Minimum Security Standards Calculator
The MSS Calculator helps you narrow down the MSS to only the requirements that apply to your IT System. You can find requirements based on your system type and risk classification. You will also be asked if your system is Internet Accessible, subject to HIPAA, or subject to PCI. These questions ensure you see all the standards that apply to your IT System.

The complete MSS shows a full list of Yale's current security requirements. To see the complete MSS, visit cybersecurity.yale.edu/mss/list. To read more about the MSS and how it works, visit cybersecurity.yale.edu/mss.

This reflects the streamlined MSS as of 3/15/2023. The purpose of this reorganization was to improve comprehension and reduce redundancy. The requirements in the MSS have not changed. To view details on this change or view the old version of the MSS, see our streamlining the MSS webpage located at cybersecurity.yale.edu/news/streamlining-minimum-security-standards.
Choose Device Type
Endpoint
Server
Mobile Device
Network Printer
Different IT System types call for different security requirements. For example, how we protect a laptop is different from how we protect a web server. Determining your IT System type is the first step to applying the correct Minimum Security Standards. Select your IT System Type using the buttons below.

An endpoint is any device that is physically an endpoint on a network. This means it communicates back and forth with the network it connects to. Endpoints do not host any network resources for other endpoints to connect to. Examples include, but are not limited to, desktops, laptops, workstations, and POS terminals.

A server is a computer that processes requests and/or delivers data to other computers. A server processes requests or delivers data over the network it connects to. Servers share network resources with endpoints. Examples include, but are not limited to, web servers, file servers, database servers, and email servers.

A mobile device is a portable, usually handheld, computer. Like endpoints, a mobile device communicates with the network it connects to. Mobile devices differ from endpoints in that they usually run mobile operating systems. These mobile operating systems have varying security requirements from endpoints. Examples include, but are not limited to, smartphones and tablets.

A network printer is a printer connected to a network. Network printers receive their print jobs via a print server. This does not include personal printers. Personal printers process print jobs through a physical connection (such as a wire) to an endpoint. An example of a network printer is a PaperCut printer.
Is the IT system Internet Accessible?
No, it is not Internet Accessible
Yes, it is Internet Accessible
Your initial response to this may be, “Yes, I will access the internet from this device”. But that is not what this question is asking. This is asking if your IT System allows connections from the public Internet. This presents more risk to the IT System. As a result, more security requirements apply.

We define Internet Accessible devices as: Internet Accessible (IA) systems allow connections from the public internet without an additional layer of protection such as a Virtual Private Network (VPN) or an authenticated Web Application Proxy (WAP). IT Systems behind a Web Application Firewall (WAF), un-authenticated proxy, or load balancer are Internet Accessible (IA) if the front-end IP is itself accessible from the Internet.

Requirements for Internet Accessible IT Systems will be tagged with "IA". Anywhere you see "IA" means that standard is required for an Internet Accessible IT System. If your IT System meets the Internet Accessible definition, select Yes below.
External Obligations (Select all that apply)
HIPAA
PCI
Note that HIPAA and PCI requirements are included in the Minimum Security Standards. If your IT System is subject to HIPAA or PCI, it must apply all MSS marked as required for high risk and HIPAA or PCI. If your IT System is subject to HIPAA and/or PCI, select those requirements using the buttons below. Note that if your IT System is subject to any other external obligations, those are not listed in the MSS. These external obligations may require specific security requirements in addition to the MSS.
Risk Classification
High Risk
Low Risk
Moderate Risk
The risk classification of an IT System determines which Minimum Security Standards apply. The higher the risk classification, the more standards to apply. Read the Risk Classification Guideline to determine your IT System risk classification. This guideline is located at cybersecurity.yale.edu/risk-classification. Once you know your IT System's risk classification, select your risk using the buttons below.