Standard:
YALE-MSS-1.1: Classify the IT System and meet the Minimum Security Standards
YALE-MSS-1.1.1: Classify the IT System as high, moderate, or low risk based on data classification, availability requirements, and external obligations
Details
Visit the Risk Classification Guideline (cybersecurity.yale.edu/riskclassification) for more information on how to classify Yale IT Systems. This will provide insight into the three elements of risk classification:
- Data classification
- Availability requirement
- External obligations
Risk classification ensures we protect Yale IT Systems based on the risk they carry.
Here at Yale, we classify systems as high, moderate, or low risk. This classification determines which Minimum Security Standards are required for the system.
Risk classification is determined based on the three elements:
- Data classification determines how sensitive or confidential the data is.
- Availability requirement determines how long the IT System can be unavailable before operations are impacted.
- External obligations determine if there are extra security obligations to apply to the IT System.
These three elements ensure we protect the confidentiality, integrity, and availability of our IT Systems based on their risk. You can read more about how to determine these elements of risk in our supporting guidelines:
The guidelines above can help you determine your risk for the three elements. In addition, the questions below can help you through the process of deciding your risk level for each element of risk classification.
Data classification:
- Do you know all of the data in use? This includes any Yale Data accessed, created, stored, transmitted, and/or received by the Yale IT System you are building or using.
- What is the highest data classification in use? This is the data classification of the IT System.
Availability requirement:
- What is the risk to operations if the IT System becomes unavailable due to a disruption?
- What is the academic function this IT System provides?
- How critical is this business or academic function to your daily work?
- Is there a backup in place? If yes, how long can you function with that backup plan if the IT System were unavailable?
External obligations:
- Is the IT System subject to any regulatory obligations such as HIPAA, PCI, or FERPA?
- Are there any contractual agreements in place regarding this IT System? If yes, does that contract require increased security standards beyond the MSS?