Secure Computing

Data and Information Classification @ Yale University

Levels of data security at Yale

Good data security is about more than confidentiality - we also want to protect our academic and business data against loss due to accident or technical problems.
Yale has created a classification system that divides Yale Data into three types, depending on their importance, sensitivity, and potential for misuse:

A.  High Risk Data

Yale Data are classified as High Risk if (i) they could be exploited for criminal or other wrongful purposes and Yale is obligated by statute or regulation to keep them confidential; (ii) Yale is contractually obligated to keep them confidential; (iii) they identify an individual and would customarily be shared only with the individual’s family, doctor, lawyer, or accountant; or (iv)

Examples:

  • Personally identifiable patient and human subject information
  • Social Security, driver’s license, and passport numbers
  • Credit card and bank account numbers
  • Export controlled information under U.S. laws
  • Confidential information about Yale donors
  • Databases used for payroll, tax, health care, and other critical functions
  • Information pertaining to animal research protocols and researchers

Related Policies and Procedures

B.  Moderate Risk Data

Yale Data are classified as Moderate Risk if they are not High Risk and (i) they are not available to the public; or (ii) the loss of their confidentiality, integrity, or availability could cause limited harm to Yale’s mission, safety, finances, or reputation.

Note: If any data in a dataset or file contain data attributes or combinations of attributes that are defined as High Risk, the dataset must be treated as High Risk.

Examples:

  • Unpublished research data
  • Student and applicant data
  • Employment applications and personnel files
  • Non-public contracts
  • Internal memos and email, non-public reports, budgets, plans, and financial information
  • Engineering, design, and operational information regarding Yale infrastructure

Related Policies and Procedures

Visit https://your.yale.edu/policies-procedures or email it.compliance@yale.edu

C.  Low Risk Data

Yale Data are classified as Low Risk if they are not Moderate or High Risk and (i) Yale chooses or is required to disclose them to the public, or (ii) the loss of their confidentiality, integrity, or availability would cause no harm to Yale’s mission, safety, finances, or reputation.

Examples:

  • Information that Yale has made available to the public on its website
  • Policy and procedure manuals designated by Yale as public
  • Job postings
  • Yale directory information not designated by the individual as "private"
  • Information in the public domain
  • Publicly available campus maps

Guidelines for securing Low Risk Data