Minimum Security Standards

These standards are intended to reflect the minimum security configurations necessary for devices that create, access, store or transmit Yale data. Devices should be configured in accordance with the highest data classification used on the device.

Every data user is responsible for ensuring the appropriate level of security for the data they use. More information on this requirement can be found in Procedure 1107 PR.01.

Please note that these standards will be revised and updated as needed to ensure compliance with current cybersecurity best practices.


ENDPOINT SECURITY CONFIGURATION

| SECURITY CONTROL | HIGH RISK DATA | MODERATE RISK DATA | LOW RISK DATA |
|---|---|---|---|
| Whole Disk Encryption | Required | Required | Recommended |
| No Administrative Privileges | Required | Required | Recommended |
| Device/System Registration | Required | Required | Recommended |
| Use Private IP Address | Required | Required | Recommended |
| Enrollment in ITS Endpoint Management | Required | Required | Recommended |
| Operating System | Required | Required | Required |
| Patching/Updates Installed within 30 days of release (automatic patching recommended) | Required | Required | Required |
| Anti-Virus/Endpoint Protection Installed & Active | Required – Managed AV | Required – Managed AV | Required |
| Enrollment in Enterprise Active Directory | Required | Required | Recommended |
| Use Enterprise Authentication | Required | Required | Recommended |
| Automatic Network Backup | Required | Required | Recommended |
| Inactivity Lock | Required – 15 minutes | Required – 30 minutes | Recommended – 1 hour or less |
| Don't use applications considered harmful (e.g. P2P) | Required | Required | Recommended |
| Do use approved External Messaging Applications | Required | Required | Recommended |
| Procurement – Buy Yale Managed Computers | Required | Required | Recommended |
| Physically secure (locks, etc.) | Required | Required | Recommended |
| Have Professionally Managed | Required | Required | Recommended |

ADDITIONAL FOR SERVER COMPUTERS

| SECURITY CONTROL | HIGH RISK DATA | MODERATE RISK DATA | LOW RISK DATA |
|---|---|---|---|
| Configure using CIS Security Standards | Required | Required | Required |
| Security Design Review (SDR) | Required | Required | n/a |
| Separate web, database and file service functions by server | Required | Required | Recommended |
| Professionally Managed by ITS or ITS-approved system admins | Required | Required | Recommended |
| Physically Secure in ITS or ITS-Approved Data Centers | Required | Required | Recommended |
| Secure on Yale ITS data center administered or approved firewalled networks | Required | Required | Recommended |
| Use Web Application Firewall | Required | Required | Recommended |
| Access to data requires MFA | Required | Recommended | Recommended |
| Data files require encryption | Required | Recommended | Recommended |

MOBILE DEVICES (smartphones, tablets)

| SECURITY CONTROL | HIGH RISK DATA | MODERATE RISK DATA | LOW RISK DATA |
|---|---|---|---|
| Lock with a password or PIN | Required | Required | Recommended |
| Encrypt the device | Required | Required | Recommended |
| Limit stored e-mail messages to 200 msgs or 14 days of msgs | Required | Required | n/a |
| Use Yale approved apps | Required | Required | n/a |
| Manufacturer Supported Operating System | Required | Required | Required |
| Register with YaleConnect or a Yale approved mobile device management system | Required | Required | Recommended |
| No tampering with device ("Jail breaking") | Required | Required | Required for Yale owned mobile devices; Recommended for personally owned devices |
| PINs or passwords | Required | Required | Recommended |

For more details on the Minimum Security Standards configurations, view this PDF.

Additionally, any Data User creating, accessing, storing or transmitting personally identifiable patient information or human subject data is required to comply with the Yale University HIPAA Policy 5100.