Yale's Information Security policy base ensures we secure Yale's data and IT Systems. It includes University IT policies and regulatory policies (University HIPAA and PCI policies) that contain cybersecurity requirements.
This page puts all University policies that include cybersecurity requirements in one place. Our Information Security Policy Base consists of four policy artifact types:
- Policies identify the issue and scope. They explain why we need to do something to keep Yale secure.
- Standards explain what needs to happen to follow policies.
- Procedures explain how to do the standards by establishing the proper steps to take.
- Guidelines provide extra, recommended guidance for meeting policies and standards.
Below you will find a collection of all IT Security policies from the University policy base. These are organized by the University Policy number. We include links to the supporting standards, procedures, and guidelines for each policy.
This policy establishes requirements for access to and stewardship of Yale Data.
Yale holds Social Security Numbers (SSNs) for business and/or legal purposes. The purpose of this policy is to protect those SSNs in compliance with Connecticut Law.
Social Security Numbers are high-risk data. IT Systems that access SSNs are required to meet the high-risk Minimum Security Standards.
This Policy ensures the community secures Yale Data based on its sensitivity. This Policy classifies Yale data into three risk levels: high, moderate, and low risk. This policy protects the confidentiality, availability, and integrity of Yale Data and ensures compliance with the law.
This Policy defines the appropriate use of Yale’s IT resources. This includes the University’s access to information about these resources.
This policy establishes how to maintain the security of Yale Data on mobile devices.
This policy controls the re-use and disposal of devices containing confidential Yale Data. Such data is high risk and includes electronic Protected Health Information (ePHI).
This policy defines systems and network security requirements to protect Yale's electronic resources.
- 1610 PR.01: Systems and Network Security
- 1610 PR.02: Disposal of Obsolete Computers and Peripherals
- 1610 PR.03: Network Configuration Security
- 1610 PR.04: Multifactor Authentication
- 1610 PR.05: Device Security Standards
Policies 1604 and 1610 work together to protect Yale Data and IT Systems. Yale's Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems based on risk.
This policy is about protecting customer financial information and other covered data. This policy exists to protect private information and comply with federal law.
The data described in Policy 1611 is considered High Risk data. Follow Yale's Minimum Security Standards for High Risk Data to protect this data appropriately. Read the policy to determine which types of data this includes.
This policy provides direction on appropriately obtaining and using software. This includes Yale-authored software and software licenses. Each user must be aware of the Software License restrictions for the software they use.
One of the best things you can do to stay secure is to keep your software up to date. See our Apply Updates page for more details.
This policy sets forth change control requirements for Yale IT Systems. This includes modifications implemented by vendors and external organizations (third-party/cloud services).
University HIPAA Information Security Policies
Yale University is committed to providing the highest quality health care. This includes respecting the privacy of patients' and research participants' health information.
The standards for protecting health information are described in the federal law HIPAA, the Health Insurance Portability and Accountability Act. Yale's HIPAA policies are designed to ensure compliance with the HIPAA Security Rule.
This policy outlines Yale's security requirements for protecting patient records. These requirements are to ensure compliance with the HIPAA Security Rule.
This policy was developed to protect against unauthorized physical access to protected health information (PHI) in all formats (electronic (ePHI), paper, video, audio, etc.). This policy covers PHI on campus and on non-Yale property.
HIPAA Policy 5123: Electronic Communication of Health-Related Information (Email, Voice Mail, and other Electronic Messaging Systems)
This policy establishes standards for the electronic transmission of Protected Health Information (“PHI”). These standards are required to protect the security and privacy of electronic PHI. This policy applies to all electronic transmission of PHI. This includes, but is not limited to, email, instant messaging, and voice mail.
Yale personnel must use a yale.edu email account to send and receive PHI. They must not use any other email accounts for that purpose. Currently, this @yale.edu account must be an Office 365 account. EliApps accounts are not approved for electronic transmission of PHI.
This policy is in place to prevent security violations on HIPAA source systems. This includes identifying, categorizing, monitoring, and reviewing source systems appropriately.
University PCI Information Security Policies
PCI DSS is the Payment Card Industry Data Security Standard. Our University has policies in place to ensure compliance with PCI DSS. These policies apply to anyone accepting Payment Card payments for University business. Below is a list of Yale's PCI Information Security policies.
Yale's Minimum Security Standards (MSS)
Did you know this page represents over 170 pages of policies and procedures? We have consolidated all of Yale's security policies, procedures, and practices into one place. These baseline security requirements are known as Yale's Minimum Security Standards (MSS), saving you the time of reading 170+ pages of policy.