January 17, 2018
The following policy documents have been approved and are now posted on the Policies & Procedures Website. These policy documents are in effect as of their listed “Revision Date.” The review process included discussions with the process owners and end users to incorporate their suggestions into these documents, as well as a 30-day draft period for comments from the community.
The following documents are new and available for review:
1604 Data Classification Policy
1604 PR.01 Data Classification Procedure
The following documents have been revised and are available for review:
1000 Development, Revision, and Posting of University Policies, Procedures, and Forms
1000 PR.01 Creating and Revising University Policies, Procedures, and Forms
1000 FR.01 Policy Proposal
Highlights are below:
Policy 1604 Data Classification
Not all cybersecurity risks are equal. Areas of greater risk require more protection and oversight, whereas it is reasonable to require less protection for areas of lower risk. Such a stratification by risk tier allows for a more efficient use of limited resources to safeguard sensitive data and critical IT infrastructure.
To begin incorporating the above concept into Yale’s information security posture, Yale Policy 1604 defines three data classification tiers, ranked by risk to the University: High, Moderate, and Low.
- “High” includes data requiring the most protection such as data covered by Federal, State, or other compliance regulations or contractual obligations.
- “Moderate” includes data which is not public and requires protective measures, but the level of risk does not justify the level of protection afforded to data in the High tier.
- “Low” includes public data which should be available and accurate but does not require stringent data protection.
Each data classification tier includes a minimum security standard for that tier. The minimum security standard outlines the minimum protective measures appropriate for data in that tier, addressing confidentiality, integrity, and availability requirements. The minimum security standards for the three tiers will evolve along with the changing cybersecurity threat landscape. Included is also a list of pre-packaged on-premise and cloud IT services which meet the minimum security requirements for one or more classification tiers.
Policy 1000 Drafting, Revising, and Posting University Policies, Procedures, and Forms
This policy has been updated from its previous version (formerly Policy 1503 Development or Revision and Posting of University Policies, Procedures and Forms) to foster a uniform and predictable process that maximizes stakeholder input and community accessibility. Key updates include the following:
- the development process includes a new, standard form for proposing policies (Form 1000 FR.01 Policy Proposal);
- the process includes a detailed outline of the drafting and review phases of policy development;
- the policy establishes procedures for policy review by the business operations community (in the form of the Operating Group), the formal Policy Review Committee (as defined in the policy), and the community at large;
- the policy establishes a five-year review cycle to ensure that University policies are current and accurate;
- new documents related to the policy are: 1) Procedure 1000 PR.01 Creating and Revising University Policies, Procedures, and Forms; and 2) Form 1000 FR.01 Policy Proposal.
Always check the Policy website for the latest revisions of all documents. This will ensure you that are utilizing the most up-to-date version.