Standards Group:
YALE-MSS-1: System Classification
YALE-MSS-1.7: Complete a Security Planning Assessment (SPA)

| System type | Low Risk | Moderate Risk | High Risk |
| --- | --- | --- | --- |
| Endpoint | Not Required | Not Required | Not Required |
| Server | Required | Required | Required |
| Mobile Device | Not Required | Not Required | Not Required |
| Network Printer | Not Required | Not Required | Not Required |

Details
The Security Planning Assessment (SPA) is Yale’s process to highlight and manage cybersecurity risk through compliance with the Minimum Security Standards (MSS) and any external obligations.
A SPA will highlight areas that put Yale data or IT systems at risk.
Request a SPA when any of the following conditions apply:
- A new Yale IT system is being built or purchased
- An existing IT system has not completed the SPA process
- A significant change to hardware, software, hosting provider, or risk classification is made to an existing IT system which has a completed SPA
- Sufficient time has passed since the IT system's last SPA:
  - 2 years for high-risk systems
  - 3 years for moderate-risk systems
  - 4 years for low-risk systems
Additional information on the Security Planning Assessment process as well as some frequently asked questions can be found at https://cybersecurity.yale.edu/spa.
A SPA is not required for low-risk systems hosted by a vendor/third party.