1604 PR.01 Data Classification Procedure
2. Determine Data Classification
3. Secure Devices Based on Minimum Security Standards
4. Confirm Application Security Compliance
5. Changes in Access to Data Security Levels
6. Unintentional Data Access and Remedy
Yale University requires all University Data Users who have access to and responsibilities for Yale Data to manage them according to the rules regarding storage, disclosure, access, classification, and minimum privacy and security standards, as set forth in Policy 1604 Data Classification Policy. The University seeks to preserve and dispose of its data in a manner that achieves the goals of confidentiality, integrity, and availability. This procedure addresses the proper practices for Data Users and the security of data under their control.
Yale has created a classification system that divides Yale Data into three types, depending on their importance, sensitivity, and potential for misuse. Refer to Policy 1604 Data Classification Policy for definitions and examples of High Risk Data, Moderate Risk Data, and Low Risk Data.
All Data Users are responsible for understanding Yale’s data classifications, applying the classifications to the Yale Data under their control, and implementing the Minimum Security Standards (MSS) for each classification.
Departments should assist Data Users within the department in understanding the security level of data to which the Data User has and will require access.
Questions about particular data and the applicable classification should be directed to Information Technology Services (ITS). Please contact the ITS Help Desk at 203-432-9000 with any questions.
Once the Data User has determined, in consultation with his/her department, the classification of data to which he/she has access, all devices through which the Data User will access Yale Data should be configured to meet the appropriate Minimum Security Standards (MSS). Data Users should contact the ITS Help Desk at 203-432-9000 to ensure the proper configuration of their devices.
All applications that create, access, store, or transmit Yale Data must be approved for the data classification they utilize. All Data Users are responsible for ensuring the applications they use in conjunction with Yale Data are approved for the data’s classification level. A list of approved applications for each data classification can be found here: Yale Approved Services.
Applications not appearing on the list of approved applications may not be used in conjunction with Moderate Risk or High Risk Data unless the Yale Information Security Office first completes a Security Design Review (SDR) and approves the application. Information about initiating an SDR can be found here: Security Design Review Process.
If a Data User’s role changes in such a way that he/she will require access to a higher level of secure data, the Data User should contact the ITS Help Desk at 203-432-9000 to receive guidance and assistance in appropriately elevating any necessary security measures. Every Data User is responsible for ensuring the appropriate level of security for the data they use. Contacting ITS is the surest way to ensure compliance with the policy.
Although compliance with Policy 1604 Data Classification Policy and this procedure will minimize incidents, it is possible that Data Users may occasionally and unintentionally access Yale Data in a classification level above their usual security level. In such instances, Data Users should contact their supervisor to confirm whether there is a business justification for accessing the higher classification of data. If the Data User does not require access to this classification of data, the Data User is responsible for contacting the ITS Help Desk to ensure proper removal and incident tracking. If the Data User does require access to this classification of data, the Data User should contact the ITS Help Desk at 203-432-9000 to configure his/her devices for the appropriate level of data security.
In general, all Yale Data Users must comply with the standards set forth in Policy 1604 Data Classification Policy and this procedure. If a Data User believes he/she has a valid business justification for an exception to the standards, the Data User should submit an Exception Request to the Information Security Office. Data Users may not deviate from the standards unless and until the Information Security Office approves the exception request.