Protect your data

Good data security is about more than confidentiality - it’s about protecting academic and business data against loss due to accident or technical problems.

Levels of Data Security at Yale

Yale has created a Data Classification Policy that divides Yale Data into three types, depending on their importance, sensitivity, and potential for misuse:

Low Risk

Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:

  1. Yale chooses or is required to disclose them to the public
  2. The loss of their confidentiality, integrity, or availability would cause no harm to Yale’s mission, safety, finances, or reputation.

Moderate Risk

Data and systems are classified as Moderate Risk if they are not considered to be High Risk, and:

  1. They are not available to the public
  2. The loss of their confidentiality, integrity, or availability could cause limited harm to Yale’s mission, safety, finances, or reputation.

High Risk

Data and systems are classified as High Risk if:

  1. They could be exploited for criminal or other wrongful purposes and Yale is obligated by statute or regulation to keep them confidential
  2. Yale is contractually obligated to keep them confidential
  3. They identify an individual and would customarily be shared only with the individual’s family, doctor, lawyer, or accountant
  4. They are critical to Yale’s ability to perform one of its essential academic, health care, or business functions and cannot be replaced easily with backup copies.

Data Risk Classification Examples

Low Risk

Examples of Low Risk data include:

  • Information that Yale has made available to the public on its website
  • Policy and procedure manuals designated by Yale as public
  • Job postings
  • Yale directory information not designated by the individual as “private”
  • Information in the public domain
  • Publicly available campus maps

Moderate Risk

Examples of Moderate Risk data include:

  • Unpublished research data
  • Student and applicant data
  • Employment applications and personnel files
  • Non-public contracts
  • Internal memos and email, non-public reports, budgets, plans, and financial information
  • Engineering, design, and operational information regarding Yale infrastructure
  • University Net IDs

High Risk

Examples of High Risk data include:

  • Personally identifiable patient and human subject information
  • Social Security, driver’s license, and passport numbers
  • Credit card and bank account numbers
  • Export controlled information under U.S. laws
  • Confidential information about Yale donors
  • Databases used for payroll, tax, health care, and other critical functions
  • Information pertaining to animal research protocols and researchers

Server Risk Classification Examples

A server is defined as a host that provides network-accessible services.

View Minimum Security Standards.

Low Risk

These servers do not access, store, create or transmit any Moderate or High Risk Data. Examples include:

  • Servers used for research computing purposes that do not include Moderate or High Risk data.
  • File server used to store data available to the public.
  • Database server containing data available to the public.

Moderate Risk

These servers handle Moderate Risk Data and do not access, store, create or transmit any High Risk Data. Examples include:

  • Database of non-public University contracts
  • File server containing non-public procedures/documentation
  • Database server containing student records

High Risk

These servers handle High Risk Data. Examples include:

  • Servers managing access to other systems
  • University IT and departmental email systems
  • Active Directory
  • DNS
  • Database or file servers containing personally identifiable patient or human subject data.

Application Risk Classification Examples

Low Risk

These applications handle Low Risk Data and do not access, store, create or transmit any Moderate or High Risk Data. Examples include:

  • Applications handling Low Risk Data
  • Online maps
  • University online catalog displaying academic course descriptions
  • Shuttle schedules

Moderate Risk

These applications handle Moderate Risk Data and do not access, store, create or transmit any High Risk Data. Examples include:

  • HR applications storing employee and salary information
  • University Directory
  • Yale Alert – application distributing information in the event of a campus emergency
  • Online applications for student admissions

High Risk

These applications can access, store, create or transmit High Risk Data. Examples include:

  • Application storing SSNs
  • Application storing campus network node information
  • Application collecting personal information of a donor, alumnus, or any other individual.
  • Application that processes credit card payments