Yale's Information Security policy base ensures we secure Yale's data and IT Systems. It includes the University IT policies that carry cybersecurity requirements, as well as the regulatory policies (University HIPAA and PCI policies) that do the same.
This page puts all University policies that include cybersecurity requirements in one place. Our Information Security Policy Base consists of four policy artifact types:
- Policies identify the issue and scope. They explain why we need to do something to keep Yale secure.
- Standards explain what needs to happen to follow policies.
- Procedures explain how to do the standards by establishing the proper steps to take.
- Guidelines provide extra, recommended guidance for meeting policies and standards.
Below you will find a collection of all IT Security policies from the University policy base. These are organized by the University Policy number. We include links to the supporting standards, procedures, and guidelines for each policy.
Yale Policy 1601: Information Access and Security
This policy establishes requirements for access to and stewardship of Yale Data.
Policy 1602: Protecting the Security and Confidentiality of Social Security Numbers
Yale holds Social Security Numbers (SSNs) for business and/or legal purposes. The purpose of this policy is to protect those SSNs in compliance with Connecticut Law.
Social Security Numbers are high risk data. IT Systems that access SSNs are required to meet the high risk Minimum Security Standards.
Policy 1604: Data Classification Policy
This Policy ensures the community secures Yale Data based on its sensitivity. This Policy classifies Yale data into three risk levels: high, moderate, and low risk. This policy protects the confidentiality, availability, and integrity of Yale Data and ensures compliance with the law.
Policy 1607: Information Technology Appropriate Use Policy
This Policy defines the appropriate use of Yale's IT resources. This includes the University's access to information about these resources.
Policy 1608: Mobile Device Management Policy
This policy establishes how to maintain the security of Yale Data on mobile devices.
Policy 1609: Media Control
This policy controls the re-use and disposal of devices containing confidential Yale Data. This is high-risk data, including electronic Protected Health Information (ePHI).
Policy 1610: Systems and Network Security
This policy defines systems and network security requirements to protect Yale's electronic resources.
- 1610 PR.01: Systems and Network Security
- 1610 PR.02: Disposal of Obsolete Computers and Peripherals
- 1610 PR.03: Network Configuration Security
- 1610 PR.04: Multifactor Authentication
- 1610 PR.05: Device Security Standards
Policies 1604 and 1610 work together to protect Yale Data and IT Systems. Yale's Minimum Security Standards (MSS) are the baseline requirements for securing Yale IT Systems based on risk.
Policy 1611: Program for Security of Customer Financial and Related Data
This policy is about protecting customer financial information and other covered data. This policy exists to protect private information and comply with federal law.
The data described in Policy 1611 is considered High Risk data. Follow Yale's Minimum Security Standards for High Risk Data to protect this data appropriately. Refer to the policy for the types of data it covers.
Policy 1612: Software Licensing
This policy provides direction on appropriately obtaining and using software. This includes Yale-authored software and software licenses. Each user must be aware of the Software License restrictions for the software they use.
One of the best things you can do to stay secure is to keep your software up to date. See our Apply Updates page for more details.
Policy 1613: Electronic Signatures and Records
This policy defines requirements for maintaining records in electronic form. This includes how to use electronic signatures for those with signature authority.
Policy 1614: Vulnerability Management
Policy 1615: Information Technology Infrastructure and Applications Change Management Policy
This policy sets forth change control requirements for Yale IT Systems. This includes modifications implemented by vendors and external organizations (third-party/cloud services).
University HIPAA Information Security Policies
Yale University is committed to providing the highest quality health care. This includes respecting patients' and research participants' privacy of their health information.
The standards for protecting health information are described in the federal law HIPAA. HIPAA stands for the Health Insurance Portability and Accountability Act. Yale's HIPAA policies are designed to ensure compliance with the HIPAA Security Rule.
Below is a collection of all IT Security policies from the University HIPAA policy base. This includes any HIPAA policy about protecting electronic protected health information (ePHI). These policies apply to anyone in Yale's HIPAA-covered entity.
HIPAA Policy 5100: Protected Health Information (PHI) Security Compliance
This policy outlines Yale's security requirements for protecting patient records. These requirements are to ensure compliance with the HIPAA Security Rule.
HIPAA Policy 5111: Physical Security Policy
This policy was developed to protect against unauthorized physical access to protected health information (PHI) in all formats (electronic (ePHI), paper, video, audio, etc.). This policy covers PHI on campus and on non-Yale property.
HIPAA Policy 5123: Electronic Communication of Health-Related Information (Email, Voice Mail, and other Electronic Messaging Systems)
This policy establishes standards for the electronic transmission of Protected Health Information (“PHI”). These standards are required to protect the security and privacy of electronic PHI. This policy applies to all electronic transmission of PHI. This includes, but is not limited to, email, instant messaging, and voice mail.
Yale personnel must use a yale.edu email account to send and receive PHI. They must not use any other email accounts for that purpose. Currently, this @yale.edu account must be an Office 365 account. EliApps accounts are not approved for electronic transmission of PHI.
HIPAA Policy 5142: Information System Activity Review
This policy is in place to prevent security violations on HIPAA source systems. This includes identifying, categorizing, monitoring and reviewing source systems appropriately.
HIPAA Policy 5143: IT Security Incident Response
For details on how to identify and report an incident, see our Report an Incident page.
University PCI Information Security Policies
PCI DSS is the Payment Card Industry Data Security Standard. Our University has policies in place to ensure compliance with PCI DSS. These policies apply to anyone accepting Payment Card payments for University business. Below is a list of Yale's PCI Information Security policies.
Policy 2820: Acceptance of Credit & Debit Card Payments
We are here to help you keep Yale secure. For any questions on how to meet and maintain these policies, send us an email.
Yale's Minimum Security Standards (MSS)
Did you know this page represents over 170 pages of policies and procedures? We have consolidated all of Yale's security policies, procedures, and practices into one place, saving you the time of reading 170+ pages of policy. These baseline security requirements are known as Yale's Minimum Security Standards (MSS).