
You use Yale data every day. You use Yale IT Systems to access, store, and share that data. But can we trust any IT System to secure data the same way? Unfortunately, no. The good news is Yale has three risk classifications: high, moderate, and low. When you know the risk classification of the data and IT Systems you use, you will know if you are working securely.
Visit the Know Your Risk Toolkit

Classify your data
Yale’s Data Classification Policy puts our data into three risk levels: high, moderate, and low. The data classification guideline helps you know the risk level of your data. Yale's Data Classification Questionnaire can help you classify your data. It also determines if the data is subject to common external obligations (e.g. HIPAA, PCI, FERPA).
Data Classification Guideline
All types of data can be classified as high, moderate, or low. View the Data Classification Guideline.
Data Classification Questionnaire
Answer questions to determine the data's classification and if external obligations apply. Take the Data Classification Questionnaire.

Classify your Yale IT System
You use multiple Yale IT Systems every day. Do we need to spend the same amount of time and money protecting every system? Of course not. All Yale IT Systems have a risk classification. The higher the risk classification, the more security requirements apply. We call these security requirements Yale's Minimum Security Standards.
Why would I need to classify a Yale IT System?
The risk classification of Yale IT Systems applies to you based on how you interact with the Yale IT System. Users, support providers, and decision-makers all need to know about risk classification.
Risk Classification Guideline
We classify Yale IT Systems based on the following three elements:
- Data Classification
- Availability Requirement
- External Obligations
Learn how to classify IT Systems and how that applies to your role.
Risk Classification of Commonly Used Services at Yale
We outline the risk classification of commonly used services here at Yale. This indicates the risk level (high, moderate, low) of work allowed on the service. Use the Service Classification page to help you ensure the work you're doing on these services matches or is lower than the risk level listed.

Yale's Information Security Policies & Standards
Yale's Information Security Policy Base is a collection of all cybersecurity requirements.
Yale's Minimum Security Standards (MSS) put all current security requirements in one place.
Yale's Information Security Policy Base
Our policy base consists of policies, standards, procedures, and guidelines.
What are the Minimum Security Standards (MSS)?
The MSS are baseline requirements for securing Yale IT Systems by risk. The risk classification of the Yale IT System determines which standards to apply.
Minimum Security Standards (MSS)
All Yale IT Systems must meet the MSS for their risk classification.
View the Minimum Security Standards