Campus-wide Cybersecurity Initiative
April 30 marks the conclusion of a year-long, campus-wide initiative to better secure the university’s High Risk Systems and Data. The initiative focused on strengthening authentication mechanisms for our third-party vendors and gaining adoption of the Minimum Security Standards across all university-operated High Risk systems.
The year began with a collaborative effort to build an inventory of all High Risk systems currently in use — an investment that will pay ongoing dividends. This year’s initiative focused on the university’s internal IT operations, in contrast to previous years when the focus was on end-user devices.
IT teams throughout campus have worked diligently to improve the security posture of the systems they manage, prioritizing the High Risk ones.
“Cybersecurity is a continuous effort, and we recognize and appreciate the extra efforts made by our IT partners throughout campus this past year,” said Michael Tran Duff, Stanford’s Chief Information Security Officer.
In support of Minimum Security Standards adoption
Stanford’s Minimum Security Standards (MinSec) is a tiered set of standards for protecting Stanford’s Low, Moderate, and High Risk systems and data. To facilitate MinSec adoption, UIT implemented several enhancements, upgrades, and new offerings to support campus IT groups in these efforts. These include:
YubiKeys: Most users at Stanford are prompted for two-step authentication a few times per month. In contrast, our system administrators may be prompted numerous times per day as they log into multiple servers. To ease this burden, UIT has added YubiKey support and is now providing YubiKeys free of charge to system administrators upon request. YubiKeys are USB devices that directly enter a two-step code with the touch of your finger. To request a YubiKey, email ISO.
Approved Services: The Approved Services list, which indicates the classifications of data that are permitted on commonly used Stanford IT services, was updated to reflect changes over the past year. UIT provides laminated cards showing the university’s Risk Classifications and Approved Services, and broad distribution to Stanford personnel is encouraged. To request a set of cards, email ISO.
Stanford Information Security Academy: UIT will expand the Stanford Information Security Academy (SISA) offerings for those who have completed the first level course. Course dates for the remainder of 2017 are currently being scheduled and will be updated on the SISA website.
In the year ahead, while continuing to promote and support MinSec adoption across all Stanford systems, the Information Security Office will be turning its focus to improving user experience and expanding our intrusion detection capabilities.