Q: I have personal information on my iDevice. Do I have to register with MDM?

A: Yes.  All University employees must comply with Endpoint Compliance requirements.  This includes personally-owned devices used on the Stanford Network, and personally-owned devices that could be used to access Protected Health Information (PHI) or other High Risk Data.

Reference Link:

http://www.stanford.edu/group/security/securecomputing/endpoint_com...

For privacy related information visit the following site:

https://itservices.stanford.edu/service/mobiledevice/management/pri...

 

Q: Do those new security rules also apply to student’s/professor’s personal computers?

A: Only if the computers and/or mobile devices have or can access PHI and/or PII.

 

Upgrade

Q: I have 4 XP machines. Do I have to pay to upgrade?

A: Qualified computers are eligible for Windows 7 Enterprise licenses under the current campus wide licensing agreement at no additional cost to the user. 

 

Q: Do I have to upgrade my virtual machine running Windows XP?

A: Yes, virtual machines are subject to all the same requirements.

 

Q: I use Windows XP at home to access my webmail, do I need to upgrade?

A: Personally owned machines used at home or on the wireless Stanford guest network are encouraged to follow these mandates, but are not required at this time.

 

Q: I have an expensive piece of research equipment that depends on a computer running XP.  Do I need to upgrade?

A: Stanford's Information Security Office will be handling exception requests. Follow the "Request a Compliance Variance" link from the Secure Computing website or click on this link: http://stanford.io/exempt

UPDATE: This provision of the security mandate has been placed on hold while the Faculty Privacy Council meets to review the policy.

 

Q: I run Linux as my desktop operating system. Do I need to do anything?

A: Linux systems are temporarily exempted until our encryption tools are available on this platform. All Linux systems should still back up their files.

 

Q: What do I do if I have software which runs on a XP machine and has no support going forward?

A: The mandate to migrate from Windows XP laptops and desktops will be suspended for devices that manage scientific instruments or run unique software applications that cannot be easily upgraded.

 

Q: I am buying a new device for business and personal use, do I get it configured now for the security upgrade or wait till later?

A: You should get your new device configured now for the security upgrade.

Computers:

Tivoli End-point Manager (BigFix) must be installed on University and personally owned systems that store or can access PII/PHI no later than May 28.

Identity Finder (IDF), which scans computer files to identify PII that a user may have downloaded unwittingly, will not be used except with specific consent of the individual whose files are being scanned.

Encryption - The requirement to encrypt laptop and desktop devices will remain with the following deadlines:

  • New University-owned laptops and desktops must be encrypted immediately following purchase
  • SWDE encryption must be in place on all University-owned and personally owned devices that store or can access PHI in any manner by February 28
  • SWDE must be in place on all devices storing more than 500 PII records by July 31, and with more than 10 PII records by November 30. PII belonging to the device user and family members, such as would be found on copies of an individual's tax return, will not be counted under this requirement.
  • With the exceptions of the devices that manage scientific instruments without PHI/PII, we will pursue a goal of having encryption in place on all laptops and desktops by May 31, 2015.

Mobile Devices: For devices that have or can access PHI and/or PII, the deadline to get the security upgrade is 2/28/2014

 

Security

Q: How do I protect confidential data on my laptop that is not Stanford based?  Is it exposed?

A: Yes, any computer that connects to the internet is exposed to threats. Encrypting your hard drive, using strong passwords, installing anti-malware, anti-spyware and anti-virus software, enabling a firewall, etc. can protect your computer and confidential data.


For more information on computer security, the Stanford Secure Computing website is a good start: http://www.stanford.edu/group/security/securecomputing/
Computer Security FAQ: http://www.stanford.edu/group/security/securecomputing/faq.html
Computer security myths: http://www.stanford.edu/group/security/securecomputing/securitymyths.html

 

Students

Q: What is available to me?

A: http://softwarelicensingstore.stanford.edu provides links under "Personal Purchase Software" that provide ONE copy of Windows 7, among other software.

 

Contact

Q: I have more questions.  Who do I contact?

A: Please send an email to soeithelp@stanford.edu or review our knowledgebase at http://soeithelp.stanford.edu
