New Minimum Security Standards (MSS) V2
Effective Date: September 9, 2019 - Present
The New MSS V2 only applies to IT Systems administered by Yale Information Technology Services (Yale ITS). All other IT Systems hosting Yale data are required to follow the current set of Minimum Security Standards that outline the security controls required for high, moderate, and low risk data.
The New MSS enhances the current University Minimum Security Standards by:
- Providing detail on how to achieve the security controls
- Consolidating all current security Policies, Procedures, and Practices into one place
- Creating a mechanism to list upcoming security requirements so that they can be budgeted and planned for
What has changed from V1 to V2?
Below is a description of the changes made between Updated MSS V1 and this current version of the Updated Minimum Security Standards (MSS V2):
- YALE-MSS-2.2: Determine if the system is considered Critical IT Infrastructure
- YALE-MSS-10.5: Ensure administrative and service account credentials (username/password) are not shared
- YALE-MSS-3.1 is now only required for high risk servers
- YALE-MSS-5.1 now includes detailed requirements
- YALE-MSS-9.2 was changed to read “Ensure user account credentials (username/password) are not shared.” This requirement is now current state.
Why create New Minimum Security Standards?
The New MSS is the first attempt at providing enough detail that anyone responsible for building and maintaining Yale IT Systems fully understands their security requirements. Using this set of Minimum Security Standards when building and maintaining an IT System will allow the system to pass through the Security Design Review and any other security audits or assessments efficiently.
This format also allows future security requirements to be rolled out at a pace that leaves time for budgetary and resource planning. This is critical for security, so that our baseline of controls keeps up with the dynamic world of cybersecurity, and it is critical for those who own and maintain an IT System, so that they can plan for the resources needed to meet upcoming requirements.
Who will the New Minimum Security Standards apply to?
As of July 2019, these new Minimum Security Standards apply to all IT Systems administered by Yale Information Technology Services (ITS). All IT Systems are required to follow the MSS for the system’s classification. To ensure the appropriate standards are being met, ensure the system has been properly classified according to the Classifying and Protecting Yale IT Systems guideline.
The goal is to eventually utilize this MSS University-wide. However, systems not administered by Yale Information Technology Services (ITS) are only required to use the current University Minimum Security Standards.
If you want to play a role in shaping what the New MSS will look like for the University-wide implementation, please start by providing feedback on Version 1. It is important that we receive feedback on this first version so that we can correct any mistakes before rolling it out to the broader community. We are looking for feedback that includes, but is not limited to, the following:
- Are there any controls on this list that you do not feel are current state?
- Are there any controls on this list that do not make sense and need more detail?
- Is there anything that we currently do for security that is not represented as a standard on this first version? We want to ensure that all current policy, procedures, and practices are represented on this first version.
Please provide all feedback to information.security@Yale.edu.
Applying the New Minimum Security Standards
All Yale IT Systems are required to meet and maintain the MSS for the system’s classification. To ensure the appropriate standards are being met, ensure the system has been assigned the proper risk level using the Classifying and Protecting Yale IT Systems guideline.
Once the system’s classification has been identified, the ITS Minimum Security Standards divide IT Systems into two system types: endpoints and servers.
An endpoint is a computing device that communicates back and forth with the network to which it is connected and does not host any network resources for other endpoints to connect to. Examples include desktops, laptops, smartphones, tablets, workstations and POS terminals.
A server is a computing device designed to process requests and deliver data to other computing devices over the network to which it is connected; it shares network resources with endpoints. Examples include web servers, file servers, database servers, email servers and identity servers.
The ITS Minimum Security Standards identify the required standards for high, moderate and low risk IT Systems using the following key:

| Mark | Meaning |
|---|---|
| x | Any Minimum Security Standard marked with “x” is currently required for that system type and classification. |
| o | Any Minimum Security Standard marked with “o” is an upcoming requirement for that system type and classification. It is not currently required, but should be considered when planning and budgeting for the IT system. |
| HIPAA | Any Minimum Security Standard marked with “HIPAA” is required by University HIPAA Policy to comply with the HIPAA Security Rule. If the IT System is subject to HIPAA, it must follow all Minimum Security Standards marked for high risk and all those marked for HIPAA. |
| PCI | Any Minimum Security Standard marked with “PCI” is required to comply with the Payment Card Industry Data Security Standard (PCI DSS). If the IT System is subject to PCI DSS, it must follow all Minimum Security Standards marked for high risk and all those marked for PCI. |
| PBIP | Any Minimum Security Standard marked with “PBIP” is required for any system that must remain public facing for a business or academic function. If the IT System is on a public IP address, it must follow all Minimum Security Standards for its system classification, as well as those marked for PBIP. |
Minimum Security Standards (MSS) V2
Ask For Help
For questions or concerns about understanding and applying the Updated Minimum Security Standards, please contact information.security@Yale.edu.