Standards Group:
YALE-MSS-1: System Classification
YALE-MSS-1.4: Designate and protect Critical IT Infrastructure
Details
This standard only applies if the IT system meets the definition of Critical IT Infrastructure.
Critical IT Infrastructure is defined as an IT system that meets any of the following criteria:
- An IT system that unrelated IT systems depend on, and/or
- An IT system that is complex or specialized in nature that needs special protections beyond Yale's Minimum Security Standard
The Minimum Security Standards do not touch upon specialized security requirements, as they are intended for the typical use of endpoints, servers, mobile devices, and printers. While the Minimum Security Standards apply to all Critical IT Infrastructure, anything designated as Critical IT Infrastructure also requires individual security plans specifically tailored to that Critical IT system.
All Critical IT Infrastructure is designated by Yale's Chief Information Security Officer. Any questions regarding the designation of Critical IT Infrastructure should be directed to information.security@yale.edu.
Examples of Critical IT Infrastructure include:
- Networking Equipment that supports Yale's Core Network
- Domain Name System Infrastructure
- Central Authentication Infrastructure, such as Active Directory (AD) or Single Sign On (SSO)
- Virtualization Infrastructure running any unrelated server applications, such as a VMware ESX farm
- Automation or IT Management Software with broad privileged access to many unrelated systems, such as Intune, Purview, etc.
Critical IT Infrastructure must:
- Meet all MSS for high-risk servers
- Meet all 1.4.x MSS controls