Admin Guide Chapter 6 & IT Security Standards Updates
Overview
The Information Security Office (ISO) is updating Chapter 6 of the Stanford Administrative Guide to create a consolidated policy framework that establishes clear definitions, promotes uniform standards, and strengthens Stanford's overall security posture.
The current security content within the Admin Guide is outdated, fragmented, and inconsistent across schools and departments, and it fails to reflect modern practices, emerging threats, and the latest technologies. Terms such as standards, policies, procedures, and guidelines are often used interchangeably, adding to confusion and risk. These gaps increase the potential for data breaches, legal liabilities, and reputational harm.
The revised Admin Guide will provide a comprehensive, cohesive approach to information security, safeguarding university data assets and promoting a culture of security awareness and compliance.
Goals:
- Update out-of-date or non-existent policies
- Establish clear security standards across campus
- Introduce policies, standards, guidelines, & procedures
- Align with industry standards & ensure regulatory compliance
New structure and process
Policies
High-level statements of intent. Set organizational direction. (Mandatory)
Standards
Specific, measurable rules for consistency. Support policy and provide uniform benchmarks. (Mandatory)
Procedures
Explanations of how to follow standards and guidelines. (Mandatory)
Guidelines
Recommended practices. Offer flexibility and best practices. (Not Mandatory)
Learn more about security policies, standards, and guidelines
Timeline for updates
- Oct 2025, Phase 1: Assessment & Planning
  - Conduct a thorough assessment
  - Engage stakeholders
- July 2026, Phase 2: Development & Feedback Gathering
  - Draft/update Admin Guide & Standards
  - Solicit feedback
- Dec 2026, Phase 3: Communication & Education
  - Develop a communication plan
  - Implement an education program
- April 2028, Phase 4: Implementation
  - Roll out the updated Admin Guide & Standards
  - Provide support resources
- May 2028-ongoing, Phase 5: Monitoring & Continuous Improvement
  - Establish routine audits
  - Gather continuous feedback
Approach
| APPROACH | DURATION |
|---|---|
| Draft initial proposed updates (ISO and/or partners). | 1 week for each policy or standard |
| Gather feedback from identified stakeholders and appropriate groups. | 3-4 weeks for each policy or standard |
| Modify policies and standards based on feedback. | 1-2 weeks for each policy or standard |
| Receive sign-offs and approvals from the appropriate persons/groups. | 1-2 weeks for each policy or standard |
Current work in progress
Admin Guide
- Privacy and Information Security
- Information Security Incident Response
- Data Retention & Disposition (NEW by UPO)
- Digital Accessibility (DONE by SODA)
- Responsible Use of IT Resources
- IT Services
- Administrative Computing Systems
- Cloud Computing (NEW)
- Mobile Device Services
- Telecommunication Services
Security Standards
- Identity & User Credentials
- Application Development
- Authentication & Access Control
- Payment Card Industry Security
- Minimum Security
- Vulnerability Management
- Stanford Computer Security
- IT Logging and Management
- Stanford Password
- Security Awareness Training
- Third Party Tools
- IT Security Incident Response
- Data Disposition - Removal and Sanitization
- Data Retention
Compliance-Related Standards
- PCI-DSS
- HIPAA
- NIST 800-171
Research Policy Handbook
Updating 1.10: Information Security page
| Standard/Policy | Type | Review Status | Start Date | End Date |
|---|---|---|---|---|
| 6.1.2 Stanford Password | Standard | Completed | 2/14/2025 | 3/4/2025 |
| 6.1.2 Identity, User Credentials, and Authentication | Standard | Completed | 9/8/2025 | 9/26/2025 |
| 6.1.2 IT Logging and Management | Standard | Completed | 9/8/2025 | 9/26/2025 |
| 6.1.2 Minimum Security | Standard | In Progress | 10/23/2025 | 11/10/2025 |
| 6.1.2 Vulnerability Management | Standard | Not started | 10/27/2025 | 11/14/2025 |
| 6.1.2 Access Control | Standard | Not started | 11/3/2025 | 11/21/2025 |
| 6.1.2 Security Awareness Training | Standard | Not started | 11/20/2025 | 12/8/2025 |
| 6.1.2 Bring Your Own Device Security | Standard | Not started | 1/19/2026 | 2/6/2026 |
| 6.1.2 Application Development | Standard | Not started | 2/2/2026 | 2/20/2026 |
| 6.1.2 Third Party Tools | Standard | Not started | 3/2/2026 | 3/20/2026 |
Working together
Partner with us
To strengthen Stanford's security posture through this multi-year effort, we need your partnership. Within the next year, you may receive an invite to review draft materials.
We also welcome volunteers. If you see an opportunity to contribute, please let us know. We value your expertise and know it will help shape the final output.
ISO contacts
If you have questions or feedback, please reach out to Shawn Kim (shawnkim@stanford.edu) or Annie Stevens (ays@stanford.edu) at the university's Information Security Office for assistance.
