
Yale's Minimum Security Standards (MSS)

The Minimum Security Standards (MSS) are how we protect Yale IT Systems based on risk. Everyone plays a role in understanding and applying the MSS.  To help you navigate the MSS, this page includes three key sections: 

  1. Understanding the MSS - what are they and how do they apply to me? 
  2. Applying the MSS - if you need to apply the MSS to an IT System, read this to understand how they apply. 
  3. Viewing the MSS - view the complete list or filter them down to the standards that apply to you. 

Understanding the Minimum Security Standards (MSS)

As a member of the Yale community, you have access to Yale Data and Yale IT Systems. You either use Yale IT Systems or support them. Either way, you need to: 

  • Know what the Minimum Security Standards (MSS) are.
  • Know the risk of the work you do. 
  • Know your role in implementing the MSS. 

What are the MSS? 

The Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems. The MSS ensure that Yale IT Systems are built and maintained securely, with requirements scaled to the risk of the system. You can view the MSS in one of two ways: 

  • View a complete list of the MSS. This is a consolidated list of all of Yale's security requirements. These requirements come from Yale's current security policies, procedures, and practices. 
  • Narrow the MSS down to the requirements for your IT System using the MSS Calculator. 


Don’t know what risk classification is or how it applies to you? Read the Risk Classification Guideline before continuing on this page.

How do I know the risk of the work that I do? 

The MSS applies to different system types based on their risk classification. You need to know the risk classification of the work you do or the system(s) you support.

Read the Risk Classification Guideline

What is my role in implementing the MSS? 

We understand there is a lot to know about the Minimum Security Standards. What you need to know is based on how you interact with Yale Data and IT Systems. We have chosen the following roles for implementing the MSS. You can be one, some, or all of these roles depending on how you work at the University. 


Users and User Support Providers

Users and User Support Providers do not play a role in building or maintaining Yale IT Systems to meet the MSS. Users need to ensure the Yale IT System(s) they use match the risk classification of the work they do. User Support Providers should understand risk classification so they can help users make this match. 

Helpful resources for understanding risk classification and how it applies to these roles include the Risk Classification Guideline linked above. 

System Decision Makers and System Support Providers 

If you provide or support Yale IT Systems, the information below is for you. Your responsibility is to understand and apply the MSS to the Yale IT System(s) you provide or support. Apply the MSS based on the risk classification of the IT System(s) you support. 

Who decides the risk classification of the IT System(s) you support? 

The System Decision Maker decides the classification of the IT System. The IT System should be classified based on how it is used or how it will be used. As a System Decision Maker, you do not have to make this decision alone: work with the user base or other key stakeholders to classify the IT System based on how it is used. 

What about third-party/cloud services? 

Anyone using a third-party service (e.g. a cloud service) for Yale Data must ensure the MSS can be applied to that service. Work with the service provider to confirm the MSS can be met before purchasing or using the service; the obligation to meet the MSS does not transfer to the provider just because the system is hosted off campus.


Applying the Minimum Security Standards (MSS) 

The MSS are applied to Yale IT Systems based on: 

  • System type 
  • Risk classification 

You can use the MSS Calculator to choose your system type and risk classification. This will show you the requirements that apply to your IT System. 

System Type

Determine your system type to understand which standards apply to your Yale IT System. The MSS outlines requirements for the following system types: 

System Type Table

Endpoint
  Definition: An endpoint is a device that connects to a network as a client. It communicates back and forth with the network it connects to, but it does not host any network resources for other devices to connect to. 
  Examples: Desktops, laptops, POS terminals

Server
  Definition: A server is a computer that processes requests and/or delivers data to other computers over the network it connects to. Servers share network resources with endpoints. 
  Examples: Web servers, file servers, database servers, email servers

Mobile Device
  Definition: A mobile device is a portable, usually handheld, computer. Like endpoints, a mobile device communicates with the network it connects to. Mobile devices differ from endpoints in that they usually run mobile operating systems, which have different security requirements from endpoint operating systems. 
  Examples: Smartphones, tablets

Network Printer
  Definition: A network printer is a printer connected to a network. Network printers receive their print jobs via a print server. 
  Note: This does not include personal printers. Personal printers process print jobs through a physical connection to an endpoint. 
  Examples: PaperCut printers

Critical IT infrastructure

Some Yale IT Systems are too complex in nature to rely solely on the MSS for their security requirements. We refer to these systems as "Critical IT Infrastructure". The definition and requirements of Critical IT Infrastructure are found in Yale-MSS-1.4.

Internet Accessible Systems

Internet-accessible systems allow connections from the public internet. This presents more risk to the IT System. As a result, more security requirements apply. The definition and requirements for Internet Accessible systems are in the MSS Key.


Risk Classification

The risk classification of an IT System determines which Minimum Security Standards apply. The Risk Classification Guideline will help you determine if your Yale IT System is:

  • high, moderate, or low risk, and
  • subject to any external obligations 

External Obligations and the MSS

The Minimum Security Standards are baseline requirements for typical Yale IT Systems. The MSS include overlays for regulatory obligations that often apply at Yale. Currently, the MSS have overlays for the additional HIPAA and PCI security requirements. The definition and requirements for systems subject to HIPAA and PCI are in the MSS Key.


Viewing the Minimum Security Standards (MSS)

  • View a complete list of the MSS. This is a consolidated list of all of Yale's security requirements. These requirements come from Yale's current security policies, procedures, and practices. 
  • Narrow the MSS down to the requirements for your IT System using the MSS Calculator. 


Both of these use the MSS Key, outlined below. 

Reminders for Applying the MSS: 

  • All Yale IT Systems must meet and maintain the Yale MSS throughout the system's lifecycle. This includes all environments of the Yale IT System (dev, test, prod) that access Yale Data. This also includes IT Systems hosted by Yale or by a third party on behalf of Yale. 
  • Systems subject to external obligations may require additional security measures. These are dependent on the specifics of the contractual or regulatory obligation. These security requirements are not represented in the MSS outside of HIPAA and PCI.

MSS Key

Once you know your system type and classification, use the key to know which MSS apply to your IT System. These tags show which security requirement applies to which system type and risk classification, and which additional requirements apply for Internet Accessible, HIPAA, and PCI systems.

MSS Key

Required
  The "Required" tag marks standards currently required for that system type and classification. 

Upcoming
  The "Upcoming" tag marks standards that are future requirements. Any standard marked as "Upcoming" will be required soon. The MSS lists these upcoming requirements to allow budget planning for the IT System. 

Not Required
  The "Not Required" tag indicates the standard is not required for that system type and classification. 

Required for IA
  The "IA" tag indicates a current requirement for Internet Accessible IT Systems. 

Internet Accessible (IA) systems allow connections from the public internet without an additional layer of protection such as a Virtual Private Network (VPN) or an authenticated Web Application Proxy (WAP). IT Systems behind a Web Application Firewall (WAF), un-authenticated proxy, or load balancer are Internet Accessible (IA) if the front-end IP is itself accessible from the internet.
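The IA rule above is the one part of the key that is easy to get wrong in practice, because a WAF or load balancer feels like "protection" but does not change the answer. The following is an added example, not the MSS Calculator or any Yale code: it encodes the IA definition as written on this page and then derives the set of key tags to filter on (the `SystemProfile` fields, the tag strings, and the sample systems are all assumptions made for illustration). It treats an address as internet-reachable when Python's `ipaddress` module reports it as globally routable; that is a necessary condition, not proof that the address is actually reachable through campus firewalls, so confirm with a scan from outside the network.

```python
"""Added illustration of the MSS Key rules on this page (not the MSS Calculator)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

VALID_CLASSIFICATIONS = ("low", "moderate", "high")


@dataclass
class SystemProfile:
    """Hypothetical description of one Yale IT System (fields are assumptions)."""
    name: str
    system_type: str                      # "endpoint", "server", "mobile", "printer"
    classification: str                   # "low", "moderate", or "high"
    front_end_ips: List[str] = field(default_factory=list)  # IPs clients connect to
    vpn_only: bool = False                # reachable only over the VPN
    authenticated_proxy: bool = False     # behind an authenticated Web Application Proxy
    fronted_by: str = "none"              # "waf", "lb", "unauth-proxy", or "none" (informational)
    hipaa: bool = False
    pci: bool = False

    def __post_init__(self):
        if self.classification not in VALID_CLASSIFICATIONS:
            raise ValueError(f"unknown classification {self.classification!r}")


def is_internet_accessible(p: SystemProfile) -> bool:
    """Apply the page's IA definition.

    A VPN or an authenticated Web Application Proxy is an additional layer of
    protection, so the system is not IA. A WAF, unauthenticated proxy or load
    balancer is NOT such a layer: the system is IA if any front-end address
    (the VIP clients actually hit) is itself routable from the internet.
    """
    if p.vpn_only or p.authenticated_proxy:
        return False
    for ip in p.front_end_ips:
        # ip_address() raises ValueError for hostnames; resolve them first.
        if ipaddress.ip_address(ip).is_global:
            return True
    return False


def effective_classification(p: SystemProfile) -> str:
    """HIPAA and PCI systems must apply everything marked required for high risk."""
    if p.hipaa or p.pci:
        return "high"
    return p.classification


def key_tags(p: SystemProfile) -> Set[str]:
    """Tags from the MSS Key to filter the complete MSS list on for this system."""
    tags = {f"required:{effective_classification(p)}"}
    if is_internet_accessible(p):
        tags.add("IA")
    if p.hipaa:
        tags.add("HIPAA")
    if p.pci:
        tags.add("PCI")
    return tags


# Constructed sample systems (not real Yale hosts or addresses).
SAMPLES = [
    SystemProfile("public payment web app", "server", "moderate",
                  front_end_ips=["93.184.216.34"], fronted_by="lb", pci=True),
    SystemProfile("internal file server", "server", "high",
                  front_end_ips=["10.12.3.4"]),
    SystemProfile("vpn-only admin console", "server", "high",
                  front_end_ips=["93.184.216.35"], vpn_only=True),
    SystemProfile("research laptop", "endpoint", "low"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.name:28s} IA={is_internet_accessible(s)!s:5s} tags={sorted(key_tags(s))}")
```

Note that the WAF/load-balancer case falls out of the rule with no special handling: `fronted_by` is recorded only for documentation, because the decision depends solely on whether the front-end address is globally routable and whether a VPN or authenticated proxy gates it.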

Required for HIPAA
  The "HIPAA" tag indicates a current requirement for IT Systems subject to HIPAA. If the Yale IT System is subject to HIPAA, it must apply all MSS marked as required for high risk and all MSS marked HIPAA.

  Any standard marked with "HIPAA" is currently required by University HIPAA Policy. These security requirements ensure compliance with the HIPAA Security Rule. 

Required for PCI
  The "PCI" tag indicates a current requirement for IT Systems subject to PCI. If the Yale IT System is subject to PCI, it must apply all MSS marked as required for high risk and all MSS marked PCI. 

  Any standard marked with "PCI" is currently required by Yale to ensure compliance with PCI DSS, the Payment Card Industry Data Security Standard. 

Need help? 

  • For questions or concerns about the MSS, email information.security@yale.edu. We encourage feedback on the MSS to help us enhance future versions. 
  • If your IT System can't meet one or more of these standards, an exception request is required. 
