Skip to main content
This shows the inside of Yale Law School.

Yale's Information Security Policy Base

Yale's Information Security policy base ensures we secure Yale's data and IT Systems. Our policy base includes University IT and regulatory policies that include cybersecurity requirements. Regulatory policies include University HIPAA and PCI policies that include cybersecurity requirements. 


This is meant to represent someone reading Yale's policies on their computer.

This page puts all University policies that include cybersecurity requirements in one place. Our Information Security Policy Base consists of four policy artifact types:

  • Policies identify the issue and scope. They explain why we need to do something to keep Yale secure.
  • Standards explain what needs to happen to follow policies.
  • Procedures explain how to do the standards by establishing the proper steps to take.
  • Guidelines provide extra, recommended guidance for meeting policies and standards.
Each of these policy artifacts plays a role in ensuring we know what to do to keep Yale secure. 

Below you will find a collection of all IT Security policies from the University policy base. These are organized by the University Policy number. We include links to the supporting standards, procedures, and guidelines for each policy.

Policy 1602: Protecting the Security and Confidentiality of Social Security Numbers

Yale holds Social Security Numbers (SSNs) for business and/or legal purposes. The purpose of this policy is to protect those SSNs in compliance with Connecticut Law.

Supporting standards: 

Social Security Numbers are high risk data. IT Systems that access SSNs are required to meet the high risk Minimum Security Standards

Policy 1604: Data Classification Policy

This Policy ensures the community secures Yale Data based on its sensitivity. This Policy classifies Yale data into three risk levels: high, moderate, and low risk. This policy protects the confidentiality, availability, and integrity of Yale Data and ensures compliance with the law.

Supporting standards

Supporting procedures: 

Supporting guidelines: 

Policy 1607: Information Technology Appropriate Use Policy

This Policy provides the appropriate use of Yale’s IT resources. This includes the University’s access to information about these resources.

Supporting standards: 

Supporting procedures: 

Policy 1608: Mobile Device Management Policy

This policy establishes how to maintain the security of Yale Data on mobile devices.

Supporting standards: 

Supporting procedures:

Policy 1609: Media Control 

This policy controls the re-use and disposal of devices containing confidential Yale Data. This is high-risk data, including electronic Protected Health Information (ePHI).

Supporting standards: 

Supporting procedures: 

Policy 1604 and 1610 work together to protect Yale Data and IT Systems. Yale's MSS are baseline requirements for securing Yale IT Systems based on risk.

Policy 1611: Program for Security of Customer Financial and Related Data 

This policy is about protecting customer financial information and other covered data. This policy exists to protect private information and comply with federal law. 

Supporting Standards: 

The data described in Policy 1611 is considered High Risk data. Follow Yale's Minimum Security Standards for High Risk Data to protect this data appropriately. Read the policy to figure out what types of data this includes. 

Policy 1612: Software Licensing 

This policy provides direction on appropriately obtaining and using software. This includes Yale-authored software and software licenses. Each user must be aware of the Software License restrictions for the software they use.

One of the best things you can do to stay secure is to keep your software up to date. See our Apply Updates page for more details. 

Policy 1613: Electronic Signatures and Records 

This policy defines requirements for maintaining records in electronic form. This includes how to use electronic signatures for those with signature authority. 

Supporting Procedures: 

Policy 1615: Information Technology Infrastructure and Applications Change Management Policy

This policy sets forth change control requirements for Yale IT Systems. This includes modifications implemented by vendors and external organizations (third-party/cloud services). 

Supporting Standards: 

Supporting Procedures: 

This shows a computer with a stethoscope next to it.

University HIPAA Information Security Policies 

Yale University is committed to providing the highest quality health care. This includes respecting patients' and research participants' privacy of their health information. 

The standards for protecting health information are described in the federal law HIPAA. HIPAA stands for the Health Insurance Portability and Accountability act. Yale's HIPAA policies are designed to ensure compliance with the HIPAA security rule. 

Below is a collection of all IT Security policies from the University HIPAA policy base. This includes any HIPAA policy about protecting electronic protected health information (ePHI). These policies apply to anyone in Yale's HIPAA covered entity.  

HIPAA Policy 5100: Protected Health Information (PHI) Security Compliance

This policy outlines Yale's security requirements for protecting patient records. These requirements are to ensure compliance with the HIPAA Security Rule. 

Supporting Standards: 

Supporting Guidelines: 

HIPAA Policy 5111: Physical Security Policy

This policy was developed to protect against unauthorized physical access to protected health information (PHI) in all formats (electronic or ePHI, paper video, audio etc.). This policy covers PHI on campus and on non-Yale property. 

Supporting Standards: 

Supporting Procedures: 

HIPAA Policy 5123: Electronic Communication of Health-Related Information (Email, Voice Mail, and other Electronic Messaging Systems)

This policy establishes standards for the electronic transmission of Protected Health Information (“PHI”). These standards are required to protect the security and privacy of electronic PHI. This policy applies to all electronic transmission of PHI. This includes, but is not limited to, email, instant messaging, and voice mail.

Supporting Standards: 

Yale personnel must use a email account to send and receive PHI. They must not use any other email accounts for that purpose. Currently, this account must be an Office 365 account. EliApps accounts are not approved for electronic transmission of PHI.

HIPAA Policy 5142: Information System Activity Review 

This policy is in place to prevent security violations on HIPAA source systems. This includes identifying, categorizing, monitoring and reviewing source systems appropriately.  

Supporting Standards: 

Supporting Procedures: 

HIPAA Policy 5143: IT Security Incident Response 

Supporting Standards: 

For details on how to identify and report an incident, see our Report an Incident page.

This shows a person swiping their credit card at a store. PCI policies are in place to protect credit card information.

University PCI Information Security Policies 

PCI DSS is the Payment Card Industry Data Security Standards. Our University has policies in place to ensure compliance with PCI DSS. These policies apply to anyone accepting Payment Card payments for University business. Below is a list of Yale's PCI Information Security policies. 

Need help?

We are here to help you keep Yale secure. For any questions on how to meet and maintain these policies, send us an email

Yale's Minimum Security Standards (MSS)

Did you know this page represents over 170 pages of policies and procedures? We have consolidated all Yale's security policies, procedures, and practices into one place. These baseline security requirements are known as Yale's Minimum Security Standards (MSS). We've saved you the time of reading 170+ pages of policy by putting them all in one place. 


View Yale's Minimum Security Standards (MSS)