1604 Data Classification Policy
Policy Sections
1604.2 Minimum Security Standards
1604.3 Responsibilities of All Data Users
1604.4 Enforcement and Discipline
Scope
This policy applies to all Yale Data (as defined below) and all Yale faculty members, students, staff members, trainees, volunteers, agents, contractors, and any person to whom Yale has provided a network access identity.
Policy Statement
Yale seeks to maintain its Data in a manner that achieves the following goals:
- Confidentiality: Confidentiality requires that Data be kept secure and protected from disclosure to and access by unauthorized persons.
- Integrity: Integrity requires keeping Data secure, protecting their authenticity, protecting them from improper modification or destruction, and preserving the ability to prove that a given individual created given Data.
- Availability: Availability requires ensuring timely and reliable access to Data.
This Policy establishes a system for classifying Data according to their sensitivity and their importance to the functioning of the University, and it imposes two over-arching requirements: First, the Information Security Office (“ISO”) must devise Minimum Security Standards (“MSS”) for each class of Data and help members of the Yale community implement those or higher standards. Second, members of the Yale community entrusted with Yale Data must understand and apply the Minimum Security Standards (“MSS”) and be alert to circumstances in which additional security measures might be warranted.
Reason for the Policy
This Policy and related policies and procedures are intended to ensure that members of the Yale community give proper consideration to the sensitivity and institutional importance of the Data that they create, store, and transmit, so that Yale is better able to protect the confidentiality, integrity, and availability of its Data and ensure compliance with the law.
Definitions
Data Users
Yale faculty members, students, staff members, trainees, volunteers, agents, contractors, and any person to whom Yale has provided a network access identity.
Data
Information gathered and preserved for reference or analysis. Data include information used in teaching, research, and administration, and they may be preserved in any medium, including, but not limited to, electronic files, paper documents, or film. Data include originals, as well as all backup and duplicate copies.
Yale Data
Yale Data are (i) Data created or received by Data Users while acting on behalf of Yale, or (ii) Data created or received by Yale students or trainees while providing a service to Yale or to others as part of their education or training. Yale Data do not include intellectual property which by law or by Yale’s copyright or other policies is owned, licensed, or otherwise legally controlled by a Data User.
Policy Sections
Data Classifications: Yale has created a classification system that divides Yale Data into three types, depending on their importance, sensitivity, and potential for misuse:
A. High Risk Data: Yale Data are classified as High Risk if (i) they could be exploited for criminal or other wrongful purposes and Yale is obligated by statute or regulation to keep them confidential; (ii) Yale is contractually obligated to keep them confidential; (iii) they identify an individual and would customarily be shared only with the individual’s family, doctor, lawyer, or accountant; or (iv) they are critical to Yale’s ability to perform one of its essential academic, health care, or business functions and cannot be replaced easily with backup copies.
Examples:
- Personally identifiable patient and human subject information;
- Social Security, driver’s license, state identification card, and passport numbers;
- Credit card and bank account numbers;
- Export controlled information under U.S. laws;
- Confidential information about Yale donors;
- Databases used for payroll, tax, health care, and other critical functions;
- Information or systems related to health, life, or safety;
- Information pertaining to animal research protocols and researchers;
- A user name (e.g., Yale NetID) or email address in combination with a password or security question and answer that would permit access to an online account.
B. Moderate Risk Data: Yale Data are classified as Moderate Risk if they are not High Risk and (i) they are not available to the public; or (ii) the loss of their confidentiality, integrity, or availability could cause limited harm to Yale’s mission, safety, finances, or reputation.
Note: If any Data in a dataset or file contain Data attributes or combinations of attributes that are defined as High Risk, the dataset must be treated as High Risk.
Examples:
- Non-public, University-owned research Data not considered High Risk;
- Student and applicant Data;
- Employment applications and personnel files;
- Non-public contracts;
- Internal memos and email, non-public reports, budgets, plans, and financial information;
- Engineering, design, and operational information regarding Yale infrastructure.
C. Low Risk Data: Yale Data are classified as Low Risk if they are not Moderate or High Risk and (i) Yale chooses or is required to disclose them to the public, or (ii) the loss of their confidentiality, integrity, or availability would cause no harm to Yale’s mission, safety, finances, or reputation.
Examples:
- Information that Yale has made available to the public on its website;
- Policy and procedure manuals designated by Yale as public;
- Job postings;
- Yale directory information not designated by the individual as “private”;
- Information in the public domain;
- Publicly available campus maps;
- Research Data (barring any publication restrictions and at Data owner’s discretion).
For each of the three Data Classifications enumerated in 1604.1, the University has established Minimum Security Standards (“MSS”) that must be applied.
The minimum standards for each Data Classification can be found here: Minimum Security Standards (“MSS”).
Data Users, in consultation, if necessary, with their supervisors, must (i) understand Yale’s Data classifications; (ii) consider how these classifications apply to the Yale Data under their control; (iii) implement the Minimum Security Standards (“MSS”) for each classification, with the assistance, if necessary, of Information Security Policy and Compliance (“ISPC”); and (iv) consult with ISO regarding circumstances that may warrant the application of higher security standards.
In case of an alleged or suspected violation of this Policy, Yale reserves the right to examine Yale Data and Yale computer systems in accordance with the Information Technology Appropriate Use Policy or other applicable policies. By creating or receiving Yale Data on computer systems that are not owned by Yale (including personally owned devices), Data Users acknowledge Yale’s right to examine those systems.
Alleged violations of this Policy by faculty or staff members will be pursued in accordance with the appropriate disciplinary procedures, as outlined in the Faculty Handbook, the Staff Workplace Policies, , and other applicable materials, and discipline may be imposed, up to and including termination. Staff members who are members of University-recognized bargaining units may be disciplined for violations of this Policy, up to and including termination, in accordance with the relevant disciplinary provisions set forth in the agreements covering their bargaining units. Alleged violations of this Policy by students or trainees will be pursued in accordance with the appropriate disciplinary procedures of their schools or programs, and discipline may be imposed, up to and including withdrawal from the University.
Special Situations / Exceptions
Exceptions to this Policy must be approved by the Chief Information Security Officer, or designee. To request an exception, visit the Yale Information Security Requests page.
Roles & Responsibilities
Information Security Office (“ISO”)
The Information Security Office (“ISO”) is responsible for (i) developing Minimum Security Standards (MSS) for each Data classification; (ii) helping Data Users to understand and comply with the minimum standards and respond to circumstances in which higher standards may be required; and (iii) working with the responsible administrators to enforce the appropriate standards.