YALE-MSS-1.2: Apply any additional security requirements required by external obligations

Standards Group: YALE-MSS-1: System Classification

Low Risk Endpoint: Required
Moderate Risk Endpoint: Required
High Risk Endpoint: Required

Low Risk Server: Required
Moderate Risk Server: Required
High Risk Server: Required

Low Risk Mobile Device: Required
Moderate Risk Mobile Device: Required
High Risk Mobile Device: Required

Low Risk Network Printer: Required
Moderate Risk Network Printer: Required
High Risk Network Printer: Required

Details

Yale Data and IT systems may be subject to external obligations. These can be regulatory, legal, or contractual obligations. Review the External Obligations Guideline for more details.

External obligations can increase the security controls required on the IT system. They can also increase Yale's obligations in the event of a cybersecurity incident. All externally mandated security requirements for the system must be reviewed and applied. A process must exist to meet these obligations, including those that are required in the event of a security incident or a data breach.

Any external obligation (e.g., federal regulations, third-party contracts, etc.) will introduce this requirement.

HIPAA and PCI external obligations are included in the Minimum Security Standards. If your IT system is subject to HIPAA or PCI, it must apply all MSS marked as required for high risk and HIPAA or PCI.

If your IT system is subject to any other external obligations, those are not listed in the MSS. These external obligations may require specific security requirements in addition to the MSS. System support providers are responsible for understanding and implementing those additional requirements on a case-by-case basis.