Minimum Security Standards

These standards are intended to reflect the minimum-security configurations necessary for devices that create, access store or transmit Yale data. Devices should be configured in accordance with the highest data classification used on the device.

Every data user is responsible for ensuring the appropriate level of security for the data they use. More information on this requirement can be found in Procedure 1604 PR.01. Additionally, any Data User creating, accessing, storing or transmitting personally identifiable patient information or human subject data is required to comply with the Yale University HIPAA Policy 5100.

Please note that these standards will be revised and updated accordingly to ensure and compliance with current cybersecurity best practices.

Endpoint Security Configuration | Additional For Server Computers | Mobile Devices | Network Printer Security Configuration | Critical IT Spaces

Endpoint Security Configuration

Whole Disk Encryption Required Required Recommended
No Administrative Privileges Required Required Recommended
Device/System Registration Required Required Recommended
Use Private IP Address Required Required Recommended
Use Only Supported Operating Systems Required Required Required
Patching/Updates Installed within 30 days of release
*automatic patching recommended*
Required Required Required
Anti-Virus/Endpoint Protection Installed & Active Required- Managed AV Required- Managed AV Required
Enrollment in Enterprise Active Directory Required Required Recommended
Use Enterprise Authentication Required Required Recommended
Automatic Network Backup Required Required Recommended
Inactivity Lock Required – 15 minutes Required – 30 minutes Recommended – 1 hour or less
Don’t use applications considered harmful (e.g. P2P) Required Required Recommended
Do use approved External Messaging Applications Required Required Recommended
Procurement - Buy Yale Managed Computers Required Required Recommended
Physically secure (locks, etc.) Required Required Recommended
Have Professionally Managed Required Required Recommended

Additional for Server Computers

Security Control High Risk Data Moderate Risk Data Low Risk Data
Configure using CIS Security Standards Required Required Required
Security Design Review (SDR) Required Required n/a
Separate web, database and file service functions by server Required Required Recommended
Professionally Managed by ITS or ITS-approved system admins Required Required Recommended
Physically Secure in ITS or ITS-Approved Data Centers Required Required Recommended
Secure on Yale ITS data center administered or approved fire- walled networks. Required Required Recommended
Use Web Applications Firewall Required Required Recommended
Access to data requires MFA Required Recommended Recommended
Data files require encryption Required Recommended Recommended

Mobile Devices (smartphones, tablets)

Security control High Risk Data Moderate Risk Data Low Risk Data
Lock with a password or PIN Required Required Recommended
Encrypt the device Required Required Recommended
Limit stored e-mail messages to 200 msgs or 14 days of msgs Required Required n/a
Use Yale approved apps Required Required n/a
Manufacturer Supported Operating System Required Required Required
Must have remote wipe capability in the event of a lost or stolen device  Required Required Recommended
No tampering with device (“Jail breaking”) Required Required

Required for Yale owned mobile devices
Recommended for personally owned devices

Network Printer Security Configuration

Security Control High Risk data Moderate Risk data Low Risk data
Use Private IP Address Required Required Recommended
Whole Disk Encryption Required Required Recommended
Enable Private Printing Required Required Recommended
Set Strong Administrative Password Required Required Required
Device Registration Required Required Recommended
Manufacturer supported Operating System Required Required Required
Patching/Updates Installed within 30 days of release
*automatic patching recommended*
Required Required Required
Disable Unnecessary Services Required Required Required
Use HTTPS:// When Accessing via Web Browser Required Required Recommended
Maintain these standards throughout the printer’s lifecycle Required Required Required

For more details on the Minimum Security Standards configurations, view this PDF.

Critical IT Spaces 

All Critical IT Spaces are required to meet the Minimum Physical Security Standards for Critical IT Spaces

Critical IT Spaces are defined as any area that contains Critical IT Infrastruture. Critical IT Infrastructure can contain low, moderate, or high risk data and is defined as any IT System that meets the following criteria: 

  • An IT System that unrelated IT systems have a dependency on, and/or 
  • An IT System that is complex or specialized in nature and needs special protections beyond Yale’s Minimum Security Standarsd. 

All Critical IT Infrastructure is designated by Yale’s Chief Information Security Officer. Any questions regarding the designation of Critical IT Infrastructure or if an area is considered a Critical IT Space should be directed to