Minimum Security Standards Calculator

The MSS Calculator helps you narrow down the MSS to only the requirements that apply to your IT System. You can find requirements based on your system type and risk classification. You will also be asked if your system is Internet Accessible, subject to HIPAA, or subject to PCI. These questions ensure you see all the standards that apply to your IT System.

The complete MSS shows a full list of Yale's current security requirements. To see the complete MSS, visit

To read more about the MSS and how it works, visit

This reflects the streamlined MSS as of 3/15/2023. The purpose of this reorganization was to improve comprehension and reduce redundancy. The requirements in the MSS have not changed. To view details on this change or view the old version of the MSS, see our streamlining the MSS webpage located at

Choose Device Type
Different IT System types call for different security requirements. For example, how we protect a laptop is different from how we protect a web server. Determining your IT System type is the first step to applying the correct Minimum Security Standards. Select your IT System Type using the buttons below.

An endpoint is any device that is physically an endpoint on a network. This means it communicates back and forth with the network it connects to. Endpoints do not host any network resources for other endpoints to connect to. Examples include, but are not limited to, desktops, laptops, workstations, and POS terminals.

A server is a computer that processes requests and/or delivers data to other computers. A server processes requests or delivers data over the network it connects to. Servers share network resources with endpoints. Examples include, but are not limited to, web servers, file servers, database servers, and email servers.

A mobile device is a portable, usually handheld, computer. Like endpoints, a mobile device communicates with the network it connects to. Mobile devices differ from endpoints in that they usually run mobile operating systems. These mobile operating systems have varying security requirements from endpoints. Examples include, but are not limited to, smartphones and tablets.

A network printer is a printer connected to a network. Network printers receive their print jobs via a print server. This does not include personal printers. Personal printers process print jobs through a physical connection (such as a wire) to an endpoint. An example of a network printer is a PaperCut printer.
Is the IT system Internet Accessible?
Your initial response to this may be, “Yes, I will access the internet from this device”. But that is not what this question is asking. This is asking if your IT System allows connections from the public Internet. This presents more risk to the IT System. As a result, more security requirements apply.

We define Internet Accessible devices as: Internet Accessible (IA) systems allow connections from the public internet without an additional layer of protection such as a Virtual Private Network (VPN) or an authenticated Web Application Proxy (WAP). IT Systems behind a Web Application Firewall (WAF), un-authenticated proxy, or load balancer are Internet Accessible (IA) if the front-end IP is itself accessible from the Internet.

Requirements for Internet Accessible IT Systems will be tagged with "IA". Anywhere you see "IA" means that standard is required for an Internet Accessible IT System. If your IT System meets the Internet Accessible definition, select Yes below.
External Obligations (Select all that apply)
Note that HIPAA and PCI requirements are included in the Minimum Security Standards. If your IT System is subject to HIPAA or PCI, it must apply all MSS marked as required for high risk and HIPAA or PCI. If your IT System is subject to HIPAA and/or PCI, select those requirements using the buttons below. Note that if your IT System is subject to any other external obligations, those are not listed in the MSS. These external obligations may require specific security requirements in addition to the MSS.
Risk Classification
The risk classification of an IT System determines which Minimum Security Standards apply. The higher the risk classification, the more standards to apply. Read the Risk Classification Guideline to determine your IT System risk classification. This guideline is located at

Once you know your IT System's risk classification, select your risk using the buttons below.