We don't want to over-protect or under-protect our Yale IT Systems. Both scenarios waste time, money, and resources. We want to protect Yale IT Systems according to the risk they carry, and risk classification is how we do that. This guideline explains how to classify a Yale IT System as high, moderate, or low risk.
3 Elements of Risk Classification
We classify Yale IT Systems based on three elements:
- Data Classification
- Availability Requirement
- External Obligations
The highest risk from these three elements = the risk classification of the Yale IT System.
Defining the 3 elements of Risk Classification
- Data Classification: Determine how sensitive or confidential the data is.
- Availability Requirement: Evaluate the risk to operations if the IT System becomes unavailable.
- External Obligations: Determine if the Yale Data or IT System is subject to any external obligations (e.g. HIPAA, PCI).
Scroll down to "How to determine the risk classification" to learn how to determine the risk of these three elements.
Classifying and protecting Yale's IT Systems
Risk classification determines the appropriate security requirements for a Yale IT System. These security requirements are known as Yale's Minimum Security Standards (MSS). Yale's MSS are baseline security requirements for protecting IT Systems based on risk. The risk classification of a Yale IT System determines:
- Which Minimum Security Standards are required for the IT System
- Any additional security requirements mandated by external obligations
You need to know your risk classification before you can apply the MSS to your IT System. The higher the risk classification, the more security requirements to apply.
Your role in Risk Classification
Yale requires a very open, dynamic technology environment to deliver the University's mission. This type of environment is the most challenging to protect from cybersecurity threats. We all play a part in classifying and protecting Yale's Data and IT Systems. These roles can help you understand your part in keeping Yale's Data and IT Systems secure.
Yale Data Users (Users)
Yale defines anyone who has access to or responsibilities for Yale Data as a Yale Data User. As a user, you use Yale IT Systems to access, create, store, and transmit Yale Data. As a user, you work with these data and IT Systems to deliver the work you do in support of the University's mission.
What are users responsible for?
Users are responsible for ensuring they work securely. You can ensure you are working securely by:
- Understanding Yale's risk classifications.
- Applying the classifications to the work you do.
- Selecting Yale IT Systems that meet the classification of your work.
Knowing the risk classification of how you use a Yale IT System will help you select the right Yale IT System to use. Communicate your risk classification to your user support providers (see below). They can help you select, purchase, or build a Yale IT System built to match your risk classification.
User Support Providers
Anyone who works to support users with IT-related matters is a user support provider. This is commonly referred to as an IT Support Provider. This group can also include roles like project managers and business analysts. Anyone that helps users to complete the work or projects they do is a User Support Provider.
What are user support providers responsible for?
- Assist users with determining their risk classification when needed.
  - See the "How to determine the risk classification" section below to help users determine their risk.
- Help users select a Yale IT System that supports their risk classification.
  - For example, if the user's risk classification is High Risk, they must use a High Risk Yale IT System. User support providers should understand the risk classification process to support their users. They can also refer users to our Approved Services by Risk Classification table.
- Plan for the requirements associated with the risk classification. This applies when you are planning a project or defining business requirements.
  - The risk classification determines which security requirements need to be applied. These are outlined in the Minimum Security Standards (MSS). Consider the resources you need to meet the MSS for the risk classification.
System Decision-Makers
If you own, provide, or introduce a Yale IT System to the University, you are a system decision-maker. System decision-makers are sometimes referred to as the technical owner of a Yale IT System.
What are system decision-makers responsible for?
Classifying the IT System. To classify the IT System consider:
- The three elements of risk classification.
- How the user-base for the IT System intends to use the IT System. For example, if they need your IT System to store High Risk data, the data classification = high risk.
Communicating the classification of the IT System
- Whether or not you have a specific user base in mind, users need to know the risk classification of your IT System. This ensures users are using your IT System securely. For example, we don't want users putting High Risk data in a system that is classified as moderate; that would mean the High Risk data is not appropriately protected.
Establishing a group of system support providers
- These are the people responsible for configuring the IT System. They configure the IT System to meet and maintain Yale's MSS for the risk classification.
Ensuring the IT System meets and maintains Yale's MSS
- Communicate your risk classification to your system support providers. Ensure they are configuring the system to meet and maintain the MSS for the lifecycle of the system.
System Support Providers
If you build, maintain, or support Yale IT Systems, you are a system support provider. The Yale IT System’s risk classification determines the IT System's security requirements. These security requirements include:
- Yale’s Minimum Security Standards
- Any applicable external obligations.
What are system support providers responsible for?
- Building and maintaining the Yale IT System in alignment with its risk classification.
- This means the system meets and maintains its security requirements. This includes Yale's MSS and any applicable external obligations.
How to determine Risk Classification
This section outlines how to determine the risk classification of a Yale IT System. It provides a step-by-step process to determine the overall risk classification. This includes how to decide on the:
- Data Classification
- Availability Requirement
- External Obligations
The highest risk from these three elements is the risk classification of the Yale IT System.
We provide examples of how to determine the risk classification of sample IT Systems.
A step-by-step guide to risk classification
There are four steps to determining the risk classification of a Yale IT System:
1. Determine the data classification.
2. Determine the availability requirement.
3. Determine if the Yale Data or IT System is subject to any external obligations.
4. Determine the risk classification of the IT System.
Step 1: Determine the Data Classification
Steps to determine the data classification include:
- Know all the data in use. This includes any Yale Data the IT System will access, create, store, transmit, or receive.
- Determine the highest data classification in use. There are two ways to determine the data classification:
  - Align the data types with Yale's Data Classification policy. You can find this information in the policy or in our Data Classification Guideline.
  - Take our Data Classification Questionnaire. This questionnaire can also determine common external obligations for the data.
Step 2: Determine the Availability Requirement
The availability requirement evaluates the risk to operations if the IT System becomes unavailable.
The availability requirement is commonly referred to as the Recovery Time Objective (RTO). The definition of availability requirement/RTO is as follows:
Availability Requirement/RTO: the maximum length of time a Yale IT System can be down in the event of a disruption before incurring a significant impact on operations.
Steps to determine the availability requirement include:
- Determine how long your IT System can be unavailable before significantly impacting operations. To figure this out, take the following questions into consideration:
  - If the IT System is down, can you access the data another way? If not, the data will be unavailable as long as the IT System is unavailable.
  - What is the business or academic function this IT System provides?
  - How critical is this business or academic function to my daily work?
  - Do we have a backup plan in place? If yes, how long can we function with that backup plan if the IT System were unavailable (e.g. 24 hours, 1 week)?
  Express the answer to the last question in hours or days. That time is your availability requirement.
- Align your availability requirement with a risk level using the chart below.

| Availability Requirement | Availability Risk Level |
|---|---|
| 0-8 hours | High Risk |
| 8:01-24 hours | Moderate Risk |
| > 24 hours | Low Risk |
For more information, visit our Availability Requirement Guideline. This guideline provides details on how and why we determine the availability requirement.
Step 3: Determine External Obligations
Determining external obligations is the third element of risk classification. In this step, you determine if the Yale Data or IT System is subject to any external obligations. These can include legal, regulatory, or contractual requirements. Examples include HIPAA and FERPA (regulatory) and PCI DSS and Data Use Agreements (contractual).
Ways to determine if the data/system are subject to external obligations include:
- Visit the External Obligations Guideline. This guideline provides more information on common external obligations at Yale. These are regulatory or contractual obligations that can increase security requirements. Talk to your supervisor or Principal Investigator (PI) if you are unsure if these apply to your data.
- Take Yale’s Data Classification Questionnaire. We mention this in step 1. This questionnaire can determine common regulatory requirements that apply to Yale Data.
Step 4: Determine the risk classification of the Yale IT System
The risk classification of the IT System is the highest risk level derived from steps 1-3. You can determine the risk classification by using the chart below:
| Element | Value |
|---|---|
| Data classification | high, moderate, or low |
| Availability requirement | high, moderate, or low |
| External obligations | e.g. HIPAA, PCI, FERPA, other |
| Risk Classification | the highest risk level of the three values above |
Risk Classification examples
View the examples below for more help with determining risk classification.
Example 1
An IT System is being built for the Yale School of Medicine. This system will store personally identifiable patient data (Protected Health Information, "PHI"). The data cannot be unavailable for more than 1 hour.

| Element | Value |
|---|---|
| Data Classification | Personally identifiable patient information is classified by Yale University as High Risk |
| Availability Requirement | 1 hour falls in the 0-8 hours band = High Risk |
| External Obligations | HIPAA (applies because the system stores PHI) |
| Risk Classification | High Risk, HIPAA |

Note: If the user base didn't know that HIPAA applies, the Data Classification Questionnaire would determine it.
Example 2
Human Resources needs to store employee personnel files in a cloud application. All HRGs will access these files on a monthly basis. If the system is unavailable, the HRGs have a backup plan: they will email the personnel files on an as-needed, ad-hoc basis. This backup plan can work for two weeks before having a significant impact on operations.

| Element | Value |
|---|---|
| Data Classification | Yale classifies employee personnel information as Moderate Risk |
| Availability Requirement | Two weeks (greater than 24 hours) = Low Risk |
| External Obligations | Not Applicable |
| Risk Classification | Moderate Risk |