Applying the MSS to IT Systems
This page explains how to read, understand, and apply the Minimum Security Standards (MSS) to a system.
If you’re on this page, it is because you are:
- A system decision maker trying to plan for your system to meet Yale's MSS.
- A system support provider trying to configure the system you support to meet Yale's MSS.
How-to guide for the MSS
This page explains how to read, understand, and apply the MSS to your system. This includes how to:
- Decide on system type and classification - knowing the risk of your system type
- Follow the MSS Key - knowing what controls apply to your IT System
- Understand the MSS - learning the breakdown of the MSS standards groups, standards, and controls
- View the MSS – using the MSS list vs. the MSS calculator
- Apply the MSS – understanding the shared responsibility model
If you're looking for more information on what the MSS are or how they apply to you, visit our general MSS page.
Decide on system type and classification
All Yale IT Systems must meet and maintain the Minimum Security Standards. A Yale IT System is any IT System that uses Yale Data and/or operates in support of Yale's mission. Examples include:
- IT Systems hosted at Yale (e.g., an IT System built by Yale, like our Training Management System (TMS)).
- IT Systems hosted by a third party (e.g., cloud services, like Amazon Web Services (AWS), Yale Box).
- All environments of an IT System that access Yale Data (e.g., Test, Development, Production).
We apply the standards based on the system's type and risk classification.
Deciding on your system type
Determine the system type to understand which standards apply to your Yale IT system. The MSS outlines requirements for the following types of systems.
System Type | Definition | Examples |
---|---|---|
ENDPOINT | An endpoint is any device that is physically an endpoint on a network. This means it communicates back and forth with the network it connects to. Endpoints do not host any network resources for other endpoints to connect to. | Desktops, laptops, POS terminals |
SERVER | A server is a computer that processes requests and/or delivers data to other computers. A server processes requests or delivers data over the network it connects to. Servers share network resources with endpoints. | Web servers, file servers, database servers, email servers, software applications |
MOBILE DEVICE | A mobile device is a portable, usually handheld, computer. Like endpoints, a mobile device communicates with the network it connects to. Mobile devices differ from endpoints in that they usually run mobile operating systems. These mobile operating systems have varying security requirements from endpoints. | Smartphones, tablets |
NETWORK PRINTER | A network printer is a printer connected to a network. Network printers receive their print jobs via a print server. Note: This does not include personal printers. Personal printers process print jobs through a physical connection to an endpoint. | Papercut printers |
Critical IT infrastructure
Some Yale IT Systems are too complex in nature to solely rely on the MSS for their security requirements. We refer to these systems as “Critical IT Infrastructure”. The definition and requirements of Critical IT Infrastructure are found in Yale-MSS-1.4.
Deciding on your system risk classification
The risk classification determines the right security requirements for the risk level. It will decide what Minimum Security Standards apply to your IT System. Yale classifies systems as High, Moderate, or Low Risk based on the system’s:
- Data Classification
- Availability Requirement
- External obligations
To determine your system’s risk classification, visit the Risk Classification Guideline.
View the Risk Classification Guideline
Follow the MSS Key
Once you know your system type and classification, use the key to know which MSS apply to your IT System. These symbols show which security requirements apply to which system type and classification.
Symbol | Meaning |
---|---|
REQUIRED | The "Required" tag marks standards currently required for that system type and classification. |
UPCOMING | The "Upcoming" tag marks standards that are future requirements. Any standard marked as "upcoming" will be required soon. The MSS lists these upcoming requirements for budget planning for the IT System. |
NOT REQUIRED | The "Not Required" tag indicates the standard is not required for that system type and classification. |
REQUIRED FOR IA | The "IA" tag indicates a current requirement for Internet Accessible IT Systems. Internet Accessible (IA) systems allow connections from the public internet without an additional layer of protection such as a Virtual Private Network (VPN). In general, if the normal way to access your system is through the internet, the system is internet accessible. Note: Private IPs with a public reverse-proxy (like a load balancer) would be considered Internet Accessible. |
REQUIRED FOR HIPAA | The "HIPAA" tag indicates a current requirement for IT Systems subject to HIPAA. If the Yale IT System is subject to HIPAA, it must apply all MSS marked as required for high risk and HIPAA. Any standard marked with "HIPAA" is currently required by University HIPAA Policy. These security requirements ensure compliance with the HIPAA Security Rule. |
REQUIRED FOR PCI | The "PCI" tag indicates a current requirement for IT Systems subject to PCI. If the Yale IT System is subject to PCI, it must apply all MSS marked as required for high risk and PCI. Any standard marked with "PCI" is currently required by Yale to ensure compliance with PCI DSS. PCI DSS is the Payment Card Industry Data Security Standard. |
Understand the MSS
This section helps you understand how we break down the MSS. This will help you read and work through the standards. The Minimum Security Standards (MSS) are broken down into:
Standard Groups (Yale-MSS-X): There are 14 standard groups that make up Yale’s Minimum Security Standards (MSS). These group standards together based on cybersecurity requirements.
Standards (Yale-MSS-X.Y): There are 73 standards that make up Yale’s Minimum Security Standards (MSS). These standards tell us what Yale’s position is on the group of cybersecurity requirements. They tell us what you must do to meet that cybersecurity requirement at Yale.
Controls (Yale-MSS-X.Y.Z): There are 122 controls that support the standards. These controls provide details on how you can meet Yale’s position on the cybersecurity requirement.
The best way to start learning about the MSS is to look at the 14 Standard Groups, which we describe below:
Standards Group | Description |
---|---|
YALE-MSS-1: System Classification | Know your requirements based on the system type and risk classification. If your risk classification changes over time, your requirements will change. This category is a prerequisite to meeting and maintaining the rest of the MSS. |
YALE-MSS-2: System Inventory | Know what your security requirements apply to. This category is a prerequisite to risk classification and meeting the MSS. |
YALE-MSS-3: Disaster Recovery (DR) | Create a step-by-step procedure to restore the IT System in the event of a disruption. Test the plan to ensure it is successful and meets your availability requirement (RTO). |
YALE-MSS-4: Physical Security | Ensure the system is physically secured based on its risk classification. These controls will vary based on where the system is physically located. |
YALE-MSS-5: Software Security | Make security-conscious choices for configuring your software and firmware. This includes running supported operating systems and software for commercial, in-house, and open-source software. |
YALE-MSS-6: Patching | Ensure a process is in place to apply security updates (a.k.a. patches) routinely and actively. This includes establishing an emergency patch process for critical vulnerabilities. |
YALE-MSS-7: Data Protection | Ensure data protection controls are in place. This includes how the data is encrypted, backed up, and used securely by the IT System. |
YALE-MSS-8: Application Development | Implement secure SDLC practices when deploying software and applications. This includes testing for common security flaws. |
YALE-MSS-9: Authentication and Authorization | Manage the authentication and authorization lifecycle for user and privileged accounts. |
YALE-MSS-10: Network Exposure | Determine network security for the IT Systems that connect to the network. The goal of this category is to limit network exposure. |
YALE-MSS-11: Security Training | Ensure users and third-party vendors know the role they play in the IT System's security. This can be how they use and/or support the system securely. |
YALE-MSS-12: Intrusion Detection | Run an industry-standard intrusion detection program. This program should detect anomalies, attacks, and compromises. If you are on the University Network, you get this free from the ISO. |
YALE-MSS-13: Logging | Ensure all system components are logging relevant security data. Preserve relevant security data in the event of an incident. |
YALE-MSS-14: Security Incident Response | Ensure security incidents are reported to the ISO. ISO will always play a role in incident response. |
View the MSS
Now that you know your system's type and classification and how to read the MSS, decide how you want to view them. There are two ways to view Yale's MSS.
MSS List
View a complete list of the MSS. This is a consolidated list of all of Yale's security requirements. These requirements come from Yale's current security policies, procedures, and practices.
MSS Calculator
Narrow the MSS down to the requirements for your IT System using the MSS Calculator. The calculator will give you the required controls based on your system type and risk level.
Apply the MSS
Applying the MSS starts with building your shared responsibility model. A shared responsibility model determines who is responsible for meeting what standards.
5 Steps to Building the Shared Responsibility Model
Step 1: Classify the System - "What do I have to do?"
You classify the system as high, moderate, or low risk to know your MSS requirements.
Step 2: Know Your Game Plan - "Who is doing what?"
This is where you build your shared responsibility model. At this point, we know our security requirements are the MSS. The shared responsibility model is where you figure out:
Step 3: Complete an MSS Gap Analysis - "How much have we done so far?"
This step helps you determine two key factors:
Understanding these questions is key to step 4.
Step 4: Create an MSS Roadmap - "How do I do the rest?"
This step helps you determine your plans to:
Step 5: Communicate with the user base - "How do our users know what to do?"
Often, users will play a role in meeting and maintaining the MSS. This is based on how they use and interact with your IT System. The two main points to communicate with users are:
MSS Resources
Below is a collection of resources to help you understand and apply the MSS at Yale.
Yale's Minimum Security Standards
The Minimum Security Standards (MSS) are how we protect Yale IT Systems based on risk.
MSS for Users and User Support Providers
This page helps users understand how Yale’s Minimum Security Standards (MSS) apply to their everyday work at Yale.
MSS Key
Once you know your system type and classification, use the key to know which MSS apply to your IT System.
MSS Calculator
The MSS Calculator helps you narrow down the MSS to only the requirements that apply to your IT System.
Full MSS List
The Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems.
Know Your Risk Toolkit
When you know the risk classification of the data and IT Systems you use, you will know if you are working securely.