Protect Your Data

Good data security is about more than confidentiality - it’s about protecting academic and business data against loss due to accident or technical problems.

Data Risk Classification | Server Risk | Application Risk | Approved Services

Yale has created a Data Classification Policy that divides Yale Data into three types, depending on their importance, sensitivity, and potential for misuse:

Low Risk Moderate Risk High Risk

Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:

  1. Yale chooses or is required to disclose them to the public
  2. The loss of their confidentiality, integrity, or availability would cause no harm to Yale’s mission, safety, finances, or reputation.

Data and systems are classified as Moderate Risk if they are not considered to be High Risk, and:

  1. They are not available to the public
  2. The loss of their confidentiality, integrity, or availability could cause limited harm to Yale’s mission, safety, finances, or reputation.

Data and systems are classified as High Risk if:

  1. They could be exploited for criminal or other wrongful purposes and Yale is obligated by statute or regulation to keep them confidential
  2. Yale is contractually obligated to keep them confidential
  3. They identify an individual and would customarily be shared only with the individual’s family, doctor, lawyer, or accountant
  4. They are critical to Yale’s ability to perform one of its essential academic, health care, or business functions and cannot be replaced easily with backup copies.

Data Risk Classification Examples

View Minimum Security Standards.

Low Risk Moderate Risk High Risk

Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:

  • Information that Yale has made available to the public on its website
  • Policy and procedure manuals designated by Yale as public
  • Job postings
  • Yale directory information not designated by the individual as “private”
  • Information in the public domain
  • Publicly available campus maps
  • Research data (barring any publication restrictions and at data owner’s discretion)

Data and systems are classified as Moderate Risk if they are not considered to be High Risk, and:

  • Non-public, University-owned research data not considered High Risk
  • Student and applicant data
  • Employment applications and personnel files
  • Non-public contracts
  • Internal memos and email, non-public reports, budgets, plans, and financial information
  • Engineering, design, and operational information regarding Yale infrastructure

Data and systems are classified as High Risk if:

  • Personally identifiable patient and human subject information
  • Social security, driver’s license, state identification card, and passport numbers 
  • Credit card and bank account numbers
  • Export controlled information under U.S. laws
  • Confidential information about Yale donors
  • Databases used for payroll, tax, health care, and other critical functions
  • Information pertaining to animal research protocols and researchers
  • A user name (e.g., Yale NetID) or email address in combination with a password or security question and answer that would permit access to an online account. 

Server Risk Classification Examples

A server is defined as a host that provides a network accessible services.

View Minimum Security Standards.

Low Risk Moderate Risk High Risk

These servers do not access, store, create or transmit any Moderate or High Risk Data. Examples include:

  • Servers used for research computing purposes that do not include Moderate or High Risk data.
  • File server used to store data available to the public.
  • Database server containing data available to the public.

These servers handle Moderate Risk Data and do not access, store, create or transmit any High Risk Data. Examples include:

  • Database of non-public University contracts
  • File server containing non-public procedures/ documentation
  • Database server containing student records

These servers handle High Risk Data. Examples include:

  • Servers managing access to other systems
  • University IT and departmental email systems
  • Active Directory
  • DNS
  • Database or file servers containing personally identifiable patient or human subject data.

Application Risk Classification Examples

View Minimum Security Standards.

Low Risk Moderate Risk High Risk

These applications handle Low Risk Data and do not access, store, create or transmit any Moderate or High Risk Data. Examples include:

  • Applications handling Low Risk Data
  • Online maps
  • University online catalog displaying academic course descriptions
  • Shuttle schedules

These applications handle Moderate Risk Data and do not access, store, create or transmit any High Risk Data. Examples include:

  • HR applications storing employee and salary information
  • University Directory
  • Yale Alert – application distributing information in the event of a campus emergency
  • Online applications for student admissions

These applications can access, store, create or transmit High Risk Data. Examples include:

  • Application storing SSNs
  • Application storing campus network node information
  • Application collecting personal information of donor, alumnus, or any other individual.
  • Application that processes credit card payments

Approved Services

This table indicates which classifications of data are allowed on a selection of commonly used Yale University IT Services.

If the application you intend to use is not on the list of approved applications below, the application cannot be used for Moderate or High-Risk Data until a Security Design Review (SDR) has been completed by the Yale Information Security Office. Information about initiating a Security Design Review (SDR) can be found on the ITS Website.

Services Low Risk Moderate Risk High Risk
Audio and Video Conferencing: Zoom (local storage), Skype for Business
Audio and Video Conferencing: Zoom (cloud storage), WebEx, Cisco Meeting Place    
Data Backup: CrashPlan, Storage@Yale
Calendar: Office 365
Calendar: EliApps  
Cloud Infrastructure: ITS AWS Secure/HIPAA Zone*
Cloud Infrastructure: ITS AWS Spinup
Cloud Infrastructure: Microsoft Azure  
Content Management: Drupal, CampusPress (WordPress)    
Database Hosting Service – ITS AWS, ITS Data Center
Database Hosting Platform – SQL, Oracle
Document Management: Box at Yale, EliApps, Office 365 OneDrive  
Document Management: Secure Box, Sharepoint, Storage @ Yale
Email: Office 365 (for internal and YNHH systems), Office 365 (for external with [Encrypt] in the subject line)
Email: EliApps, Google Mail  
Encryption: Bitlocker, FileVault
File Storage: Storage @ Yale, Secure Box
File Storage: Box at Yale, EliApps, O365 OneDrive  
File Transfer: Yale Secure File Transfer
Google Team Drive  
Globus  
Hugo (Personal Health Record System)
Instant Messaging: O365 Skype for Business
IT Service Management: Service-Now
Oncore (Clinical Trials Management System)
RedCap
Survey Tool: Qualtrics
Survey Tool: Survey Monkey, Doodle, Sawtooth    
Voice Messaging: Cisco Unified Messaging    
ITS Virtual Private Network (VPN)

*The AWS HIPAA Zone must be used when dealing with any personally identifiable patient information or human subject data. The AWS Secure Zone is to be used for all other categories of High Risk Data. For questions, please contact helpdesk@yale.edu.