[liberationtech] Next Phase of Stanford's Encryption Initiative
Yosem Companys
companys at stanford.edu
Fri Oct 16 17:15:11 PDT 2015
Dear Colleagues,
As you are all aware, information security remains a shared concern and
plays an important part in protecting university assets and personal
privacy. To strengthen this protection, in January 2014 the university
established a requirement to verifiably encrypt all employee Windows and
Macintosh laptops/desktops used on the campus network by May 31, 2015 (with
limited exceptions for special research equipment). More than 24,000 of
these computers are now encrypted, and I deeply appreciate your
participation in this effort.
The theft and loss of devices has been (and will continue to be) a common
occurrence, and if these devices are not encrypted, the consequences to the
university can be highly time-consuming and expensive. Fortunately, modern
encryption technology provides robust protection for both Stanford data and
personal information, with virtually no downside.
WHAT'S NEW?
We are now entering the next phase of the encryption initiative where we
are: 1) requiring verifiable encryption of Apple and Android mobile devices
that are used by employees on the campus network; and 2) restricting access
to the campus network from unencrypted laptops, desktops, and mobile
devices that are subject to the requirements. This phase will be rolled
out over the next few months. With more than 12,000 employee mobile
devices already verifiably encrypted using AirWatch (Stanford's mobile
device security solution), we are well on the way to completion on the
mobile front.
WHAT SHOULD I DO FIRST?
As an important first step, please visit our new "My Devices" website (
mydevices.stanford.edu) to see a list of the computers that Stanford's
records indicate are currently associated with you, along with their
compliance statuses. If you see a device that is no longer in use or no
longer associated with you, simply click the "Remove" button. You can find
more information about each device by clicking on the link in the Model
column.
WHAT HAPPENS NEXT?
On October 20, we will begin a rolling deployment of the mobile device
encryption requirement and the unencrypted laptop/desktop/mobile device
network restrictions, progressively including all employees over several
months. When your time comes, we will notify you by email, and you will
have a 30-day grace period to encrypt any non-compliant devices. A 30-day
grace period also applies to any new devices as well as those that fall out
of compliance. We will send you weekly reminders listing these
non-compliant devices and the remaining grace period days for each. The
emails will refer you to My Devices and our Encryption website (
encrypt.stanford.edu) for instructions explaining what to do and how to get
help if needed.
WHAT'S NOT NEW?
Visitors to Stanford and employees with personal devices not used for
Stanford business can use the guest wireless network without having to meet
the encryption requirements. Meanwhile, the long-standing University
policy to verifiably encrypt all devices storing HIPAA and other High Risk
data (dataclass.stanford.edu), regardless of ownership or where they are
used, remains unchanged. In special cases where specific research
computing systems cannot be encrypted and no High Risk data is involved,
exceptions can be requested.
The tools provided to assist you in the encryption process and subsequently
periodically verify the compliance status of your devices have long been in
use at Stanford, and we are committed to full transparency regarding the
operation of these systems. VLRE, one of the newer tools developed
in-house, is an encryption verification option for laptops and desktops
where High Risk data is not involved. To validate its functionality, the
source code was reviewed by Stanford's Computer Science department. You
can find information about what data is collected by SWDE/BigFix at
https://itservices.stanford.edu/service/bigfix/retrieved_properties, VLRE
at https://itservices.stanford.edu/service/vlre/privacy, and AirWatch at
https://itservices.stanford.edu/service/mobiledevice/management/privacy.
We specifically do not collect user content (email, calendar events,
contacts, instant messages, personal files, etc.), passwords, or GPS
location information from devices using these tools.
WHERE CAN I FIND MORE INFORMATION?
Your starting point for information security is security.stanford.edu,
where you can quickly find links to the My Devices and Encryption websites
along with a copy of this memo.
Thank you for supporting this important privacy and security initiative.
Sincerely,
Randy Livingston
VP of Business Affairs