Standards Group:
YALE-MSS-4: Physical Security
YALE-MSS-4.2: Physically secure the IT System
| IT System | Low Risk | Moderate Risk | High Risk |
| --- | --- | --- | --- |
| Endpoint | Not Required | Not Required | Required |
| Server | Not Required | Not Required | Required |
| Mobile Device | Not Required | Not Required | Not Required |
| Network Printer | Not Required | Not Required | Required |
Details
If the IT System is whole disk encrypted and requires authentication for administrative functions with a session timeout, these standards are not required.
If the IT System is located in a Critical IT Space that meets the security standards outlined in YALE-MSS-4.1, these standards are not required.
All high risk systems should be stored in a secure area that can be locked down to only allow explicitly permitted users into the space. Below are requirements for securing that area appropriately.
High risk systems require physical security because physical access to the system can permit other methods of unauthorized access to the data or system.
Controls
- YALE-MSS-4.2.1: Limit user access to the secure area to only those who need it
- YALE-MSS-4.2.2: Review and re-certify user access to the secure area annually
- YALE-MSS-4.2.3: Access to the secure space produces a physical or electronic audit log
- YALE-MSS-4.2.4: A locking cable or equivalent physical protection for all devices when not in the user's physical custody
- YALE-MSS-4.2.5: Install privacy screen filters on computer screens that display ePHI