Skip to content

Risk Classification

Whenever you need to deploy documentation, a tool, or a site, you need to consider the Stanford Security Standards and ensure that your application, tool, or resource meets all requirements.

Stanford Minimum Security Requirements

We take security very seriously at Stanford. You should not deploy an application that you are unsure about the risk level. Low and medium risk must comply with Stanford Security Standards. High risk data must always be approved in advance. Read the sections below for more details.

Low or Moderate Risk

For the low or moderate risk levels, if you are deploying something on your own you don’t need strict approval, although we do suggest recruiting multipe parties to look over the deployment to be extra sure that you’ve categorized it correctly and not missed any detail. However you do need to ensure that:

These rules apply to anyone at Stanford who is deploying local or cloud infrastructure. Whether you are faculty, staff, or student, the rules apply for you.

High Risk

For high risk data, you are not allowed to deploy resources, services, or any kind of infrastructure on your own. These projects that use high risk data or resources have a formal ISO and Privacy review that must be completed. Please submit a help request to ISO if you have any inquiries, or ask us at RSE Services.