Yale Cybersecurity and Business Continuity

Cyber crime can be motivated by financial, political and ethical factors. Conducting regular cyber risk assessments and applying best practice advice is the best way to reduce risks and mitigate impacts.

System decision makers are responsible for ensuring that the systems they support meet Yale’s Minimum Security Standards based on the type of system and the risk classification of the work conducted. See our MSS page for details.

Protecting Yale’s Data and IT Systems

Yale uses cybersecurity tools and strategies to protect data and systems from attack. We also partner with you to prevent information security incidents. Together we are “Bee Safe, Not Sorry” and work to keep you and your data secure.

Yale classifies its data and IT Systems into High, Moderate, and Low risk levels. It is important to know your risk level and use services that meet the Minimum Security Standards (MSS) for your classification. See the Risk Classification Guideline for more details.

ISO collects telemetry from Yale endpoints including basic device configuration, installed software and versions, and whether these may be vulnerable to known attacks. This data is used to identify devices on the campus network, identify potential risks to systems, and provide additional information when investigating an information security incident.

Security Planning Assessment (SPA)

Security assessments are rigid evaluation processes that assess the current state of security of a network or information system by testing it for vulnerabilities. These vulnerabilities can be physical or logical. The process consists of identifying a target and conducting penetration tests on it, finding the vulnerabilities, fixing them, and validating the results.

System security involves assessing the configuration of workstations, servers, and other IT systems to identify any gaps that might permit unauthorized access. Application security focuses on examining software and mobile apps to spot weaknesses like poor input validation, unsafe coding practices, and insufficient authentication.

The SPA process replaces the old Security Design Review process and ensures that Yale IT Systems meet and maintain Minimum Security Standards (MSS). To initiate the process, submit a request via the ServiceNow SPA page.

Minimum Security Standards (MSS)

Cyber attacks can impact business continuity in a variety of ways. The best way to protect your organisation is to have a risk-based approach that focuses security measures on the most critical parts of your infrastructure.

The SPA process helps you plan to operate your IT System securely, and the MSS process checks that you’re using systems that meet our minimum security requirements for your risk classification. It also confirms that you’re working securely if you’re a user, support provider or system decision maker.

Professor Charalampos Papamanthou’s research is on cryptography, computer security, and privacy-preserving information systems. He has done direction-setting work on proof-carrying code, secure and privacy-preserving distributed algorithms, and decentralized trust management. His work is a key part of the foundation for the internet’s security and privacy.


An endpoint is any device or software that connects to a network, such as a computer, laptop, mobile phone or printer. Today, the term endpoint is also widely used to refer to any peripheral device connected to a home or business network, such as smart watches, GPS tracking systems, and even some home appliances.

Effective security requires comprehensive protection across a diverse set of endpoints. A strong endpoint cybersecurity posture enables the enterprise in many ways, including supporting BYOD programs; supporting remote workers during the coronavirus pandemic; and pursuing business-enabling technology projects without fear of negative security surprises.

A powerful endpoint security solution will prevent known and unknown malware and exploits; detect and mitigate threats; enable users to work safely by finding systems that match their risk level; and incorporate automation to reduce team workloads.

Vendor-Hosted IT Systems

Many healthcare facilities utilize vendor-hosted IT systems for remote access to patient records and other functionality. This is a convenient option that can be beneficial if you work with established vendors with excellent internet connections and diligent backup features, but it does put your data at risk if something goes down at the vendor site.

Yale’s security teams found that whoever breached its systems had taken information that included names, Social Security numbers and dates of birth from many of its students, even though the university had stopped using those numbers as identifiers a decade ago. To combat that threat, the school is requiring all students to enroll in multifactor authentication when they’re outside the Yale network, such as at a coffee shop or off-campus apartment.
