Know Your Risk

You use Yale data every day. You use Yale IT Systems to access, store, and share that data. But can we trust any IT System to secure data the same way? Unfortunately, no. The good news is Yale has three risk classifications: high, moderate, and low. When you know the risk classification of the data and IT Systems you use, you will know if you are working securely.

Visit the Know Your Risk Toolkit


Classify your data

Yale’s Data Classification Policy puts our data into three risk levels: high, moderate, and low. The data classification guideline helps you know the risk level of your data. Yale's Data Classification Questionnaire can help you classify your data. It also determines if the data is subject to common external obligations (e.g. HIPAA, PCI, FERPA).

Data Classification Guideline

All types of data can be classified as high, moderate, or low. View the Data Classification Guideline. 

Data Classification Questionnaire

Answer questions to determine the data's classification and if external obligations apply. Take the Data Classification Questionnaire.

Classify your Yale IT System

You use multiple Yale IT Systems every day. Do we need to spend the same amount of time and money protecting all systems the same way? Of course not. All Yale IT Systems have a risk classification. The higher the risk classification, the more security requirements apply. We call these security requirements Yale's Minimum Security Standards.

Why would I need to classify a Yale IT System?

The risk classification of Yale IT Systems applies to you based on how you interact with the Yale IT System. Users, support providers, and decision-makers all need to know about risk classification.

When you know your risk, you know how to work securely.

Risk Classification Guideline

We classify Yale IT Systems based on the following three elements: 

  • Data Classification 
  • Availability Requirement 
  • External Obligations 

Learn how to classify IT Systems and how that applies to your role.

View the Risk Classification Guideline

Risk Classification of Commonly Used Services at Yale

We outline the risk classification of commonly used services here at Yale. This indicates the risk level (high, moderate, low) of work allowed on the service. Use the Service Classification page to help you ensure the work you're doing on these services matches or is lower than the risk level listed.

Find secure services that match your risk classification

Yale's Information Security Policies & Standards

Yale's Information Security Policy Base is a collection of all cybersecurity requirements.

Yale's Minimum Security Standards (MSS) put all current security requirements in one place. 


Each of these artifacts plays a role in ensuring we know how to protect Yale's Data and IT Systems. 

Yale's Information Security Policy Base

Our policy base consists of policies, standards, procedures, and guidelines.

View Yale's Information Security Policy Base

What are the Minimum Security Standards (MSS)?

The MSS are baseline requirements for securing Yale IT Systems by risk. The risk classification of the Yale IT System determines which standards to apply.

Minimum Security Standards (MSS)

All Yale IT Systems must meet the MSS for their risk classification.

View the Minimum Security Standards