Minimum Security Standards Calculator

Different IT System types call for different security requirements. For example, how we protect a laptop is different from how we protect a web server. Determining your IT System type is the first step to applying the correct Minimum Security Standards. Select your IT System Type using the buttons below. An endpoint is any device that is physically an endpoint on a network. This means it communicates back and forth with the network it connects to. Endpoints do not host any network resources for other endpoints to connect to. Examples include, but are not limited to, desktops, laptops, workstations, and POS terminals. A server is a computer that processes requests and/or delivers data to other computers. A servers process requests or delivers data over the network it connects to. Servers share network resources with endpoints. Examples include, but are not limited to, web servers, file servers, database servers, and email servers. A mobile device is a portable, usually handheld, computer. Like endpoints, a mobile device communicates with the network it connects to. Mobile devices differ from endpoints in that they usually run mobile operating systems. These mobile operating systems have varying security requirements from endpoints. Examples include, but are not limited to, smartphones and tablets. A network printer is a printer connected to a network. Network printers receive their print jobs via a print server. This does not include personal printers. Personal printers process print jobs through a physical connection (such as a wire) to an endpoint. An example of a network printer is a PaperCut printer.

Your initial response to this may be, “Yes, I will access the internet from this device”. But that is not what this question is asking. This is asking if your IT System allows connections from the public Internet. This presents more risk to the IT System. As a result, more security requirements apply. We define Internet Accessible devices as: Internet Accessible (IA) systems allow connections from the public internet without an additional layer of protection such as a Virtual Private Network (VPN) or an authenticated Web Application Proxy (WAP). IT Systems behind a Web Application Firewall (WAF), un-authenticated proxy, or load balancer are Internet Accessible (IA) if the front-end IP is itself accessible from the Internet. Requirements for Internet Accessible IT Systems will be tagged with "IA". Anywhere you see "IA" means that standard is required for an Internet Accessible IT System. If your IT System meets the Internet Accessible definition, select Yes below.

Note that HIPAA and PCI requirements are included in the Minimum Security Standards. If your IT System is subject to HIPAA or PCI, it must apply all MSS marked as required for high risk and HIPAA or PCI. If your IT System is subject to HIPAA and/or PCI, select those requirements using the buttons below. Note that if your IT System is subject to any other external obligations, those are not listed in the MSS. These external obligations may require specific security requirements in addition to the MSS.

The risk classification of an IT System determines which Minimum Security Standards apply. The higher the risk classification, the more standards to apply. Read the Risk Classification Guideline to determine your IT System risk classification. This guideline is located at cybersecurity.yale.edu/risk-classification. Once you know your IT System's risk classification, select your risk using the buttons below.