YALE-MSS-1.6: Plan for meeting and maintaining the security requirements for the IT System

Standards Group:
YALE-MSS-1: System Classification

  • Endpoint: Low Risk (Required), Moderate Risk (Required), High Risk (Required)
  • Server: Low Risk (Required), Moderate Risk (Required), High Risk (Required)
  • Mobile Device: Low Risk (Required), Moderate Risk (Required), High Risk (Required)
  • Network Printer: Low Risk (Required), Moderate Risk (Required), High Risk (Required)

Details

The security requirements for a Yale IT System include the Minimum Security Standards (MSS), as well as any external obligations to protect the IT System or the data the IT System contains.

The MSS is: 

  • A set of baseline engineering requirements for building and maintaining secure IT Systems at Yale. 
  • A way to connect the openness of Yale's technology environment to security responsibilities. 
  • A continuous process to ensure Yale builds and maintains secure IT Systems throughout their life cycles. 

The MSS is not: 

  • A documentation exercise to turn in to the Information Security Office (ISO).
  • A one-time requirement that is not revisited after the IT System goes into production. 

There are various ways people plan for and operate their departments and systems. This standard represents the full scope of what security planning includes. This is not a requirement for documentation. For guidance on how to plan and maintain the MSS, see the guidance section below. 

  1. Classify the System using the Risk Classification Guideline.
  2. Build a shared responsibility plan:
    • Communicate the risk classification to users and system support providers.
    • Understand and communicate what system support providers must do to meet and maintain the MSS.
    • Understand and communicate what end users must do to use the system securely.
  3. Understand where the system does not meet the MSS and either remediate the gaps or file for exceptions to the MSS.