A Yale Data User's Guideline to the Minimum Security Standards (MSS) 

Every Yale Data User must follow all Yale Information Security policies. Yale Data Users subject to HIPAA must also comply with University HIPAA policies.

We consolidated all current information security policies, procedures, and practices into the Minimum Security Standards (MSS). This includes information security policies related to HIPAA and PCI DSS. The MSS are baseline security requirements for building and maintaining secure IT Systems. As a user, you play a role in securing Yale Data and IT Systems. This page explains what you need to do to apply the MSS and keep Yale secure.

All Yale Data Users must ensure the appropriate level of security for the data they use. This does not mean we expect you to configure your own IT System to meet the MSS.

What do users need to know about the Minimum Security Standards?

Technology plays a critical, growing role in how we deliver Yale's mission: our research, education, and exchange of free ideas. We refer to the technology we use as Yale IT Systems. Yale IT Systems are any IT Systems that:

  • Access, create, store, or transmit Yale Data; and/or
  • Operate in support of Yale's mission.

As a user of Yale Data and IT Systems, you play a role in securing them. We secure our IT Systems based on two factors:

  • The system type (endpoints, servers, mobile devices, and network printers).
  • The risk classification of how the IT System is being used.

As a user, you need to know the risk classification of your work to work securely. We explain this concept in our Risk Classification Guideline. Once you know your risk classification, you can do one of the following:

  • Use available, secure services that match your risk classification. Find available, approved services by Risk Classification on our Approved Services Table.
  • Communicate your risk classification to your User Support Provider. This is also known as an IT Support Provider. They can help you select, buy, or build a Yale IT System built to match your risk classification.

Know the risk of the work you're doing. Work with your User Support Provider to ensure you're working securely.

How can you help implement the MSS to keep Yale secure?

You can ask several questions to ensure you are working securely.

  • What data are you working with?
  • Is the system you use configured to protect that level of data?
  • What if you're handed new data? Or asked to use a new system? Does it match the classification of your work?

Asking these questions helps to ensure secure work. Ask your supervisor or your User Support Provider (IT Support Provider) to help you answer these questions.