The Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems. The MSS ensures we build and maintain secure Yale IT Systems based on risk.
This page lists the complete Minimum Security Standards (MSS): a consolidated list of all of Yale's current security requirements, drawn from Yale's current security policies, procedures, and practices. To read more about the MSS and how it works, visit cybersecurity.yale.edu/mss.
To narrow down the MSS to the requirements for your IT System, use the MSS calculator. The MSS Calculator is located at cybersecurity.yale.edu/mss/calculator.
This reflects the streamlined MSS as of 3/15/2023. The purpose of this reorganization was to improve comprehension and reduce redundancy. The requirements in the MSS have not changed. To view details on this change or view the old version of the MSS, see our streamlining the MSS webpage located at cybersecurity.yale.edu/news/streamlining-minimum-security-standards.
YALE-MSS-1: System Classification
YALE-MSS-1.1: Classify the IT System and meet the Minimum Security Standards
YALE-MSS-1.2: Apply any additional security requirements required by external obligations
YALE-MSS-1.3: Ensure appropriate contracts for all third-party relationships are in place
YALE-MSS-1.4: Designate and protect Critical IT Infrastructure
YALE-MSS-1.5: Plan for data recovery requirements
YALE-MSS-1.6: Plan for meeting and maintaining the security requirements for the IT System
YALE-MSS-1.7: Complete a Security Planning Assessment (SPA)
YALE-MSS-2: System Inventory
YALE-MSS-2.1: Establish the scope of the IT System
YALE-MSS-2.2: Use a private IP address if direct internet access is not required
YALE-MSS-3: Disaster Recovery (DR)
YALE-MSS-3.1: Create a Disaster Recovery Plan
YALE-MSS-3.2: Test the Disaster Recovery Plan
YALE-MSS-4: Physical Security
YALE-MSS-4.1: Physically secure Critical IT Spaces
YALE-MSS-4.2: Physically secure the IT System
YALE-MSS-4.3: Ensure print jobs are physically secure
YALE-MSS-5: Software Security
YALE-MSS-5.1: Utilize an industry-standard secure configuration method
YALE-MSS-5.2: Utilize endpoint protection
YALE-MSS-5.3: Run supported software and operating systems
YALE-MSS-5.4: Ensure all software is actively supported by a vendor or open-source project
YALE-MSS-5.5: Manage all changes to the system through a change control process
YALE-MSS-6: Patching
YALE-MSS-6.1: Apply security patches regularly
YALE-MSS-7: Data Protection
YALE-MSS-7.1: Back up user-level and system-level data
YALE-MSS-7.2: Encrypt all electronic storage devices
YALE-MSS-7.3: Encrypt data in transit and at rest
YALE-MSS-7.4: Recycle IT Systems using Yale's Environmental Health and Safety (EHS) Process
YALE-MSS-7.5: Sanitize systems before re-use
YALE-MSS-7.6: All network traffic must use a strong, industry-standard encryption method
YALE-MSS-7.7: Purge data once it is no longer required
YALE-MSS-7.8: Utilize host Data Loss Prevention (DLP)
YALE-MSS-7.9: Use inactivity locks
YALE-MSS-7.10: Store Yale Data within the United States
YALE-MSS-7.11: Use secure Bluetooth
YALE-MSS-7.12: Enroll in a remote wipe capability
YALE-MSS-7.13: No circumvention of device security ("Jailbreaking")
YALE-MSS-8: Application Development Security
YALE-MSS-8.1: Follow an appropriate secure development methodology when writing software
YALE-MSS-8.2: Test for security vulnerabilities when any changes are made to the system
YALE-MSS-9: Authentication and Authorization
YALE-MSS-9.1: Ensure all account types are uniquely authenticated
YALE-MSS-9.2: Do not share account credentials (username/password)
YALE-MSS-9.3: Utilize secure passwords for authentication
YALE-MSS-9.4: Grant privileges to IT Systems and data according to the principle of least privilege
YALE-MSS-9.5: Deprovision accounts and access when roles & responsibilities change
YALE-MSS-9.6: Require Multifactor Authentication (MFA) for access to authenticated systems
YALE-MSS-9.7: Use University approved authentication methods
YALE-MSS-9.8: Secure and/or limit storage of authentication information
YALE-MSS-9.9: Allow only encrypted network protocols for authentication
YALE-MSS-9.10: Prevent brute force attacks
YALE-MSS-9.11: Use administrative and service accounts for their IT function only
YALE-MSS-9.12: Ensure authentication events are associated with an individual and not just an administrative or service account
YALE-MSS-10: Network Exposure
YALE-MSS-10.1: Enable ports, protocols, and services on an as-needed basis
YALE-MSS-10.2: Configure host firewalls to deny all unsolicited inbound traffic by default
YALE-MSS-10.3: Utilize host firewalls to control and log all inbound and outbound traffic
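The two host-firewall requirements above (10.2 deny-by-default, 10.3 control and log) are concrete enough to check mechanically. The following Python is an added example, not part of the MSS page or any Yale tooling: it audits an nftables ruleset in the text form that `nft list ruleset` prints, reporting a finding when the base chain hooked on input does not carry `policy drop`, or when the input or output chain has no `log` statement. Both rulesets embedded below are constructed for illustration; the first is the permissive setting a default install often leaves behind, the second is the corrected form. The function names `parse_chains` and `audit` are this example's own.

```python
"""Audit an nftables ruleset (the text `nft list ruleset` prints) against
YALE-MSS-10.2 (deny unsolicited inbound by default) and YALE-MSS-10.3
(log inbound and outbound traffic).  Added example; the rulesets below are
constructed for illustration and are not Yale's configuration."""
import re

# Constructed: a permissive host firewall that fails both checks.
WEAK_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
"""

# Constructed: the corrected ruleset.  Only loopback, replies to connections
# this host opened, and an explicit allow-list get in; everything else is
# logged and dropped by the chain policy.  New outbound connections are
# logged (logging every packet would be too noisy to review).
HARDENED_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        tcp dport { 22, 443 } ct state new log prefix "mss10 in-allow " accept
        log prefix "mss10 in-drop " drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        ct state new log prefix "mss10 out " accept
    }
}
"""

# A chain body runs from "chain NAME {" to the first line holding only "}".
CHAIN_RE = re.compile(r"chain\s+(\w+)\s*\{(.*?)\n\s*\}", re.S)
# Base chains declare the hook and the policy on one line; nft prints the
# priority either numerically ("0") or symbolically ("filter").
HOOK_RE = re.compile(
    r"type\s+filter\s+hook\s+(\w+)\s+priority\s+[-\w]+\s*;\s*policy\s+(\w+)\s*;"
)


def parse_chains(ruleset: str) -> dict:
    """Return {hook: {"policy": str, "logs": bool}} for every base chain.
    Chains without a hook are regular chains and are skipped."""
    chains = {}
    for _name, body in CHAIN_RE.findall(ruleset):
        hook = HOOK_RE.search(body)
        if not hook:
            continue
        rules = [ln.strip() for ln in body.splitlines() if ln.strip()]
        chains[hook.group(1)] = {
            "policy": hook.group(2),
            "logs": any(re.search(r"\blog\b", r) for r in rules),
        }
    return chains


def audit(ruleset: str) -> list:
    """Return a list of MSS findings; an empty list means the ruleset passes."""
    chains = parse_chains(ruleset)
    findings = []
    inp = chains.get("input")
    if inp is None:
        findings.append("MSS-10.2: no base chain hooks input; inbound traffic is unfiltered")
    elif inp["policy"] != "drop":
        findings.append(f"MSS-10.2: input chain policy is '{inp['policy']}', must be 'drop'")
    for hook in ("input", "output"):
        ch = chains.get(hook)
        if ch is None or not ch["logs"]:
            findings.append(f"MSS-10.3: no log rule in {hook} chain")
    return findings


if __name__ == "__main__":
    for label, rs in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(label, audit(rs) or "PASS")
```

The check is deliberately syntactic: it confirms the base-chain policy and the presence of log statements, which is what an auditor can verify from `nft list ruleset` alone. It does not prove the allow-list is minimal (10.1) or that outbound traffic is restricted rather than merely logged; the constructed output chain keeps `policy accept` with logging, and tightening it to an outbound allow-list is the same pattern applied in the other direction.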
YALE-MSS-11: Security Training
YALE-MSS-11.1: Require security training for all users of Yale Data and Yale IT Systems
YALE-MSS-11.2: Ensure all third parties complete required training
YALE-MSS-12: Intrusion Detection
YALE-MSS-12.1: Capture inbound and outbound network flow data
YALE-MSS-12.2: Utilize a network firewall to allow the least amount of access possible
YALE-MSS-12.3: Implement an Intrusion Detection and Prevention System
YALE-MSS-13: Logging
YALE-MSS-13.1: Ensure logging contains information required for incident response
YALE-MSS-13.2: Log all authentication events
YALE-MSS-13.3: Ensure logs are forwarded to a log server in addition to the in-scope system
YALE-MSS-13.4: Collect and review all source system activity logs
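The logging requirements above only pay off when someone acts on the logs, and YALE-MSS-9.10 (prevent brute force attacks) is the requirement that most directly depends on them. The Python below is an added example, not code from the MSS page or from Yale: it parses a forwarded auth-log stream in the sshd message style, keeps every authentication event (13.2), and flags any source address that accumulates five failures inside a ten-minute sliding window, the kind of threshold a lockout or block rule would act on. It then lists successful logins from a flagged source, which is the record an incident responder needs (13.1): timestamp, host, account, source address, and outcome on every line. The log lines are constructed; the function names and the threshold are this example's own.

```python
"""Brute-force detection over forwarded authentication logs.
Added example for YALE-MSS-9.10 (prevent brute force), 13.1 (logs carry
what incident response needs) and 13.2 (log all authentication events).
The sshd-style lines below are constructed; nothing here is Yale's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a syslog stream forwarded from one host.  Every line
# carries timestamp, host, service, outcome, account and source address.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:03Z host1 sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:04Z host1 sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:06Z host1 sshd[2104]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:07Z host1 sshd[2105]: Failed password for alice from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:09Z host1 sshd[2106]: Accepted publickey for alice from 203.0.113.7 port 51005 ssh2
2024-03-01T10:05:00Z host1 sshd[2200]: Failed password for bob from 198.51.100.9 port 40000 ssh2
2024-03-01T10:20:00Z host1 sshd[2201]: Failed password for bob from 198.51.100.9 port 40001 ssh2
2024-03-01T10:21:00Z host1 sshd[2202]: Accepted password for bob from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_events(text: str):
    """Yield one dict per authentication event, success or failure (MSS-13.2).
    Lines that are not authentication outcomes are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["success"] = ev["outcome"] == "Accepted"
        yield ev


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)) -> dict:
    """Return {src: timestamp} for sources reaching `threshold` failures inside
    a sliding `window`.  Failures are counted per source, not per account, so
    password spraying across many usernames is caught as well as hammering
    one account.  The timestamp is when the source should have been blocked."""
    recent = defaultdict(deque)  # src -> timestamps of failures in the window
    flagged = {}
    for ev in events:
        if ev["success"]:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = ev["ts"]
    return flagged


def successes_after_flag(events, flagged: dict) -> list:
    """Successful logins from a flagged source at or after the flag time:
    the events incident response must treat as a possible compromise."""
    return [ev for ev in events
            if ev["success"] and ev["src"] in flagged and ev["ts"] >= flagged[ev["src"]]]


if __name__ == "__main__":
    evs = list(parse_auth_events(SAMPLE_LOG))
    flagged = detect_brute_force(evs)
    for src, ts in flagged.items():
        print(f"brute force from {src} at {ts:%H:%M:%S}Z: block source / lock out")
    for ev in successes_after_flag(evs, flagged):
        print(f"ALERT: {ev['user']} logged in from flagged source {ev['src']} "
              f"on {ev['host']} at {ev['ts']:%H:%M:%S}Z")
```

In the constructed sample, 203.0.113.7 reaches five failures in six seconds and is flagged, and the key-based login for alice from that address two seconds later is surfaced for the responder; bob's two failures fifteen minutes apart never reach the threshold. Running this against a copy forwarded to a log server rather than the host's own file (13.3) is what keeps the evidence intact if the attacker succeeds and clears local logs.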
YALE-MSS-14: Security Incident Reporting