YALE-MSS-1.1.1: Classify the IT System as high, moderate, or low risk based on data classification, availability requirements, and external obligations

Standard:
YALE-MSS-1.1: Classify the IT System and meet the Minimum Security Standards

Applies to (Required): Low, Moderate, and High Risk Endpoints; Low, Moderate, and High Risk Servers; Low, Moderate, and High Risk Mobile Devices; Low, Moderate, and High Risk Network Printers.

Details

Visit the Risk Classification Guideline (cybersecurity.yale.edu/riskclassification) for more information on how to classify Yale IT Systems. This will provide insight into the three elements of risk classification:

  • Data classification
  • Availability requirement
  • External obligations

Risk classification ensures we protect Yale IT Systems based on the risk they carry.

Here at Yale, we classify systems as high, moderate, or low risk. This classification determines which Minimum Security Standards are required for the system.

Risk classification is determined based on the three elements:

  • Data classification determines how sensitive or confidential the data is.
  • Availability requirement determines how long the IT System can be unavailable before operations are impacted.
  • External obligations determine if there are extra security obligations to apply to the IT System.

These three elements ensure we protect the confidentiality, integrity, and availability of our IT Systems based on their risk. You can read more about how to determine these elements of risk in our supporting guidelines:

The guidelines above can help you determine your risk for the three elements. In addition, the questions below can help you through the process of deciding your risk level for each element of risk classification.

Data classification:

  • Do you know all of the data in use? This includes any Yale Data accessed, created, stored, transmitted, and/or received by the Yale IT System you are building or using.
  • What is the highest data classification in use? This is the data classification of the IT System.

Availability requirement:

  • What is the risk to operations if the IT System becomes unavailable due to a disruption?
  • What business or academic function does this IT System provide?
  • How critical is this business or academic function to your daily work?
  • Is there a backup in place? If yes, how long can you function with that backup plan if the IT System were unavailable?

External obligations:

  • Is the IT System subject to any regulatory obligations such as HIPAA, PCI, or FERPA?
  • Are there any contractual agreements in place regarding this IT System? If yes, does that contract require increased security standards beyond the MSS?