Yale's Minimum Security Standards
The Minimum Security Standards (MSS) are how we protect Yale IT Systems based on risk. The MSS helps us address Yale's risk landscape and deliver the Yale mission securely.
Everyone plays a role in understanding and applying the MSS at Yale. To do this, you'll need to:
- Know what the Minimum Security Standards (MSS) are.
- Know the risk of the work you do.
- Know your role in implementing the MSS.
View Yale's Minimum Security Standards
The Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems. The MSS ensures we build and maintain secure Yale IT Systems based on the risk they carry.
You can view the MSS in one of three ways:
MSS Download
Download the full list of Minimum Security Standards in CSV format. Please allow a few minutes for the download to complete.
When do the MSS apply?
A Yale IT System is any IT system that uses Yale data and/or operates in support of Yale's mission. This includes:
- The laptop, desktop, tablet, or mobile device you use to complete your work for Yale.
- The software and applications you use to access, store, or send your work for Yale.
- IT Systems hosted at Yale (i.e. built and run by Central IT or a department).
- IT Systems hosted by a third party (e.g. cloud applications, third-party services).
- All environments that access Yale data. If real Yale data is being put in development or test environments, those environments must meet the MSS.
How do the MSS work?
The MSS are baseline security requirements for all systems accessing Yale Data. We apply the Minimum Security Standards based on:
- the type of system you're working with, and
- the risk level of the work you are doing (a.k.a. risk classification).
System Type
To apply the MSS to what you're doing, you need to determine what system type you are working with. The MSS requirements apply to four system types:
System Type | Definition | Examples |
---|---|---|
Endpoint | An endpoint is any device that is physically an endpoint on a network. This means it communicates back and forth with the network it connects to. Endpoints do not host any network resources for other endpoints to connect to. | Desktops, laptops, POS terminals |
Server | A server is a computer that processes requests and/or delivers data to other computers. A server processes requests or delivers data over the network it connects to. Servers share network resources with endpoints. | Web, file, email, and database servers, including virtual machines and containers running at Yale or in cloud providers like AWS, GCP, Azure. |
Mobile Device | A mobile device is a portable, usually handheld, computer. Like endpoints, a mobile device communicates with the network it connects to. Mobile devices differ from endpoints in that they usually run mobile operating systems, which have security requirements that differ from those of endpoints. | Smartphones, tablets |
Network Printer | A network printer is a printer connected to a network. Network printers receive their print jobs via a print server. Note: This does not include personal printers. Personal printers process print jobs through a physical connection to an endpoint. | Papercut printers |
Some Yale IT Systems are too complex in nature to rely solely on the MSS for their security requirements. We refer to these system types as "Critical IT Infrastructure". The definition and requirements of Critical IT Infrastructure are found in Yale-MSS-1.4.
Know Your Risk / Risk Classification
The second factor for applying the MSS is the risk of the work you're doing. We refer to this as "Know Your Risk" or "risk classification". Yale has three risk classification levels: high, moderate, and low. Risk classification is determined by:
- The risk level of the data you're working with. This is based on Yale's Data Classification Policy.
- How long you can be without the data or system to do your work (a.k.a. availability requirement).
- If the data is subject to any external obligations (e.g. HIPAA, PCI).
For more information on finding your risk level, see our Risk Classification Guideline.
Once you know your system type and risk classification, you know which Minimum Security Standards you must meet.
Examples
If you are using your laptop to access Yale data...
You know you have to meet the MSS for endpoints. You also need to meet the MSS for the risk of the work you are doing. So, for example, if you are using your laptop to access financial data, you are working with High Risk data. Your laptop would need to meet the High Risk MSS for endpoints.
If you are building an application to store Yale data...
You know you must meet the MSS for servers. You also need to meet the MSS for the risk of the data being stored. So, for example, if the application will be used by a researcher to store publicly available research data, the application needs to meet the Low Risk MSS for servers.
What is my role in applying the MSS at Yale?
What you need to know is based on how you interact with Yale Data and IT Systems. We have chosen the following roles for implementing the MSS. You can be one, some, or all these roles depending on how you work at the University.
Once you know your role, choose the corresponding guideline to help you apply the MSS at Yale.
Role | Description | Guideline |
---|---|---|
Users | Users are anyone who works with Yale Data or IT Systems. Users must know the risk of the work they are doing and use systems that meet the MSS for that risk level. | MSS for Users and User Support Providers |
User Support Provider | A user support provider is someone who helps users with IT or Information Security issues. This includes anyone who identifies their role as an IT Support Provider. User support providers help users work securely by helping them find systems that match their risk level. | MSS for Users and User Support Providers |
System Decision Maker | A system decision maker is the person responsible for the technical delivery of a Yale IT system. System decision makers are also known as the technical owner of systems. System decision makers are responsible for ensuring their system meets the Minimum Security Standards based on the system type and risk level. | Applying the MSS to IT Systems |
System Support Provider | A system support provider is someone who provides support to a Yale IT system. This can be anyone who builds, hosts, or maintains a Yale IT System. System support providers are the ones configuring the system they support to meet the MSS. | Applying the MSS to IT Systems |
MSS Resources
Below is a collection of resources to help you understand and apply the MSS at Yale.
MSS for Users and User Support Providers
This page helps users understand how Yale's Minimum Security Standards (MSS) apply to their everyday work at Yale.
Applying the MSS to IT Systems
This page explains how to read, understand, and apply the Minimum Security Standards (MSS) to a system.
MSS Key
Once you know your system type and classification, use the key to know which MSS apply to your IT System.
MSS Calculator
The MSS Calculator helps you narrow down the MSS to only the requirements that apply to your IT System.
Full MSS List
The Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems.
Know Your Risk Toolkit
When you know the risk classification of the data and IT Systems you use, you will know if you are working securely.