YALE-MSS-5.1: Utilize an industry-standard secure configuration method

Standards Group:
YALE-MSS-5: Software Security

Low Risk Endpoint: Not Required
Moderate Risk Endpoint: Not Required
High Risk Endpoint: Required for PCI

Low Risk Server: Not Required
Moderate Risk Server: Required
High Risk Server: Required

Low Risk Mobile Device: Not Required
Moderate Risk Mobile Device: Not Required
High Risk Mobile Device: Not Required

Low Risk Network Printer: Not Required
Moderate Risk Network Printer: Not Required
High Risk Network Printer: Not Required

Details

Select, review, and apply a security configuration standard, being careful to make risk-based decisions when choosing not to apply specific controls. Document your use of the standard, as well as any decisions to not employ certain controls. Review and revise this documentation regularly.

There are security configuration standards available for most IT Systems. When applicable, the CIS (Center for Internet Security) Benchmarks are Yale's preferred standard. For more information about CIS, please visit https://www.cisecurity.org/cis-benchmarks/.

Note that this control is not exclusively concerned with operating systems. Yale's preference for Web application programming and the configuration of Web services is the Application Security Verification Standard (ASVS) by the Open Web Application Security Project (OWASP).

A security configuration standard aids the implementation of cybersecurity best practices. Use of a standard such as the CIS Benchmarks helps to ensure these practices are being met for a given system.