- Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an endpoint storing Low Risk Data but used to access a High Risk application is designated as High Risk.
- Follow the minimum security standards in the table below to safeguard SaaS and PaaS.
Standards | What to do | Low Risk | Moderate Risk | High Risk |
---|---|---|---|---|
Product Selection | Follow the Stanford cloud solution selection workflow found at Choosing and Purchasing a Cloud Solution. | Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
Pre-implementation Planning | Follow the SaaS Considerations checklist. Follow the PaaS Considerations checklist. Follow the Security When Using a Cloud Product guidelines. | Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
Inventory and Asset Classification | Review and update department/MinSec Cloud inventory records quarterly. Must indicate associated risk classification, data volume estimates, and service ownership. | Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
Credential and Key Management |
| Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
Encryption |
| Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
Two-Step Authentication | If user login is not able to be integrated with Stanford SSO, enable two-factor authentication if offered by the solution. | Required for Moderate Risk Data | Required for High Risk Data | |
Logging and Auditing |
| Required for Moderate Risk Data | Required for High Risk Data | |
Data Management | Contractually ensure that Stanford data are purged upon termination of the agreement with accommodations as necessary to comply with any applicable regulatory obligations. | Required for Moderate Risk Data | Required for High Risk Data | |
Secure Admin Workstation | Administration consoles should only be accessed through a Privileged Access Workstation (PAW) or Cardinal Protect workstation when logging in with an administrative account. A PAW is required for ring0 access. Administrative accounts are defined as:
| Required for High Risk Data | ||
Security, Privacy and Legal Review | Follow the Data Risk Assessment process and implement recommendations prior to deployment. | Required for High Risk Data | ||
Regulated Data Security Controls |
| Required for High Risk Data |