1610 Systems and Network Security

Responsible Official: 
Vice President for Technology & Campus Services and the Chief Privacy Officer
Responsible Office: 
Office of the Chief Information Officer
Effective Date: 
April 20, 2005
Revision Date: 
November 26, 2024

Policy Sections

1610.1 Use and Configuration of Systems Using the Yale University Network

1610.2 Access Control

1610.3 Policy Violations

Scope

This policy establishes Information Technology (“IT”) security requirements for faculty, students, staff, trainees, and other individuals (“Yale Community”) who use computing or communications systems (“systems”) to conduct Yale University business. This includes systems used on campus as well as from remote locations such as home, hotels, and other off-campus locations that access the Yale network through a Virtual Private Network (“VPN”).

Policy Statement

This policy defines University standards for managing systems as well as access to Yale University’s data network and electronic data resources. All confidential information, including electronically stored information, must be protected in a manner commensurate with its sensitivity, value, and criticality. (For additional guidance on how the University classifies data, please refer to Policy 1604 Data Classification Policy.) Managing network security also includes protecting the systems that contain that data accordingly. Safeguards regarding the confidentiality and privacy of Yale information apply equally to on-campus locations and to any remote location.

The related Procedure 1610 PR.01, Disposal of Obsolete Computers and Peripherals, establishes required and best practices for properly disposing of obsolete devices.

The University may, at any time, change any or all the conditions under which any individual is granted systems or data network access privileges and may terminate such privileges at any time.

Reason for the Policy

Sound business practice, as well as compliance with regulations, requires appropriately protecting the confidentiality, integrity, and availability of Yale electronic information. The efficiency of conducting Yale business depends on minimizing the impact of information security vulnerabilities.

Policy Sections

1610.1 Use and Configuration of Systems Using the Yale University Network

Any device that connects to the Yale University Network must apply the Network Terms of Service (“NTOS”). This applies to any device, independent of its location or ownership, including but not limited to:

  • Personally owned devices, such as:
    • Computers (e.g., laptops, desktops); and
    • Mobile devices (e.g., smartphones and tablets)
  • Any addition to the network infrastructure.

Certain devices are not permitted on the Yale University Network, including, but not limited to:

  • Dynamic Host Configuration Protocol (“DHCP”) servers;
  • Private Wi-Fi access points; and
  • Private Internet provider circuits.

Devices connecting to Yale’s guest Wi-Fi networks do not need to apply the NTOS.

In addition to everything outlined in the NTOS, use of the Yale network is governed by University Policy 1607 Information Technology Appropriate Use Policy and other applicable policies and procedures.

Requests for exceptions to the NTOS may be submitted via the Information Security exception request form.

1610.2 Access Control

Access to University data, information, and systems that are not intended for unrestricted public access requires authentication.

Single Sign On (“SSO”) with multi-factor authentication (SSO+MFA) is the University’s approved authentication method. Requirements for authentication can be found in Yale’s Minimum Security Standards: Yale-MSS-9: Authentication and Authorization.

Standards for creating and maintaining University identity accounts used in access control can be found in the following documents:

1610.3 Policy Violations

Violations of this Policy will be pursued in accordance with the appropriate disciplinary procedures, as outlined in the Faculty Handbook, the Staff Personnel Policies and Practices Manual, or other applicable materials. Staff members who are part of University-recognized bargaining units will be disciplined for violations of this Policy in accordance with the relevant disciplinary provisions set forth in the agreements covering their bargaining units.

The Information Security Office (“ISO”) is charged with detecting and reviewing failures to meet and maintain this policy. Corrective action may be taken up to and including blocking offending devices from the network.

Roles & Responsibilities

Chief Information Officer

  • Responsible for planning, development, evaluation, and coordination of University information and technology systems.

Chief Information Security Officer (“CISO”)

  • Oversees information security and ensures compliance with security requirements of applicable regulations as well as state, federal, and international law.

Chief Privacy Officer

  • Responsible for ensuring compliance with regulatory requirements related to data privacy and facilitating a culture respectful of data subjects’ rights and privacy expectations.

Institutional Review Boards (“IRB”)

  • Reviews and approves waivers of authorization for research purposes.

Office of General Counsel (“OGC”)

  • Interprets relevant privacy and security regulations.

Office of Sponsored Projects (“OSP”)

  • Responsible for negotiating data use agreements and research-related contracts.

Please also refer to the comprehensive summary of HIPAA Security Roles and Responsibilities provided within Policy 5100 Electronic Protected Health Information Security Compliance.