Skip to main content
Finger touching virtual lock

Applying the MSS to IT Systems

This page explains how to read, understand, and apply the Minimum Security Standards (MSS) to a system.

If you’re on this page, it is because you are:

  • A system decision maker trying to plan for your system to meet Yale’s MSS
  • A system support provider trying to configure the system you support to meet Yale’s MSS.


How-to guide for the MSS

This page explains how to read, understand, and apply the MSS to your system. This includes how to:

  1. Decide on system type and classificationknowing the risk of your system type
  2. Follow the MSS Keyknowing what controls apply to your IT System
  3. Understand the MSSlearning the breakdown of the MSS standards groups, standards, and controls
  4. View the MSSusing the MSS list vs. the MSS calculator
  5. Apply the MSSunderstanding the shared responsibility model

If you're looking for more information on what the MSS are or how they apply to you, visit our general MSS page.

Decide on system type and classification

All Yale IT Systems must meet and maintain the Minimum Security Standards. A Yale IT System is any IT System that uses Yale Data and/or operates in support of Yale's mission. Examples include:

  • IT Systems hosted at Yale (e.g., an IT System built by Yale, like our Training Management System (TMS)).
  • IT Systems hosted by a third party (e.g., cloud services, like Amazon Web Services (AWS), Yale Box).
  • All environments of an IT System that access Yale Data (e.g., Test, Development, Production).

We apply the standards based on the system's type and risk classification.


Deciding on your system type  

Determine the system type to understand which standards apply to your Yale IT system. The MSS outlines requirements for the following types of systems.

System Type Definition Examples
ENDPOINT An endpoint is any device that is physically an endpoint on a network. This means it communicates back and forth with the network it connects to. Endpoints do not host any network resources for other endpoints to connect to. Desktops, laptops, POS terminals
SERVER A server is a computer that processes requests and/or delivers data to other computers. A server processes requests or delivers data over the network it connects to. Servers share network resources with endpoints. Web servers, file servers, database servers, email servers, software applications
MOBILE DEVICE A mobile device is a portable, usually handheld, computer. Like endpoints, a mobile device communicates with the network it connects to. Mobile devices differ from endpoints in that they usually run mobile operating systems. These mobile operating systems have varying security requirements from endpoints. Smartphones, tablets

A network printer is a printer connected to a network. Network printers receive their print jobs via a print server.

Note: This does not include personal printers. Personal printers process print jobs through a physical connection to an endpoint.

Papercut printers

Critical IT infrastructure

Some Yale IT Systems are too complex in nature to solely rely on the MSS for their security requirements. We refer to these systems as “Critical IT Infrastructure”. The definition and requirements of Critical IT Infrastructure are found in Yale-MSS-1.4.


Deciding on your system risk classification

The risk classification determines the right security requirements for the risk level. It will decide what Minimum Security Standards apply to your IT System. Yale classifies systems as High, Moderate, or Low Risk based on the system’s:

  • Data Classification
  • Availability Requirement
  • External obligations

To determine your system’s risk classification, visit the Risk Classification Guideline.  

View the Risk Classification Guideline


Follow the MSS Key  

Once you know your system type and classification, use the key to know which MSS apply to your IT System. These symbols show which security requirements apply to which system type and classification.  

Symbol Meaning
REQUIRED The "Required" tag marks standards currently required for that system type and classification.
UPCOMING The "Upcoming" tag marks standards that are future requirements. Any standard marked as "upcoming" will be required soon. The MSS lists these upcoming requirements for budget planning for the IT System.
NOT REQUIRED The "Not Required" tag indicates the standard is not required for that system type and classification.

The "IA" tag indicates a current requirement for Internet Accessible IT Systems.

Internet Accessible (IA) systems allow connections from the public internet without an additional layer of protection such as a Virtual Private Network (VPN). In general, if the normal way to access your system is through the internet, the system is internet accessible.

Note: Private IPs with a public reverse-proxy (like a load balancer) would be considered Internet Accessible.


The "HIPAA" tag indicates a current requirement for IT Systems subject to HIPAA. If the Yale IT System is subject to HIPAA, it must apply all MSS marked as required for high risk and HIPAA.

Any standard marked with "HIPAA" is currently required by University HIPAA Policy. These security requirements ensure compliance with the HIPAA Security Rule.


The "PCI" tag indicates a current requirement for IT Systems subject to PCI. If the Yale IT System is subject to PCI, it must apply all MSS marked as required for high risk and PCI.

Any standard marked with "PCI" is currently required by Yale to ensure compliance with PCI DSS. PCI DSS is the Payment Card Industry Data Security Standard.


Understand the MSS

This section helps you understand how we break down the MSS. This will help you read and work through the standards. The Minimum Security Standards (MSS) are broken down into:

Standard Groups (Yale-MSS-X): There are 14 standard groups that make up Yale’s Minimum Security Standards (MSS). These group standards together based on cybersecurity requirements.

Standards (Yale-MSS-X.Y): There are 73 standards that make up Yale’s Minimum Security Standards (MSS). These standards tell us what Yale’s position is on the group of cybersecurity requirements. They tell us what you must do to meet that cybersecurity requirement at Yale.

Controls (Yale-MSS-X.Y.Z): There are 122 controls that support the standards. These controls provide details on how you can meet Yale’s position on the cybersecurity requirement.

The best way to start learning about the MSS is to look at the 14 Standard Groups, which we describe below:

Standards Group Description
YALE-MSS-1: System Classification Know your requirements based on the system type and risk classification. If your risk classification changes over time, your requirements will change. This category is a prerequisite to meeting and maintaining the rest of the MSS.
YALE-MSS-2: System Inventory Know what your security requirements apply to. This category is a pre-requisite to risk classification and meeting the MSS.
YALE-MSS-3: Disaster Recovery (DR)

Create a step-by-step procedure to restore the IT System in the event of a disruption. Test the plan to ensure it is successful and meets your availability requirement (RTO).

YALE-MSS-4: Physical Security Ensure the system is physically secured based on its risk classification. These controls will vary based on where the system is physically located.
YALE-MSS-5: Software Security Make security-conscious choices for configuring your software and firmware. This includes running supported operating systems and software for commercial, in-house, and open-source software.
YALE-MSS-6: Patching Ensure a process is inplace to apply security updates (a.k.a. patches) routinely and actively. This includes establishing an emergency patch process for critical vulnerabilities.
YALE-MSS-7: Data Protection Ensure data protection controls are in place. This includes how the data is encrypted, backed up, and used securely by the IT System.
YALE-MSS-8: Application Development Implement secure SDLC practices when deploying software and applications. This includes testing for common security flaws.
YALE-MSS-9: Authentication and Authorization Manage authentication and authorization lifecycle management for user and privileged accounts.
YALE-MSS-10: Network Exposure Determine network security for the IT Systems that connect to the network. The goal of this category is to limit network exposure.
YALE-MSS-11: Security Training Ensure users and third-party vendors know the role they play in the IT System's security. This can be how they use and/or support the system securely.
YALE-MSS-12: Intrusion Detection Run an industry-standard intrusion detection program. This program should detect anomalies, attacks, and compromises. If you are on the University Network, you get this free from the ISO.
YALE-MSS-13: Logging Ensure all system components are logging relevant security data. Preserve relevant security data in the event of an incident.
YALE-MSS-14: Security Incident Response Ensure security incidents are reported to the ISO. ISO will always play a role in incident response.


View the MSS

Now that you know your system's type and classification and how to read the MSS, decide how you want to view them. There are two ways to view Yale's MSS.

MSS List

View a complete list of the MSS. This is a consolidated list of all of Yale's security requirements. These requirements come from Yale's current security policies, procedures, and practices.

View the MSS List

MSS Calculator

Narrow the MSS down to the requirements for your IT System using the MSS Calculator. The calculator will give you the required controls based on your system type and risk level.

Use the MSS Calculator

Apply the MSS

Applying the MSS starts with building your shared responsibility model. A shared responsibility model determines who is responsible for meeting what standards.

5 Steps to Building the Shared Responsibility Model

Step 1: Classify the System

"What do I have to do?"

You classify the system as high, moderate, or low risk to know your MSS requirements.

Step 2: Know Your Game Plan

"Who is doing what?"

This is where you build your shared responsibility model.

At this point, we know our security requirements are the MSS. The shared responsibility model is where you figure out:

  • What the system support providers must do to meet and maintain the MSS.
  • What the users must do to maintain the MSS and use the system securely. 

Step 3: Complete an MSS Gap Analysis

"How much have we done so far?"

This step helps you determine two key factors:

  • What MSS are you currently meeting?
  • Which ones can you not currently meet?

Understanding these questions is key to step 4.

Step 4: Create an MSS Roadmap

"How do I do the rest?"

This step helps you determine your plans to:

  • Fill in your MSS gaps
  • Maintain the MSS over the lifecycle of the IT System

Step 5: Communicate with the user base

"How do our users know what to do?"

Often, users will play a role in meeting and maintaining the MSS. This is based on how they use and interact with your IT System. The two main points to communicate with users are:

  • The classification of the system. This tells them what risk level they can use your system for.  
  • Their role in using the IT System securely.


Below is a collection of resources to help you understand and apply the MSS at Yale. 

Yale's Minimum Security Standards

The Minimum Security Standards (MSS) are how we protect Yale IT Systems based on risk.

Visit Yale's Minimum Security Standards page

MSS for Users and User Support Providers

This page helps users understand how Yale’s Minimum Security Standards (MSS) apply to their everyday work at Yale.

Visit the MSS for Users and User Support Providers page


Once you know your system type and classification, use the key to know which MSS apply to your IT System.

View the MSS key

MSS Calculator

The MSS Calculator helps you narrow down the MSS to only the requirements that apply to your IT System.

View the MSS calculator

Full MSS List

The Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems.

View the full MSS list

Know Your Risk Toolkit

When you know the risk classification of the data and IT Systems you use, you will know if you are working securely.

View the Know Your Risk toolkit