Skip to content Skip to site navigation Skip to service navigation

Securing Your Service

What does it mean to secure my service?

Securing your service means taking all reasonable actions necessary to ensure that your service and its underlying technology are secure and compliant throughout the service lifecycle.

Why do I need to secure my service?

Stanford University guidelines clearly state that data security is the responsibility of every Stanford employee. Staff with service roles, such as Service Owners, Service Managers, and Technical Operations Owners, have an additional level of responsibility to ensure that the services we provide to our clients are securely architected and managed throughout their lifecycle. By securing a service, we can prevent or mitigate data breaches that can have serious negative consequences, including consequences to our reputation and to the trust clients have placed in us. In addition, if a breach is found to have occurred through negligence, significant fines may apply and staff may be terminated for negligence.

How do I secure my service?

Identifying the Data Risk Classification of the data that will transit or be stored in your service is foundational to the service development, and impacts how you design the service and architect its underlying technology. This includes both services that are built and maintained on-premise by University IT technical staff, and brokered cloud services.

If your service supports data that is classified as Moderate or High Risk, complete the Data Risk Assessment (DRA) as early in the service development phase as possible. Do not wait until you are ready to launch your service, because you may be required to modify some aspect of the service or technology, causing delays and increased costs. For more information about DRAs and to launch the DRA tool, visit

Securing your cloud service

In addition to selecting a cloud vendor whose service best fits your business requirements, the cloud service must also support the security of your data. As with an on-premise service, identify the data type that will either transit or be stored in the cloud service. This will inform the next steps. If your data may or does include Protected Health Information (PHI), you will also be required to work with vendor management to establish a Business Associate Agreement (BAA).

I want to: Here’s how: When: Who is responsible?
Identify the risk classification of my data Stanford Data Risk Classifications When gathering business requirements Service Owner
Complete a Data Risk Assessment (DRA) As soon as you get the approval for the project/service development Service Owner
Service Manager
Ensure Minimum Security compliance of the service technology Minimum Security Standards As soon as the vendor is selected Service Manager
Operations Owner

Learn more about securing your service

Last modified May 14, 2024