The Information Security Office (ISO) orchestrates efforts and provides services to protect the information assets that are important to Stanford.
In this modern age of data centricity and pervasive computing, information privacy and security are increasingly essential, yet increasingly elusive. What has become one of the greatest challenges of our time, information security is multifaceted and spans all elements of the Stanford enterprise. As such, ISO collaborates with partners throughout the university and supports more than 50 distinct services in order to maintain Stanford's comprehensive and leading cybersecurity program.
Pursuant to ISO's mission "to protect the information assets important to Stanford", information security is largely an exercise in risk management. Accordingly, ISO is deeply involved in the university's Enterprise Risk Management (ERM) effort, ensuring that Stanford’s top cybersecurity risks are identified and that mitigation plans are in place.
The Information Security Office dual reports into UIT and the Office of the Chief Risk Officer (OCRO). This structure enables ISO to work closely with IT while maintaining a strong connection with Privacy, Internal Audit, Enterprise Risk Management, Risk Management (insurance), and Ethics and Compliance.
Cybersecurity Governance, Risk and Compliance (GRC)
The Cybersecurity Governance, Risk and Compliance (GRC) team spearheads policy and procedure development in the university’s information security space. They provide oversight to security risk and compliance services, including Stanford’s Minimum Security Standards, General Data Protection Regulations (GDPR), Payment Card Industry Data Security Standard (PCI-DSS), and enterprise assessments and reviews. They also manage ISO’s education, awareness, and outreach programs, including Stanford Information Security Academy (SISA), Cybersecurity & Privacy Festivals, Phishing Awareness, and much more.
Cloud Security and Vulnerability Management (Cloud Sec)
The Cloud Security and Vulnerability Management (CloudSec) team leads the university's efforts to safeguard its cloud-based assets (IaaS, Paas, and SaaS). The team focuses on establishing a pragmatic cloud security strategy that centers on addressing current and emerging cybersecurity threats that can disrupt or harm our efforts to securely use the public cloud. Additionally, the team oversees vulnerability management, including the vulnerability disclosure program, Bug Bounty, and threat remediation.
In the near future, CloudSec will support identity access management, endpoint security, email security, and file storage security services.
Cybersecurity Engineering and Operations (SecOps)
This Cybersecurity Engineering and Operations team deploys security technologies and operates critical security systems. Their work includes custom development, detection engineering, process automation, technical consulting, alert triage, data engineering, technical investigation, threat intelligence, and much more.
School of Medicine IRT Security
Dual reporting into ISO and Stanford Health Care's Technology & Digital Solutions (TDS), the School of Medicine's security team provides specialized tools for SoM (e.g., AMIE and SUSI), firewall rule management, network anomaly monitoring, encrypted flash drives, annual onboarding for high risk communities (hospital residents and Med School trainees), and coordination for security activities with Stanford Medicine (SoM, SHC, and SCH).