Skip to main content

YALE-MSS-1.4: Designate and protect Critical IT Infrastructure

Standards Group:
YALE-MSS-1: System Classification

YALE-MSS-1.4: Designate and protect Critical IT Infrastructure

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Not Required Moderate Risk Server Not Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required


This standard only applies if the IT System meets the definition of Critical IT Infrastructure.

Critical IT Infrastructure is defined as an IT system that meets any of the following criteria:

  • An IT System that unrelated IT systems have a dependency on, and/or
  • An IT System that is complex or specialized in nature that needs special protections beyond Yale’s Minimum Security Standard

All Critical IT Infrastructure is designated by Yale’s Chief Information Security Officer. Any questions regarding the designation of Critical IT Infrastructure should be directed to

Examples of Critical IT Infrastructure Include:

  • Networking Equipment that supports Yale’s Core Network
  • Domain Name System Infrastructure
  • Central Authentication Infrastructure, such as Active Directory (AD) or Single Sign On (SSO)
  • Virtualization Infrastructure running any unrelated server applications, such as VMware ESX Farm.
  • Automation or IT Management Software with broad privileged access to many unrelated systems, such as SCCM, Cylance, Forcepoint, etc

If the IT System is considered Critical IT Infrastructure, the IT System must meet the security standards required for high-risk servers, as well as the requirements listed below.

We have Critical IT Infrastructure to cover the specialized systems that need more tailored security plans than what is provided in the Minimum Security Standards. The Minimum Security Standards do not touch upon specialized security requirements, as they are intended for the typical use of endpoints and servers. While the Minimum Security Standards apply to all Critical IT Infrastructure, anything designated as Critical IT Infrastructure also requires individual security plans specifically tailored to that Critical IT System.