No matter if we’re working with Yale data or our personal data, we can’t protect what we have if we don’t know what we have. Knowing the risk - or the sensitivity, confidentiality, or importance of our data - is the first step to protecting it correctly.
We use Yale data every day. We use Yale IT Systems to access, store, and share that data. We must ensure that where we put the data is built to keep our data safe.
To do this, Yale has three risk classifications: high, moderate, and low. When we match the risk classification of our data to the IT Systems we use, we ensure we are working securely.
When you Know Your Risk, you’re working securely in a way that makes sense!
Would you leave your wallet on the dashboard of your car? A better option might be to lock it away in your glove compartment. Or, better yet, carry the wallet with you. Simply put, knowing something’s risk allows us to protect it properly.
Some data is meant to be shared. Some data may be highly confidential. And some data will fall somewhere in between. Yale uses three classifications of risk that help us know how to protect the data we work with.
At Yale, not just data is given a risk classification. The IT Systems we work with are, too! To ensure we are working securely, we must match the risk of our data with a system that’s classified for an appropriate level of risk.
Know Your Risk 101
The Goldilocks Dilemma
Knowing your risk is all about protecting our data and systems based on the risk they carry.
Does it make sense to pay $100 dollars for a lock to protect a $50 bike? Would you make your credit card information publicly available for strangers to see? Of course not.
Knowing your risk is about applying security based on what you are trying to protect.
Remember the story of Goldilocks and the Three Bears?
This is an easy way to remember why knowing your risk is so important.
Doing “too little” security
If we don’t apply enough security to our data and systems, we are putting our important information at risk.
At Yale, doing too little can have major financial and reputational consequences. It can also make our data and systems unavailable when we need them most.
At home, doing too little puts what’s important to you at risk. This can result in financial loss, identity theft, or exposure to your private data.
Doing “too much” security
Doing too much security can also be a costly mistake. Security controls cost money, time, and resources to maintain. Not only does this cost resources, it doesn’t always support the work we are doing.
Yale requires an open technology environment to deliver its mission. This means we can’t secure all data the same way.
The same goes for security at home. Do you store all your belongings in a safe or just the ones you value most? We want to apply this mentality to the way we protect our information online.
Getting security “just right”
Knowing our risk helps us get security “just right”.
This allows us to identify our most valuable data at Yale and at home and protect it as such. It also allows us to share data as needed.
Knowing our risk provides the balance we need to make security make sense. Without knowing the risk of the work we do, we can’t protect it appropriately.
Protect Yale data
No matter what you do at Yale, you play an important role in protecting your information.
Once you know the risk of the data you have, you need to protect it accordingly.
Stop. Don't share.
Yale data is classified as High Risk if:
- It can be exploited for criminal purposes.
- It would customarily be shared only with an individual's family, doctor, lawyer, accountant, etc.
- Yale is contractually obligated to keep the data confidential.
- The data is essential to the delivery of Yale's mission and is not easily replaceable.
Slow down. Think before you share.
Yale data is classified as Moderate Risk if:
- The data is hidden from public consumption.
- The loss of confidentiality, integrity, or availability of the data would cause harm to Yale’s mission or reputation.
Go ahead and share! It's public data.
Yale data is classified as Low Risk if:
- Yale allows the data to be disclosed to the public.
- The loss of this data would not cause any harm to Yale's mission or reputation.
Protecting Your Data
Protect your personal data
Protecting what you have is all about thinking of where you access and store your data. Is your high-risk data accessed and stored in a secure place? How can you be sure?
While there’s no official policy for protecting data at home, we should take the same precautions as we would at Yale. Know where your most sensitive and important information is and protect it accordingly.
Protecting Data at Yale
There are two key elements to consider when thinking about the risk of the data you have access to at Yale:
- Data classification identifies the sensitivity or confidentiality of the data
- External obligations determine if the data is subject to third-party controls (such as HIPAA, FERPA, PCI, etc.)
Tips & Tools to classify your data:
Watch the following short video to find out more about data classifications and external obligations at Yale.
Next, review the Data Classification Questionnaire to help determine your data's risk classification and external obligations. This questionnaire is a set of questions to help you:
- Align the sensitivity of your data with a risk level of high, moderate, or low.
- Determine if your data is subject to any common external obligations used at Yale.
How Yale Protects Data and IT Systems Based on Risk
At Yale, we protect systems based on risk using our Minimum Security Standards (MSS). The MSS are baseline security requirements for protecting Yale IT Systems based on the risk they carry.
All Yale IT Systems must meet and maintain these security requirements based on their risk level. Some systems are built to meet the High Risk MSS, meaning they are a secure place to access and store High Risk data. Other systems are only built to secure moderate or Low Risk data.
What is my role in protecting the Yale data I work with every day?
As a user of Yale’s data, you are responsible for:
- Knowing the risk of the data you work with every day.
- Ensuring you are accessing and storing your data in a system that is built to protect that risk level.
Make Your Match
At Yale, we classify our data and systems based on risk - high, moderate, or low. As users, we must know the risk classification of the data we use.
To ensure we are working securely, we must match the risk of our data with a system that protects that level of risk. This is what it means to “Make Your Match”.
Two ways to make your match
Choose an existing service that matches the classification of your work.
Yale maintains a list of commonly used services by risk classification. To view this list, see the webpage Know Your Risk: Find services that can meet your risk classification.
Build or purchase a new system and ensure it meets the Minimum Security Standards for your risk level.
For details on understanding and applying the MSS, view Yale's MSS webpage.
Make Your Match Example
As an example, let’s consider a group of users that needs to store High Risk data files securely. They can either:
Choose an existing service. For example, Microsoft Teams is a file sharing and storage service that is classified for High Risk data.
Build or purchase their own service. The service must be configured to meet the High Risk Minimum Security Standards.
No matter what option the group chooses, they are working securely! This is because they are either using an existing service or configuring a new one that will meet the MSS for the classification of their work (High Risk).
Can I store High Risk data in a Moderate Risk service?
What if this group wanted to use Yale Box? Yale Box is only built to secure Moderate Risk data. If you find you are currently accessing or storing data in a service that is not protected for your risk level or higher, talk to your supervisor. As a member of the Yale community, we all have a responsibility to protect Yale's data.
Additional resources to build your cyber muscles!
- Download our Know Your Risk infographic
- Yale’s Risk Classification Guideline
- Yale Information Security Policy Base
- Yale’s Minimum Security Standard (MSS)
- Security Planning Assessment (SPA) process for new, updated, and third-party applications
- Find secure services that match your risk classification
- Sign up for cybersecurity awareness alerts and subscribe to our Bee Cyber Fit monthly tip, newsletter, and podcast
- Request cybersecurity awareness training, presentations, and activities for your team or department