Best Practices

  1. Remain Current with Cybersecurity Practices
  2. Install Anti-virus Software
  3. Update and Patch Operating System
  4. Know Your Data’s Risk Level
  5. System Authentication and Security
    • Use strong passwords
    • Social Security numbers must not be used as primary or secondary identifiers
    • Restrict user permissions
    • Lock workstations or use password-protected screen savers when users are away
    • For secure remote access to university computer systems from off-campus, use Virtual Private Networking (VPN)
  6. Data Backup Options
  7. Data Encryption
  8. Conduct a Data Risk Assessment (DRA)

Ensure all systems and services that process high risk data follow the Stanford Minimum Security Standards found at and follow Privacy best practices that have been articulated (in draft format) at

Data Risk Assessment

The DRA process should start with the pre-screening form (step 1 at If the pre-screen says that no DRA is required, any staff can still request a consultation from either the Privacy Office or Information Security Office directly. ( or For high risk data, if there are no non-Stanford processors of the data and the platform is listed as approved for high risk data at the following website, then generally a DRA is not required.