1610 Systems and Network Security

Responsible Official: 
Chief Information Officer Privacy Officer
Responsible Office: 
Office of the Provost
Effective Date: 
April 20, 2005
Revision Date: 
June 10, 2011

Scope

This policy establishes IT security requirements for faculty, students, staff, and other individuals who use computing or communications Systems during the course of their work at Yale University. This includes Systems use on-campus as well as from remote locations, such as home, hotels and other off-campus locations.

The mandatory IT security requirements for faculty, students, staff, trainees, and others in Yale’s HIPAA Covered Components are described in HIPAA Security Policy 5100. This Policy 1610 and related procedures do not apply to these individuals. Instead, all faculty, students, staff, trainees, and others in Yale’s HIPAA Covered Components must refer to HIPAA Security Policy 5100 for more information.

Policy Statement

This policy defines University standards for managing computing and communications Systems and access to Yale University’s data network and electronic data resources. All Confidential Information, including electronically stored information, must be protected in a manner commensurate with its sensitivity, value and criticality; this includes protecting the computing and communications Systems that contain such data accordingly. Safeguards regarding the confidentiality and privacy of Yale information apply equally at on-campus locations and at any remote location. Procedures associated with this policy establish the currently appropriate required practices and best practices for managing computing and communications Systems and network access.

The University may, at any time, change any or all of the conditions under which any individual is granted computing or communications Systems or data network access privileges and may terminate such privileges at any time.

Reason for the Policy

Sound business practice as well as compliance with regulations requires appropriately protecting the confidentiality, integrity and availability of Yale electronic information. The efficiency of conducting Yale business depends on minimizing the impact of information security vulnerabilities.

Definitions

Data Network Access is the use of a communication System to communicate or exchange data among two or more Systems by any means including both wired and wireless network access.

Remote Access is any access to a device on the Yale University data network through a non-Yale controlled network, device, or medium, for example by DSL, cable modem or dial-up connection.

Policy Sections

1610.1 Use and Configuration of Computing or Communication Systems

Any individual who uses a computing or communications System to create, access, transmit or receive Yale related information is responsible for protecting that information in a manner commensurate with its sensitivity, value, and criticality. Appropriate procedures regarding confidentiality and privacy of information are to be followed at all times regardless of location on or off-campus. Appropriate procedures are detailed in the Systems Security procedure referenced below under Procedures.

Damage to, loss of, or unauthorized disclosure of any Yale University physical or information assets must be promptly reported to the employee’s immediate supervisor and the cognizant administrative head. Any incident where sensitive data is thought to have been compromised must be reported to the University Information Security Officer (ISO).

Individuals who are granted access to Yale’s Systems including the data network, whether from on-campus or via Remote Access, are responsible for protecting against the loss, damage or compromise of Yale University physical and electronic information assets.

1610.2 Remote Access for Individuals not affiliated with Yale University

Individuals not affiliated with the University (vendors/contractors, research collaborators) who hold Remote Access privileges must use a secure access method. Non-Yale vendors/contractors with Data Network Access privileges must use a secure access method that provides security equivalent to or better than that of a University Virtual Private Network connection, and must be able to provide documentation of those methods.

Contacts

Please also refer to the comprehensive summary of HIPAA Security Contacts provided within Policy 5100 Electronic Protected Health Information Security Compliance.

Roles and Responsibilities

Office of the Provost
Responsible for University compliance issues including HIPAA

Office of General Counsel
Interprets HIPAA regulations; reviews and approves all HIPAA related contracts including contracts with Business Associates or for research contracts

Chief Information Officer
Individual responsible for planning, development, evaluation, and coordination of University information and technology systems

University Information Security Officer
Individual responsible for overseeing information security and ensuring compliance with security requirements of HIPAA

  • Deputy Privacy Officer, Department of Psychology Clinics

Procurement Office
Identifies Business Associates and ensures appropriate contracts in place

Grants & Contracts Administration
Responsible for negotiating data use agreements and research related contracts.

Institutional Review Boards (HIC, HSC, HSRRC)
Responsible for review and approval of waivers of authorization for research purposes.

Please also refer to the comprehensive summary of HIPAA Security Roles and Responsibilities provided within Policy 5100 Electronic Protected Health Information Security Compliance.