YALE-MSS-1.2: Apply any additional security requirements required by external obligations

Standards Group:
YALE-MSS-1: System Classification

YALE-MSS-1.2: Apply any additional security requirements required by external obligations

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

Details

Yale Data and IT systems may be subject to external obligations. These can be regulatory, legal, or contractual obligations. Review the External Obligations Guideline for more details.

External obligations can increase the security controls required on the IT system. They can also increase Yale's obligations in the event of a cybersecurity incident. All externally-mandated security requirements for the system must be reviewed and applied. A process must exist to meet these obligations, including those that are required in the event of a security incident or a data breach.

Any external obligation (e.g. federal regulations, third party contracts, etc.) will introduce this requirement.

HIPAA and PCI external obligations are included in the Minimum Security Standards. If your IT system is subject to HIPAA or PCI, it must apply all MSS marked as required for high risk and HIPAA or PCI.

If your IT system is subject to any other external obligations, those are not listed in the MSS. These external obligations may require specific security requirements in addition to the MSS. System support providers are responsible for understanding and implementing those additional requirements on a case-by-case basis.