1610 Systems and Network Security
This policy establishes IT security requirements for faculty, students, staff, and other individuals who use computing or communications Systems during the course of their work at Yale University. This includes Systems use on-campus as well as from remote locations, such as home, hotels and other off-campus locations.
The mandatory IT security requirements for faculty, students, staff, trainees, and others in Yale’s HIPAA Covered Components are described in HIPAA Security Policy 5100. This Policy 1610 and related procedures do not apply to these individuals. Instead, all faculty, students, staff, trainees, and others in Yale’s HIPAA Covered Components must refer to HIPAA Security Policy 5100 for more information.
This policy defines University standards for managing computing and communications Systems and access to Yale University’s data network and electronic data resources. All Confidential Information including electronically stored information must be protected in a manor commensurate with its sensitivity, value and criticality; this includes protecting computing and communications Systems containing that data accordingly. Safeguards regarding confidentiality and privacy of Yale information apply equally at on-campus locations and at any remote location. Procedures associated with this policy establish currently appropriate required and best practices for managing computing and communications Systems and network access.
The University may, at any time, change any or all of the conditions under which any individual is granted computing or communications Systems or data network access privileges and may terminate such privileges at any time.
Reason for the Policy
Sound business practice as well as compliance with regulations requires appropriately protecting the confidentiality, integrity and availability of Yale electronic information. The efficiency of conducting Yale business depends on minimizing the impact of information security vulnerabilities.
Data Network Access is the use of a communication System to communicate or exchange data among two or more Systems by any means including both wired and wireless network access.
Deprecated and Unsupported Operating Systems – are operating systems where the vendor or manufacturer no longer provides technical support, security patches, or system upgrades and where the support has not been offered for 1 or more years. A list of these operating systems will be kept on the ITS website: [List of Deprecated and Unsupported Operating Systems: Windows by major OS version and patch level; Mac by OS version; Linux and Unix by kernel version and build number; Mobile OS by OS type and major version number. Instructions will need to be provided for finding this information on each OS.]
Remote Access is any access to a device on the Yale University data network through a non-Yale controlled network, device, or medium, for example by DSL, cable modem or dial-up connection.
Any individual who uses a computing or communications System to create, access, transmit or receive Yale related information is responsible for protecting that information in a manner commensurate with its sensitivity, value, and criticality. Appropriate procedures regarding confidentiality and privacy of information are to be followed at all times regardless of location on or off-campus. Appropriate procedures are detailed in the Systems Security procedure referenced below under Procedures.
Damage to, loss, or unauthorized disclosure of any Yale University physical or information assets must be promptly reported to the employee’s immediate supervisor and the cognizant administrative head. Any incident where sensitive data is thought to have been compromised must be reported to the ISO.
Individuals who are granted access to Yale’s Systems including the data network, whether from on-campus or via Remote Access, are responsible for protecting against the loss, damage or compromise of Yale University physical and electronic information assets.
Individuals not associated with the University (vendors/contractors, research collaborators) with remote access privileges must utilize a secure access method. Non-Yale vendors/contractors with Data Network Access privileges must utilize a secure method for access that provides equivalent or better security as that of a University Virtual Private Network connection, and be able to provide documentation of those methods.
Access to University data, information and systems that is not intended for unrestricted public access requires authentication.
CAS with multi-factor authentication (CAS+MFA) is the University’s preferred authentication method. For authentication to desktop environments (desktops, laptops and workstations), Microsoft Active Directory authentication with multi-factor authentication (AD+MFA) is the University’s preferred interactive logon method. In applications, services and system integrations where CAS is unavailable or is not an appropriate authentication method, at a minimum, the selected alternate authentication method must meet the security standards outlined for CAS in Procedure 1601 PR.02 [should be renumbered to 1610 PR.X].
Standards for creating and maintaining University identity accounts used in access control can be found in the following document:
- Procedure 1601 PR.08, Sponsored Identity Access
Multi-factor authentication (MFA) is required when accessing University systems that require authentication and where it is technically feasible to integrate the systems with Yale’s multi-factor authentication service provider(s).
- MFA is required for all cloud service administration.
- MFA is required for all server administration
- MFA is required for all network infrastructure administration
- MFA is required for all Database administration
- MFA is required for all IAM/IDM administration (e.g. user account and group administration)
- MFA is required login into all information security computers (network security appliances, SaaS security services, etc.)
Devices running deprecated and unsupported operating systems will be denied access to the Yale network or Internet.
IT support for these devices will not be provided absent an Office of Information Security, Policy and Compliance (OISPC) exception.
Alleged violations of this Policy will be pursued in accordance with the appropriate disciplinary procedures, as outlined in the Faculty Handbook and the Staff Personnel Policies and Practices Manual, and other applicable materials. Staff members who are members of University-recognized bargaining units will be disciplined for violations of this Policy in accordance with the relevant disciplinary provisions set forth in the agreements covering their bargaining units.
Roles and Responsibilities
Office of the Provost
Responsible for University compliance issues including HIPAA
Office of General Counsel
Interprets HIPAA regulations; reviews and approves all HIPAA related contracts including contracts with Business Associates or for research contracts
Chief Information Officer
Individual responsible for planning, development, evaluation, and coordination of University information and technology systems
University Information Security Officer
Individual responsible for overseeing information security and ensuring compliance with security requirements of HIPAA
· Deputy Privacy Officer, Department of Psychology Clinics
Identifies Business Associates and ensures appropriate contracts in place
Grants & Contracts Administration
Responsible for negotiating data use agreements and research related contracts.
Institutional Review Boards (HIC, HSC, HSRRC)
Responsible for review and approval of waivers of authorization for research purposes.
Please also refer to the comprehensive summary of HIPAA Security Roles and Responsibilities provided within Policy 5100 Electronic Protected Health Information Security Compliance.