Notice: Instructure Security Incident & Canvas Updates

Yale ITS is monitoring a reported cybersecurity incident affecting Instructure, the vendor behind Canvas. At this time, there is no known significant impact to Canvas services at Yale, and updates will be shared as more information becomes available.

Read More

Critical vulnerability in all versions of Linux.

Critical vulnerability in all versions of Linux. Please check with your vendor for updates and plan to apply patches as soon as possible. For more information, see: https://xint.io/blog/copy-fail-linux-distributions

Read More

YALE-MSS-1.3: Ensure appropriate contracts for all third-party relationships are in place

Standards Group:
YALE-MSS-1: System Classification

YALE-MSS-1.3: Ensure appropriate contracts for all third-party relationships are in place

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

Details

Disclosing data to a third-party increases risk. To properly address this, additional contracts may be required.

If moderate or high-risk data is shared with a third-party, a Data Addendum (DA) between Yale and the third-party is required. In addition, if electronic protected health information (ePHI) is disclosed to a third-party, a Business Associates Agreement (BAA) is required.

Third-parties are responsible for meeting training requirements. Training requirements should be covered in contracts when applicable. Contracts should require that third-parties ensure that anyone who performs work under their agreement receives annual instruction and/or training to comply with the provisions of their contract(s) with Yale.

Require third-parties notify Yale of a security incident within 72 hours of a discovery of a confirmed incident.

Controls