What does it mean to secure my service?
Securing your service means taking all reasonable actions necessary to ensure that your service and its underlying technology are secure and compliant throughout the service lifecycle.
Why do I need to secure my service?
Stanford University guidelines clearly state that data security is the responsibility of every Stanford employee. Staff with service roles, such as Service Owners, Service Managers, and Technical Operations Owners, have an additional level of responsibility to ensure that the services we provide to our clients are securely architected and managed throughout their lifecycle. By securing a service, we can prevent or mitigate data breaches that can have serious negative consequences, including consequences to our reputation and to the trust clients have placed in us. In addition, if a breach is found to have occurred through negligence, significant fines may apply and staff may be terminated for negligence.
How do I secure my service?
Identifying the Data Risk Classification of the data that will transit or be stored in your service is foundational to the service development, and impacts how you design the service and architect its underlying technology. This includes both services that are built and maintained on-premise by University IT technical staff, and brokered cloud services.
If your service supports data that is classified as High Risk, complete the Data Risk Assessment Pre-Screening Form as early in the service development phase as possible. Do not wait until you are ready to launch your service, because you may be required to modify some aspect of the service or technology, causing delays and increased costs. The DRA Pre-screening Assessment results will tell you whether you need to complete a Data Risk Assessment (DRA) and provide instructions on how to complete it. The DRA FAQ page contains more information on this process.
Securing your cloud service
In addition to selecting a cloud vendor whose service best fits your business requirements, the cloud service must also support the security of your data. As with an on-premise service, identify the data type that will either transit or be stored in the cloud service. This will inform the next steps. If your data may or does include Protected Health Information (PHI), you will also be required to work with vendor management to establish a Business Associate Agreement (BAA).
|I want to:||Here’s how:||When:||Who is responsible?|
|Identify the risk classification of my data||Stanford Data Risk Classifications||When gathering business requirements||Service Owner|
|Complete a Data Risk Pre-screening Assessment||Data Risk Assessment Pre-screening Form||As soon as you get the approval for the project/service development||Service Owner
|Complete a Data Risk Assessment intake form if required||DRA Intake Form||If notified by the DRA Pre-screening that a DRA is required||Service Owner
|Ensure Minimum Security compliance of the service technology||Minimum Security Standards||As soon as the vendor is selected||Service Manager