1610 Systems and Network Security

Responsible Official: 
Chief Information Officer
Chief Privacy Officer
Responsible Office: 
Office of the Provost
Effective Date: 
April 20, 2005
Revision Date: 
December 14, 2020

Policy Sections

1610.1 Use and Configuration of Computing or Communication Systems

1610.2 Remote Access for Individuals Not Affiliated with Yale University

1610.3 Access Control

1610.4 Multi-Factor Authentication

1610.5 Deprecated and Unsupported Operating Systems

1610.6 Policy Violations

Scope

This policy establishes IT security requirements for faculty, students, staff, trainees, and other individuals who use computing or communications Systems during their work at Yale University.  This includes Systems used on-campus as well as from remote locations, such as home, hotels and other off-campus locations.

The mandatory IT security requirements for faculty, students, staff, trainees, and others in Yale’s HIPAA Covered Components are described in HIPAA Security Policy 5100.  This Policy 1610 and related procedures do not apply to these individuals.  Instead, all faculty, students, staff, trainees, and others in Yale’s HIPAA Covered Components must refer to HIPAA Security Policy 5100 for more information.

Policy Statement

This policy defines University standards for managing computing and communications Systems and access to Yale University’s data network and electronic data resources.  All Confidential Information including electronically stored information must be protected in a manor commensurate with its sensitivity, value and criticality; this includes protecting computing and communications Systems containing that data accordingly.  Safeguards regarding confidentiality and privacy of Yale information apply equally at on-campus locations and at any remote location.  Procedures associated with this policy establish currently appropriate required and best practices for managing computing and communications Systems and network access.

The University may, at any time, change any or all of the conditions under which any individual is granted computing or communications Systems or data network access privileges and may terminate such privileges at any time.

Reason for the Policy

Sound business practice as well as compliance with regulations requires appropriately protecting the confidentiality, integrity and availability of Yale electronic information.  The efficiency of conducting Yale business depends on minimizing the impact of information security vulnerabilities.

Definitions

Data Network Access

The use of a communication System to communicate or exchange data among two or more Systems by any means including both wired and wireless network access.

Deprecated and Unsupported Operating Systems

Operating systems where the vendor or manufacturer no longer provides technical support, security patches, or system upgrades and where the support has not been offered for 1 or more years.  A list of these operating systems will be kept on the ITS website: [List of Deprecated and Unsupported Operating Systems: Windows by major OS version and patch level; Mac by OS version; Linux and Unix by kernel version and build number; Mobile OS by OS type and major version number. Instructions will need to be provided for finding this information on each OS.]

Remote Access

Any access to a device on the Yale University data network through a non-Yale controlled network, device, or medium, for example by DSL, cable modem or dial-up connection.

Policy Sections

1610.1 Use and Configuration of Computing or Communication Systems

Any individual who uses a computing or communications System to create, store, access, transmit or receive Yale related information is responsible for protecting that information in a manner commensurate with its sensitivity, value, and criticality (data classification).  Yale Data is classified as High, Moderate, or Low risk using Policy 1604 Data Classification Policy.  Yale’s Minimum Security Standards and other appropriate procedures regarding confidentiality and privacy of information are to be followed at all times regardless of location on or off-campus.  Appropriate procedures are detailed in Procedure 1610 PR.01 Systems and Network Security.

Damage to, loss, or unauthorized disclosure of any Yale University physical or information assets must be promptly reported to the employee’s immediate supervisor and the cognizant administrative head.  Any incident where sensitive data is thought to have been compromised must be reported to the University Information Security Office (“ISO”).

Individuals who are granted access to Yale’s Systems including the data network, whether from on-campus or via Remote Access, are responsible for protecting against the loss, damage or compromise of Yale University physical and electronic information assets.

1610.2 Remote Access for Individuals Not Affiliated with Yale University

Individuals not associated with the University (vendors/contractors, research collaborators) with remote access privileges must utilize a secure access method.  Non-Yale vendors/contractors with Data Network Access privileges must utilize a secure method for access that provides equivalent or better security as that of a University Virtual Private Network connection and be able to provide documentation of those methods.

1610.3 Access Control

Access to University data, information and systems that is not intended for unrestricted public access requires authentication.

CAS with multi-factor authentication (CAS+MFA) is the University’s preferred authentication method.  For authentication to desktop environments (desktops, laptops and workstations), Microsoft Active Directory authentication with multi-factor authentication (AD+MFA) is the University’s preferred interactive logon method.

Standards for creating and maintaining University identity accounts used in access control can be found in the following document:

1610.4 Multi-Factor Authentication

Multi-factor authentication (MFA) is required when accessing University systems that require authentication and where it is technically feasible to integrate the systems with Yale’s multi-factor authentication service provider(s).

  • MFA is required for all cloud service administration.
  • MFA is required for all server administration
  • MFA is required for all network infrastructure administration
  • MFA is required for all Database administration
  • MFA is required for all IAM/IDM administration (e.g. user account and group administration)
  • MFA is required login into all information security computers (network security appliances, SaaS security services, etc.).

1610.5 Deprecated and Unsupported Operating Systems

Devices running deprecated and unsupported operating systems will be denied access to the Yale network or Internet.

IT support for these devices will not be provided absent a University Information Security Office (“ISO”) exception.

1610.6 Policy Violations

Alleged violations of this Policy will be pursued in accordance with the appropriate disciplinary procedures, as outlined in the Faculty Handbook and the Staff Personnel Policies and Practices Manual, and other applicable materials.  Staff members who are members of University-recognized bargaining units will be disciplined for violations of this Policy in accordance with the relevant disciplinary provisions set forth in the agreements covering their bargaining units.

Roles & Responsibilities

Office of the Provost

  • Responsible for University compliance issues including HIPAA.

Office of General Counsel

  • Interprets HIPAA regulations; reviews and approves all HIPAA related contracts including contracts with Business Associates or for research contracts.

Chief Information Officer

  • Individual responsible for planning, development, evaluation, and coordination of University information and technology systems.

University Chief Information Security Officer

  • Individual responsible for overseeing information security and ensuring compliance with security requirements of HIPAA

Procurement Office

  • Identifies Business Associates and ensures appropriate contracts in place.

Office of Sponsored Projects

  • Responsible for negotiating data use agreements and research related contracts.

Institutional Review Boards (HIC, HSC, HSRRC)

  • Responsible for review and approval of waivers of authorization for research purposes.

Please also refer to the comprehensive summary of HIPAA Security Roles and Responsibilities provided within Policy 5100 Electronic Protected Health Information Security Compliance.