New Minimum Security Standards (MSS) V2

New MSS V2

Effective Date: September 9, 2019 - Present 

The New MSS V2 only applies to IT Systems administered by Yale Information Technology Services (Yale ITS). All other IT Systems hosting Yale data are required to follow the current set of Minimum Security Standards that outline the security controls required for high, moderate, and low risk data.

The New MSS enhances the current University Minimum Security Standards by:

  • Providing detail on how to achieve the security controls
  • Consolidating all current security Policies, Procedures, and Practices into one place
  • Creating a mechanism to list upcoming security requirements so that they can be budgeted and planned for

What has changed from V1 to V2?

Below is a description of the changes made between Updated MSS V1 and this current version of the Updated Minimum Security Standards (MSS V2). 

Additions:

  • YALE-MSS-2.2: Determine if the system is considered Critical IT Infrastructure 
  • YALE-MSS-10.5: Ensure administrative and service account credentials (username/password) are not shared 

Updates: 

  • YALE-MSS-3.1 is now only required for high risk servers 
  • YALE-MSS-5.1 now includes detailed requirements 
  • YALE-MSS-9.2 was changed to read “Ensure user account credentials (username/password) are not shared. This requirement is now current state. 

Why create New Minimum Security Standards?

The New MSS is the first attempt at providing more detail so that anyone responsible for building and maintaining Yale IT Systems fully understand their security requirements. Utilizing this set of Minimum Security Standards when building and maintaining an IT System will result in the system passing through the Security Design Review and any other security audits or assessments efficiently.  

This format also allows for future security requirements to be rolled out at a pace that allows time for budgetary and resource planning. This is critical for security to ensure that our baseline of controls keeps up with the dynamic world of cybersecurity. This is critical for those who own and maintain the IT system to be able to plan for the necessary resources needed to meet the upcoming requirements.

Who will the New Minimum Security Standards apply to? 

As of July 2019, these new Minimum Security Standards will apply to all IT Systems administered by Yale Information Technology Services (ITS). All IT Systems are required to follow the MSS For the system’s classification. To ensure the appropriate standards are being met, ensure the system has been properly classified according to the Classifying and Protecting Yale IT Systems guideline.

The goal is to eventually utilize this MSS University-wide. However, systems not administered by Yale Information Technology Services (ITS) are only required to use the current University Minimum Security Standards

Providing Feedback

If you want to play a role in shaping what the New MSS will look like for the University-wide implementation, please start by providing feedback on Version 1. It is important that we receive feedback on this first version so that we can correct any mistakes before rolling this out to the broader community. We are looking for feedback that includes, but is not limited to the following: 

  • Are there any controls on this list that you do not feel are current state?
  • Are there any controls on this list that do not make sense and need more detail?
  • Is there anything that we currently do for security that is not represented as a standard on this first version? We want to ensure that all current policy, procedures, and practices are represented on this first version.

Please provide all feedback to information.security@Yale.edu.

Applying the New Minimum Security Standards 

All Yale IT Systems are required to meet and maintain the MSS for the system’s classification. To ensure the appropriate standards are being met, ensure the system has been assigned the proper risk level using the Classifying and Protecting Yale IT Systems guideline.  

Once the system’s classification has been identified, the ITS Minimum Security Standards divides IT Systems into two system types: endpoints and servers. 

An endpoint is a computing device that communicates back and forth with a network to which it is connected. This computing device does not host any network resources for other endpoints to connect to. Examples include: desktops, laptops, smartphones, tablets, workstations, POS terminals. 

A server is a computing device designed to process requests and deliver data to another computing device over the network to which it is connected. This computing device shares network resources with endpoints. Examples include: web servers, file servers, database servers, email servers, identity servers. 

The ITS Minimum Security Standards identifies required standards for high, moderate and low risk IT Systems using the following key: 

Symbol Meaning
x Any Minimum Security Standard marked with “x” means that standard is currently required for that system type and classification.
o Any Minimum Security Standard marked with “o” means that standard is an upcoming requirement for that system type and classification. This control is not currently required, but should be considered for future planning and budgeting for the IT system. 
HIPAA Any Minimum Security Standard marked with “HIPAA” means that standard is required by University HIPAA Policy to comply with the HIPAA Security Rule. If the IT System is subject to HIPAA, it must follow all Minimum Security Standards marked for high risk and marked for HIPAA. 
PCI Any Minimum Security Standard marked with “PCI” means that standard is required to comply with the Payment Card Industry Data Security Standards (PCI DSS). If the IT System is subject to PCI DSS, it must follow all Minimum Security Standards marked for high risk and marked for PCI. 
PBIP Any Minimum Security Standard marked with “PBIP” is required for any system that must remain public facing for a busines sort academic function.  If the IT System is on a public IP address, it must follow all Minimum Security standards for its system classification, as well as the ones marked for PBIP. 

Minimum Security Standards (MSS) V2

Click here to download the complete Minimum Security Standards (MSS) V2

YALE-MSS-1: inventory the system
YALE-MSS-Subcategory

Low Risk

Endpoint

Mod Risk

Endpoint

High Risk

Endpoint

Low Risk

Server

Mod Risk

Server

High risk

Server

YALE-MSS-1.1: Set the security perimeter         x x
YALE-MSS-1.2: Plan for meeting and maintaining the security requirements x x x x x x
YALE-MSS-1.3: Identify the system’s primary security contact o o o o o o
YALE-MSS-1.4: Maintain and inventory all hardware and software so it is up to date     x   x x
YALE-MSS-1.5: Move all components to a private IP address x x x x x x
YALE-MSS-1.6: Produce architectural diagrams         o x
Yale-mss-2: know the security requirements for the system
Yale-mss-subcategory

low risk

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-2.1: Classify the IT System and meet the MSS  x x x x x x
YALE-MSS-2.2: Determine if the system is considered Critical IT Infrastructure            
YALE-MSS-2.3: Comply with all external security requirements  x x x x x x
YALE-MSS-2.4: Ensure third party contracts are in place when required        x x x
YALE-MSS-2.5: Plan for data recovery requirements        x x x
YALE-MSS-2.6: Document and test DR Plans       x x x
YALE-MSS-2.7: Ensure a valid policy exception request is filed when a MSS cannot be met x x x x x x
Yale-MSS-3: Physically Secure the system
MSS Description

low risk

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-3.1: Physically secure Critical IT Spaces          x x
YALE-MSS-3.2: Physically secure the system      x     x
YALE-MSS-3.3: Physically secure the system to comply with the HIPAA Security Rule     HIPAA     HIPAA
YALE-MSS-4: Securely configure hardware and Software
mss description

low risk-

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-4.1: Utilize an industry standard secure configuration standard   x x   x x
YALE-MSS-4.2: Utilize file integrity & configuration checking tools      PCI     PCI
YALE-MSS-4.3: Utilize an Anti-Virus solution x x x x x x
YALE-MSS-5: Use Supported software throughout the system’s lifespan
MSS Description

low risk

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-5.1: Run supported operating systems x x x x x x
YALE-MSS-5.2: Run supported software x x x x x x
YALE-MSS-6: Actively apply security patches
MSS DESCRIPTION

LOW RISK

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-6.1: Ensure timely security patches are routinely and actively applied x x x x x x
YALE-MSS-6.2: Implement an emergency patch process PBIP

o

PBIP

o

PBIP

PBIP x x
YALE-MSS-7: Protect the data
MSS Description

low risk

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-7.1: Back Up user-level and system-level data   x x   x x
YALE-MSS-7.2: Encrypt all electronic storage devices   x x   x x
YALE-MSS-7.3: Actively ensure devices with covered data are encrypted     HIPAA      
YALE-MSS-7.4: Sanitize systems before re-use or disposal    o x   o x
YALE-MSS-7.5: Ensure there is no unencrypted traffic outside of the Yale University Network      x     x
YALE-MSS-7.6:  Purge data once it is no longer required   x x   x x
YALE-MSS-7.7: Utilize host Data Loss Prevention (DLP)     HIPAA      
YALE-MSS-7.8: Utilize screen locks for systems    x x   x x
YALE-MSS-7.9: Store servers hosting Yale Data within the United States          x x
YALE-MSS-8: Develop and Maintain secure software and applications
MSS Description

low risk

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-8.1: Implement secure SDLC practices when deploying software and applications      

o

PBIP

o

PBIP

YALE-MSS-9: Manage access to the system
MSS description

low risk

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-9.1: Ensure all account types are uniquely identified and authenticated    x x   x x
YALE-MSS-9.2: Ensure account credentials (username/password) are not shared  x x x x x x
YALE-MSS-9.3: Utilize secure passwords for authentication x x x x x x
YALE-MSS-9.4: Grant privileges to IT Systems and data according to the principle of least privilege      o   o

o

PBIP

YALE-MSS-9.5: Deprovision accounts and access when roles and responsibilities change  x x x x x x
YALE-MSS-9.6: Require Multifactor Authentication (MFA) for remote user access to CAS (SSO) and VPN x x x x x x
YALE-MSS-9.7: Require Multifactor Authentication (MFA) for all user access    o o   o o
YALE-MSS-9.8: Require Multifactor Authentication (MFA) for use of University credentials, VPN, or email o o o o o o
YALE-MSS-9.9: Require web applications using Yale NetID credentials to utilize the University’s approved Single Sign On (SSO) method x x x x x x
YALE-MSS-9.10: Secure and/or limit storage of plain text authentication information - do not store passwords in the clear          x x
YALE-MSS-9.11: Allow only encrypted network protocols for authentication  x x x x x x
YALE-MSS-9.12: Implement technical controls to prevent Brute Force attacks from successfully authenticating     o     o
YALE-MSS-10: Control the use of administrative and service accounts 
MSS Description

low risk

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-10.1: Grant administrative privileges for routine IT functions/responsibilities only    x x   x x
YALE-MSS-10.2: Use administrative and service accounts for their IT function(s) only    o o   o o
YALE-MSS-10.3: Ensure authentication events are associated with an individual and not just an administrative or service account PBIP PBIP PBIP PBIP

o

PBIP

o

PBIP

YALE-MSS-10.4: Eliminate shared service accounts across unrelated systems x x x x x x
YALE-MSS-10.5: Ensure administrative and service account credentials (username/password) are not shared.  o o o o o o
YALE-MSS-10.6: Require Multifactor Authentication (MFA) for all administrative access x x x x x x
YALE-MSS-10.7: Maintain an inventory of all privileged and service accounts and who has what access           o
YALE-MSS-11: Secure the network and control network ports
MSS Description

low risk

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-11.1: Enable ports, protocols, and services on an as-needed basis 

    x   x x
YALE-MSS-11.2: Utilize host-based firewalls with default deny-all rule sets      PCI     PCI
YALE-MSS-11.3: Utilize host-based firewalls to control ports and log network traffic   PBIP PBIP   PBIP PBIP
YALE-MSS-12: Require security skills and training
MSS description

low risk

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-12.1: Require security training for all users of Yale Data and Yale IT Systems 

x x x x x x
YALE-MSS-12.2: Ensure all third parties complete required training    

PCI

HIPAA

    x
YALE-MSS-13: Implement methods of intrusion detection
MSS Description

low risk

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-13.1: Capture north/south flow data    PBIP PBIP  

o

PBIP

o

PBIP

YALE-MSS-13.2: Utilize a network firewall to allow the least amount of access as possible         x x
YALE-MSS-13.3: Implement Intrusion Protection and Intrusion Detection Systems         x x
Yale-MSS-14: Collect and analyze audit logs
MSS Description

low risk

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-14.1: Ensure logging contains information required for incident response         x x
YALE-MSS-14.2: Log all authentication events           o

YALE-MSS-14.3: Ensure logs are forwarded to a log server and not kept only on the in-scope system 

        o o
YALE-MSS-14.4: Collect and review all source system activity logs           HIPAA
YALE-MSS-15: Respond to and manage security incidents
MSS Description

low risk

endpoint

mod risk

endpoint

high risk

endpoint

low risk

server

mod risk

server

high risk

server

YALE-MSS-15.1: Report any suspected security incident(s) to the Information Security Team in a timely manner x x x x x x

Version History 

MSS Version 1 Effective July 2019 - September 9, 2019 

Ask For Help 

For questions or concerns about understanding and applying the Updated Minimum Security Standards, please contact information.security@Yale.edu