Standards Group: YALE-MSS-1: System Classification
YALE-MSS-1.6: Plan for meeting and maintaining the security requirements for the IT System
| System type | Low Risk | Moderate Risk | High Risk |
| --- | --- | --- | --- |
| Endpoint | Required | Required | Required |
| Server | Required | Required | Required |
| Mobile Device | Required | Required | Required |
| Network Printer | Required | Required | Required |
Details
The security requirements for a Yale IT System include the Minimum Security Standards (MSS), as well as any external obligations to protect the IT System or the data the IT System contains.
The MSS is:
- A set of baseline engineering requirements for building and maintaining secure IT Systems at Yale.
- A way to connect the openness of Yale's technology environment to security responsibilities.
- A continuous process to ensure Yale builds and maintains secure IT Systems throughout their life cycles.
The MSS is not:
- A documentation exercise to turn in to the Information Security Office (ISO).
- A one-time requirement that is not revisited after the IT System goes into production.
There are various ways people plan for and operate their departments and systems. This standard represents the full scope of what security planning includes. This is not a requirement for documentation. For guidance on how to plan and maintain the MSS, see the guidance section below.
- Classify the System using the Risk Classification Guideline.
- Build a shared responsibility plan:
  - Communicate the risk classification to users and system support providers.
  - Understand and communicate what system support providers must do to meet and maintain the MSS.
  - Understand and communicate what end users must do to use the system securely.
- Understand where the system does not meet the MSS and either remediate the gaps or file for exceptions to the MSS.