Risk Classes & Security Standards
A new set of security classifications has been established and is now in effect for Stanford data and systems: Low Risk, Moderate Risk, and High Risk. The former framework - Prohibited, Restricted, Confidential, and Unrestricted - will be phased out by January 2016. The new classifications are simple, intuitive, focused on risk management, and aligned with federal security standards. Going forward, please use the new Low/Moderate/High Risk designations described at dataclass.stanford.edu.
Along with the new classifications, we are introducing a “top 10 list” style of minimum security standards for all university endpoints, servers, and applications. These were developed with input from faculty, researchers, and IT staff throughout campus and were specifically selected to be prescriptive, effective, and practical. The standards are tiered by the new Low/Moderate/High Risk levels and are enabled by the many new information security tools, services, and practices established over the last 18 months. We encourage you to begin adopting these standards, prioritizing your systems by risk level. As cybersecurity is a rapidly evolving field that continuously presents us with new challenges, these standards will be revised and updated accordingly. In time, these standards will become requirements codified in the Administrative Guide.
More information about the minimum security standards can be found at minsec.stanford.edu.