
Security Planning Assessment (SPA)

Security is everyone’s responsibility. Use the SPA process to define your plan to operate secure IT Systems.

What is a SPA?

The Security Planning Assessment (SPA) is Yale’s process to highlight and manage cybersecurity risk through compliance with the Minimum Security Standards (MSS).

When is a SPA required?

A SPA is required for all IT Systems accessing Yale data or operating in support of Yale’s mission.

For on-premises systems:

  • Yale must meet and maintain the MSS. This is done through an MSS Review.
  • For the purposes of the SPA, on-premises systems include systems run by Yale in cloud providers such as Amazon AWS, Google GCP, or Microsoft Azure.

For vendor hosted solutions:

  • Do not review the MSS for the vendor or send it to them.
  • We will work with you to have the vendor complete a Third-Party Risk Management (TPRM) assessment.
  • You only need to complete an MSS review for the MSS Yale is responsible for.

Who should complete a SPA?

Anyone can request a SPA. However, the three phases of a SPA are technical in nature. If you are not someone who understands the technical details of cybersecurity requirements, you will need to work with your IT Support Provider to successfully complete the SPA process.

The three phases to completing a SPA

Reminder: The SPA is technical in nature. If you do not know how to configure systems to meet the MSS, please work with your IT Support Provider to complete the SPA.

  • Phase 1, Request

    Request a SPA and meet with the Information Security Office to understand the requirements.
  • Phase 2, Review

    Complete your MSS Review to address your system's security requirements.
  • Phase 3, Assess

    Finalize the SPA with the Information Security Office based on system-specific requirements.

Phase 1: Request

1. Request a SPA using the SPA Request Form.

2. Attend a brief meeting with the Information Security Office (ISO) to:

  • Review the SPA process and ask questions.
  • Classify the system’s risk (Low, Moderate, or High).
  • Review Yale's AI Guidelines for Staff and submit an AI Project Request if applicable.
  • Identify a Third-Party Risk Management (TPRM) contact (vendor-hosted solutions only).
    • Vendors complete their own questionnaire. Do not fill it out for them.
  • Next steps will be outlined at the end of the meeting, including IT Support contacts for help completing the MSS review.

Phase 2: Review

Complete your MSS Review. A few reminders:

  • This should be done by someone who understands how to configure systems to meet the MSS. If you do not understand these technical details, please work with your IT Support Provider to help you complete the MSS review.
  • For on-premises systems:
    • Complete the MSS Review.
    • For the SPA, on-prem systems include systems run by Yale in cloud providers such as Amazon AWS, Google GCP, or Microsoft Azure.
  • For vendor hosted solutions, the security responsibility is shared with the vendor. Review the “Notes on vendor-hosted solutions” below.
    • Do not review the MSS for the vendor or send it to them.
    • You only complete an MSS Review for the MSS Yale is responsible for.
    • We will work with you to have the vendor complete a Third-Party Risk Management (TPRM) assessment.
  • Keep in mind that you only need to review the MSS that Yale is responsible for. Security controls that are the vendor's responsibility are assessed through Third-Party Risk Management (TPRM), not through your MSS Review.

    As you review the MSS, if a vendor is responsible for a security control, you can skip it. For example, physical security is an obvious vendor responsibility. If a vendor is hosting your system, they are responsible for physical security.

    Responsibility will vary from vendor to vendor - read the MSS and determine who is responsible for what.

    Some typical items that Yale would be responsible for in a vendor-hosted system may include:

  • Matching the system to the correct security baseline (its type, risk classification, and external obligations) is essential, because the baseline determines which MSS requirements apply.

    The suggested approach to reviewing the MSS is:

    1. Use the MSS Calculator to generate the relevant requirements for the target system. The MSS Calculator will generate a CSV list of the requirements based on the system’s type, risk classification, and external obligations.
    2. Review the requirements to determine which are applicable to the IT System. An example of a requirement which may not be applicable is training for third parties (YALE-MSS-11.2). If only Yale users use the system, this requirement does not apply.
    3. Submit MSS exception requests for the applicable requirements that will not be met.

    Please do not send the MSS to vendors.

    A tool we provide for completing the MSS Review is the MSS Review Workbook. This workbook is just one way to manage the information involved in an MSS review. Other approaches are certainly possible! There is no obligation to share this workbook with the Information Security Office.

Phase 3: Assess

Work with the Information Security Office (ISO) to finalize the SPA process. This is based on your completed MSS Review from Phase 2.

Please note that the final phase of the SPA process depends on the IT System's risk classification and type. If the IT System is Low Risk, the ISO may determine that this phase is not needed.

During the Assessment phase, you will:

  • Provide an attestation regarding the IT System’s adherence to the MSS.
  • Work with ISO to:
    • Complete the exception request process, if necessary.
    • Remedy vulnerabilities identified as part of the vulnerability scanning process (for systems installed onsite or in a Yale-owned/contracted space). 

Frequently Asked Questions

  • Completing a SPA ensures IT Systems meet the MSS and operate securely. The MSS help secure Yale’s cybersecurity footprint and the delivery of its mission.

    Preparing for and completing the SPA process is also an opportunity to:

    • Review your plan to meet and maintain the MSS for the IT System.
    • Contribute to a registry of IT Systems used for security testing.
    • Identify and understand the risks the IT System brings to the University.

    Request a SPA when any of the following conditions apply:

    • A new Yale IT System is being built or purchased.
    • An existing IT System has not completed the SPA process.
    • A significant change to hardware, software, hosting provider, or risk classification is made to an existing IT System which has a completed SPA.
    • When sufficient time has passed since an IT System’s last SPA:
      • 2 years for High Risk systems
      • 3 years for Moderate Risk systems
      • 4 years for Low Risk systems
  • Anyone can request a SPA. However, the three phases of a SPA are technical in nature. If you are not someone who understands IT and cybersecurity issues, work with your IT Support provider to complete the SPA process.

  • The length of time that it takes to complete a SPA depends on a number of factors. A SPA cannot be finalized until:

    • MSS Review is complete.
    • Exception requests are processed.
    • Third-Party Risk Management (TPRM) assessment is complete (for vendor-supported systems).
    • Business Associate Agreement and/or the Data Addendum is executed (for vendor-supported systems).
    • Vulnerability scans and remediation are complete.
    • MSS attestation is provided.
  • The ISO does not complete the MSS Review of an IT System. This is the responsibility of the individual who initiates the SPA, working with their IT Support Provider as needed. The ISO is happy to assist and answer questions.

  • The ISO performs the following roles in the process:

    • Guides SPA initiators through the process.
    • Answers specific questions related to the MSS.
    • Performs the third-party risk assessment (for vendor-hosted systems).
    • Completes vulnerability scans (for onsite systems).
    • Guides individuals through the exception request process.
  • The ISO has published guidelines on data classification and risk classification. Questions about how data should be classified according to the established guidance should be brought to the data owner for the IT System.

Need more help?

Supporting resources for completing the SPA: 

For additional questions about the SPA, please email information.security@yale.edu.