Skip to main content

YALE-MSS-1.1: Classify the IT System and meet the Minimum Security Standards

Standards Group:
YALE-MSS-1: System Classification

YALE-MSS-1.1: Classify the IT System and meet the Minimum Security Standards

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required


The requirements in Yale's Minimum Security Standards (MSS) are a foundation for building and maintaining secure IT Systems based on risk.

All Yale IT Systems must meet and maintain the MSS. A Yale IT System is one that uses Yale data and/or operates in support of Yale's mission. Examples include IT systems hosted by Yale or by a third party on Yale's behalf (e.g., Workday, Microsoft OneDrive).

The MSS is applied according to two criteria:

Using these, Yale's MSS Calculator can determine a system's relevant MSS requirements.

Yale's IT systems should be protected based on their risk classification. Risk classification determines the appropriate security requirements to apply for a given system type. The MSS ensures we get the right requirements for the right risk level.

To classify your IT System, you must know its risk classification and type. These are outlined in:

Once you have a risk classification and system type, use the MSS Calculator to generate the relevant MSS requirements. You can store this output as a document for your system's records, but you are not required to submit it to ISO.

As you review the requirements, you may discover that some aren't applicable to your system or are handled outside of your system (e.g., by Yale ITS or a vendor). When this happens, briefly note why the given requirement isn't applicable or how it is already managed.

All the remaining applicable MSS requirements must be met in your system deployment. For any that cannot be met, submit an Exception Request as described in YALE-MSS-1.1.8.