
Not all data is created equally – some data is highly confidential and some data can be shared with others. When we know the risk of our data, we ensure we’re working securely.
The foundation of being good stewards of Yale’s data and systems starts with two key actions:
- Knowing our risk - No matter if we’re working with Yale data or our personal data, we can’t protect what we have if we don’t know what we have.
- Making our match - We can ensure we’re working securely by matching the risk of our data with systems that can accommodate that risk.
Knowing and matching the risk of our data is especially important when using new, unfamiliar, or free tools and applications.
Know Your Risk
Yale’s data classification policy identifies the sensitivity of the data we work with. The risk of data and systems is classified as High, Moderate, or Low.
An easy way to remember this is with our stoplight model. For more information, see Yale's Data Classification Policy or Data Classification Questionnaire.
High Risk
Stop. Don't share.
Yale data is classified as High Risk if:
- It can be exploited for criminal purposes.
- It would customarily be shared only with an individual's family, doctor, lawyer, accountant, etc.
- Yale is contractually obligated to keep the data confidential.
- The data is essential to the delivery of Yale's mission and is not easily replaceable.
Moderate Risk
Slow down. Think before you share.
Yale data is classified as Moderate Risk if:
- The data is hidden from public consumption.
- The loss of confidentiality, integrity, or availability of the data would cause harm to Yale’s mission or reputation.
Low Risk
Go ahead and share! It's public data.
Yale data is classified as Low Risk if:
- Yale allows the data to be disclosed to the public.
- The loss of this data would not cause any harm to Yale's mission or reputation.
If you’re unsure about the risk classification of your data, view Yale's Data Classification Policy and use our Data Classification Questionnaire for additional guidance.
Make Your Match
To ensure we’re working securely, we must match the risk of our data with a system that protects that level of risk. This is what it means to “Make Your Match”.
At Yale, there are two ways to make your match:
- Choose an existing service that matches the classification of our work. For help with this, visit Know Your Risk: Find services that can meet your risk classification.
- Use a new system that meets Yale’s Minimum Security Standards (MSS) for the risk level. For details on understanding and applying the MSS, view Yale’s MSS webpage.
In today's world, many free applications claim to make your work or life easier. However, they are usually not secure enough for sensitive data. This means they cannot be used for Yale High or Moderate Risk data without a security assessment. These "free" applications are often reading, collecting, or sharing our data. It's critical that we're aware of the data we put into third-party applications.
The Information Security Office (ISO) offers the Security Planning Assessment (SPA) process. The SPA process can confirm if services are secure for the risk classification of your work.
Additional Tips for Keeping Data Safe
Use these general tips to help further protect your data:
- Use secure passwords and enable multifactor authentication wherever possible.
- Apply updates as soon as possible to keep your systems and software up to date.
- Click with caution and only share sensitive information with trusted sources online.
- Be safe, not sorry, and report suspicious cyber activity right away.