Standards Group: YALE-MSS-1: System Classification
YALE-MSS-1.1: Classify the IT System and meet the Minimum Security Standards
Details
The requirements in Yale's Minimum Security Standards (MSS) are a foundation for building and maintaining secure IT Systems based on risk.
All Yale IT Systems must meet and maintain the MSS. A Yale IT System is one that uses Yale data and/or operates in support of Yale's mission. Examples include IT systems hosted by Yale or by a third party on Yale's behalf (e.g., Workday, Microsoft OneDrive).
The MSS is applied according to two criteria:
- Risk Classification (see YALE-MSS-1.1.1)
- System Type (see YALE-MSS-1.1.2)
Using these, Yale's MSS Calculator can determine a system's relevant MSS requirements.
Yale's IT systems should be protected based on their risk classification. Risk classification determines the appropriate security requirements to apply for a given system type. The MSS ensures we get the right requirements for the right risk level.
To classify your IT System, you must know its risk classification and type. These are outlined in:
- YALE-MSS-1.1.1: Determine the IT System's risk classification
- YALE-MSS-1.1.2: Determine your IT System type
Once you have a risk classification and system type, use the MSS Calculator to generate the relevant MSS requirements. You can store this output as a document for your system's records, but you are not required to submit it to ISO.
As you review the requirements, you may discover that some aren't applicable to your system or are handled outside of your system (e.g., by Yale ITS or a vendor). When this happens, briefly note why the given requirement isn't applicable or how it is already managed.
All the remaining applicable MSS requirements must be met in your system deployment. For any that cannot be met, submit an Exception Request as described in YALE-MSS-1.1.8.
Controls
- YALE-MSS-1.1.1: Classify the IT System as high, moderate, or low risk based on data classification, availability requirements, and external obligations
- YALE-MSS-1.1.2: Determine your system type
- YALE-MSS-1.1.3: Determine if your system is Internet Accessible
- YALE-MSS-1.1.4: Define roles and responsibilities for meeting and maintaining the Minimum Security Standards and any external security requirements throughout the lifespan of the system
- YALE-MSS-1.1.5: Ensure roles and responsibilities for meeting and maintaining all security requirements throughout the life cycle of the system are accepted by all parties
- YALE-MSS-1.1.6: Provide an appropriate level of staffing to manage your systems in accordance with their security requirements
- YALE-MSS-1.1.7: Budget for maintaining the ongoing support and maintenance of the system to meet its security requirements throughout the lifespan of the system
- YALE-MSS-1.1.8: Ensure a valid policy exception request is filed when a Minimum Security Standard cannot be met