Minimum Security Standards

YALE-MSS-1: System Classification

YALE-MSS-1.1: Determine the system type and classify the IT system
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-1.2: Apply any additional security requirements required by external obligations
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-1.3: Ensure appropriate contracts for all third-party relationships are in place
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-1.4: Designate and protect Critical IT Infrastructure
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Not Required Moderate Risk Server Not Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-1.5: Plan for data recovery requirements
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-1.6: Plan for meeting and maintaining the security requirements for the IT System
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-1.7: Complete a Security Planning Assessment (SPA)
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-2: System Inventory

YALE-MSS-2.1: Establish the scope of the IT System
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-3: Disaster Recovery (DR)

YALE-MSS-3.1: Create a Disaster Recovery Plan
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Not Required Moderate Risk Server Not Required High Risk Server Upcoming Required for HIPAA Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-3.2: Test the Disaster Recovery Plan
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Not Required Moderate Risk Server Not Required High Risk Server Upcoming Required for HIPAA Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-4: Physical Security

YALE-MSS-4.1: Physically secure the IT System
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Required Low Risk Server Not Required Moderate Risk Server Not Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Required

YALE-MSS-4.2: Ensure print jobs are secure
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Not Required Moderate Risk Server Not Required High Risk Server Not Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Required

YALE-MSS-5: Software Security

YALE-MSS-5.1: Utilize an industry-standard secure configuration method
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Required for PCI Low Risk Server Not Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-5.2: Utilize endpoint protection
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-5.3: Run supported hardware, software, and operating systems
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-5.4: Manage all changes to the system through a change control process
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Not Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-6: Patching

YALE-MSS-6.1: Apply security patches regularly
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-7: Data Protection

YALE-MSS-8: Application Development Security

YALE-MSS-8.1: Follow an appropriate secure development methodology when writing software
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Not Required Moderate Risk Server Upcoming Required for IA High Risk Server Upcoming Required for IA Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-8.2: Test for security vulnerabilities when any changes are made to the system
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-9: Authentication and Authorization

YALE-MSS-9.1: All accounts must be uniquely authenticated
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-9.2: Utilize secure passwords for authentication
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-9.3: Provision access to IT systems and data according to the principle of least privilege
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-9.4: Deprovision accounts and access when roles and responsibilities change
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-9.5: Require Multifactor Authentication (MFA) for access to authenticated systems
Read the Full Spec

Low Risk Endpoint Required for IA Moderate Risk Endpoint Required for IA High Risk Endpoint Required for IA Low Risk Server Required for IA Moderate Risk Server Required for IA High Risk Server Required for IA Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Required for IA Moderate Risk Network Printer Required for IA High Risk Network Printer Required for IA

YALE-MSS-9.6: Use University approved authentication methods
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-9.7: Secure and/or limit storage of authentication information
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-9.8: Allow only encrypted network protocols for authentication
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-9.9: Prevent brute force attacks
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Upcoming Low Risk Server Not Required Moderate Risk Server Not Required High Risk Server Upcoming Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Upcoming Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Upcoming

YALE-MSS-9.10: Use administrative and service accounts for their assigned function only
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-9.11: Disable direct logins for generic or administrative accounts
Read the Full Spec

Low Risk Endpoint Required for IA Moderate Risk Endpoint Required for IA High Risk Endpoint Required for IA Low Risk Server Required for IA Moderate Risk Server Upcoming Required for IA High Risk Server Upcoming Required for IA Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Required for IA Moderate Risk Network Printer Upcoming Required for IA High Risk Network Printer Upcoming Required for IA

YALE-MSS-10: Network Exposure

YALE-MSS-10.1: Disable unneeded ports, protocols, and services
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-10.2: Configure host firewalls to deny all unsolicited inbound traffic by default
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Not Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-10.3: Use a private IP address if direct internet access is not required
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-11: Security Training

YALE-MSS-11.1: Require security training for all users of Yale Data and Yale IT Systems
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-12: Intrusion Detection

YALE-MSS-12.1: Capture inbound and outbound network flow data
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Required for IA Low Risk Server Required for IA Moderate Risk Server Upcoming Required for IA High Risk Server Upcoming Required for IA Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Required for IA Moderate Risk Network Printer Upcoming Required for IA High Risk Network Printer Upcoming Required for IA

YALE-MSS-12.2: Use a network firewall to control traffic
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-12.3: Implement an Intrusion Detection and Prevention System
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Not Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-13: Logging

YALE-MSS-13.1: Ensure logging contains information required for incident response
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-13.2: Log all authentication events
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Not Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-13.3: Ensure logs are forwarded to a log server in addition to the in-scope system
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Not Required Moderate Risk Server Upcoming High Risk Server Upcoming Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-13.4: Collect and review all system activity logs
Read the Full Spec

Low Risk Endpoint Not Required Moderate Risk Endpoint Not Required High Risk Endpoint Not Required Low Risk Server Not Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-14: Security Incident Reporting

YALE-MSS-14.1: Report any suspected security incidents to the Information Security Team
Read the Full Spec

Low Risk Endpoint Required Moderate Risk Endpoint Required High Risk Endpoint Required Low Risk Server Required Moderate Risk Server Required High Risk Server Required Low Risk Mobile Device Required Moderate Risk Mobile Device Required High Risk Mobile Device Required Low Risk Network Printer Required Moderate Risk Network Printer Required High Risk Network Printer Required

YALE-MSS-14.2: Identify the system's primary security contact
Read the Full Spec

Low Risk Endpoint Upcoming Moderate Risk Endpoint Upcoming High Risk Endpoint Upcoming Low Risk Server Upcoming Moderate Risk Server Upcoming High Risk Server Upcoming Low Risk Mobile Device Not Required Moderate Risk Mobile Device Not Required High Risk Mobile Device Not Required Low Risk Network Printer Not Required Moderate Risk Network Printer Not Required High Risk Network Printer Not Required

YALE-MSS-1.1: Determine the system type and classify the IT system Read the Full Spec

YALE-MSS-1.2: Apply any additional security requirements required by external obligations Read the Full Spec

YALE-MSS-1.3: Ensure appropriate contracts for all third-party relationships are in place Read the Full Spec

YALE-MSS-1.4: Designate and protect Critical IT Infrastructure Read the Full Spec

YALE-MSS-1.5: Plan for data recovery requirements Read the Full Spec

YALE-MSS-1.6: Plan for meeting and maintaining the security requirements for the IT System Read the Full Spec

YALE-MSS-1.7: Complete a Security Planning Assessment (SPA) Read the Full Spec

YALE-MSS-2.1: Establish the scope of the IT System Read the Full Spec

YALE-MSS-3.1: Create a Disaster Recovery Plan Read the Full Spec

YALE-MSS-3.2: Test the Disaster Recovery Plan Read the Full Spec

YALE-MSS-4.1: Physically secure the IT System Read the Full Spec

YALE-MSS-4.2: Ensure print jobs are secure Read the Full Spec

YALE-MSS-5.1: Utilize an industry-standard secure configuration method Read the Full Spec

YALE-MSS-5.2: Utilize endpoint protection Read the Full Spec

YALE-MSS-5.3: Run supported hardware, software, and operating systems Read the Full Spec

YALE-MSS-5.4: Manage all changes to the system through a change control process Read the Full Spec

YALE-MSS-6.1: Apply security patches regularly Read the Full Spec

YALE-MSS-7.1: Back up required data Read the Full Spec

YALE-MSS-7.2: Encrypt all electronic storage devices Read the Full Spec

YALE-MSS-7.3: Encrypt data in transit Read the Full Spec

YALE-MSS-7.4: Re-use or dispose of systems securely Read the Full Spec

YALE-MSS-7.5: Ensure proper key life cycle management Read the Full Spec

YALE-MSS-7.6: Delete data when it is no longer required Read the Full Spec

YALE-MSS-7.7: Utilize host Data Loss Prevention (DLP) Read the Full Spec

YALE-MSS-7.8: Use inactivity locks Read the Full Spec

YALE-MSS-7.9: Store Yale Data within the United States Read the Full Spec

YALE-MSS-7.10: Secure Bluetooth at all times Read the Full Spec

YALE-MSS-7.11: Enroll in a remote wipe capability Read the Full Spec

YALE-MSS-7.12: Do not circumvent device security Read the Full Spec

YALE-MSS-8.1: Follow an appropriate secure development methodology when writing software Read the Full Spec

YALE-MSS-8.2: Test for security vulnerabilities when any changes are made to the system Read the Full Spec

YALE-MSS-9.1: All accounts must be uniquely authenticated Read the Full Spec

YALE-MSS-9.2: Utilize secure passwords for authentication Read the Full Spec

YALE-MSS-9.3: Provision access to IT systems and data according to the principle of least privilege Read the Full Spec

YALE-MSS-9.4: Deprovision accounts and access when roles and responsibilities change Read the Full Spec

YALE-MSS-9.5: Require Multifactor Authentication (MFA) for access to authenticated systems Read the Full Spec

YALE-MSS-9.6: Use University approved authentication methods Read the Full Spec

YALE-MSS-9.7: Secure and/or limit storage of authentication information Read the Full Spec

YALE-MSS-9.8: Allow only encrypted network protocols for authentication Read the Full Spec

YALE-MSS-9.9: Prevent brute force attacks Read the Full Spec

YALE-MSS-9.10: Use administrative and service accounts for their assigned function only Read the Full Spec

YALE-MSS-9.11: Disable direct logins for generic or administrative accounts Read the Full Spec

YALE-MSS-10.1: Disable unneeded ports, protocols, and services Read the Full Spec

YALE-MSS-10.2: Configure host firewalls to deny all unsolicited inbound traffic by default Read the Full Spec

YALE-MSS-10.3: Use a private IP address if direct internet access is not required Read the Full Spec

YALE-MSS-11.1: Require security training for all users of Yale Data and Yale IT Systems Read the Full Spec

YALE-MSS-12.1: Capture inbound and outbound network flow data Read the Full Spec

YALE-MSS-12.2: Use a network firewall to control traffic Read the Full Spec

YALE-MSS-12.3: Implement an Intrusion Detection and Prevention System Read the Full Spec

YALE-MSS-13.1: Ensure logging contains information required for incident response Read the Full Spec

YALE-MSS-13.2: Log all authentication events Read the Full Spec

YALE-MSS-13.3: Ensure logs are forwarded to a log server in addition to the in-scope system Read the Full Spec

YALE-MSS-13.4: Collect and review all system activity logs Read the Full Spec

YALE-MSS-14.1: Report any suspected security incidents to the Information Security Team Read the Full Spec

YALE-MSS-14.2: Identify the system's primary security contact Read the Full Spec

YALE-MSS-1.1: Determine the system type and classify the IT system
Read the Full Spec

YALE-MSS-1.2: Apply any additional security requirements required by external obligations
Read the Full Spec

YALE-MSS-1.3: Ensure appropriate contracts for all third-party relationships are in place
Read the Full Spec

YALE-MSS-1.4: Designate and protect Critical IT Infrastructure
Read the Full Spec

YALE-MSS-1.5: Plan for data recovery requirements
Read the Full Spec

YALE-MSS-1.6: Plan for meeting and maintaining the security requirements for the IT System
Read the Full Spec

YALE-MSS-1.7: Complete a Security Planning Assessment (SPA)
Read the Full Spec

YALE-MSS-2.1: Establish the scope of the IT System
Read the Full Spec

YALE-MSS-3.1: Create a Disaster Recovery Plan
Read the Full Spec

YALE-MSS-3.2: Test the Disaster Recovery Plan
Read the Full Spec

YALE-MSS-4.1: Physically secure the IT System
Read the Full Spec

YALE-MSS-4.2: Ensure print jobs are secure
Read the Full Spec

YALE-MSS-5.1: Utilize an industry-standard secure configuration method
Read the Full Spec

YALE-MSS-5.2: Utilize endpoint protection
Read the Full Spec

YALE-MSS-5.3: Run supported hardware, software, and operating systems
Read the Full Spec

YALE-MSS-5.4: Manage all changes to the system through a change control process
Read the Full Spec

YALE-MSS-6.1: Apply security patches regularly
Read the Full Spec

YALE-MSS-7.1: Back up required data
Read the Full Spec

YALE-MSS-7.2: Encrypt all electronic storage devices
Read the Full Spec

YALE-MSS-7.3: Encrypt data in transit
Read the Full Spec

YALE-MSS-7.4: Re-use or dispose of systems securely
Read the Full Spec

YALE-MSS-7.5: Ensure proper key life cycle management
Read the Full Spec

YALE-MSS-7.6: Delete data when it is no longer required
Read the Full Spec

YALE-MSS-7.7: Utilize host Data Loss Prevention (DLP)
Read the Full Spec

YALE-MSS-7.8: Use inactivity locks
Read the Full Spec

YALE-MSS-7.9: Store Yale Data within the United States
Read the Full Spec

YALE-MSS-7.10: Secure Bluetooth at all times
Read the Full Spec

YALE-MSS-7.11: Enroll in a remote wipe capability
Read the Full Spec

YALE-MSS-7.12: Do not circumvent device security
Read the Full Spec

YALE-MSS-8.1: Follow an appropriate secure development methodology when writing software
Read the Full Spec

YALE-MSS-8.2: Test for security vulnerabilities when any changes are made to the system
Read the Full Spec

YALE-MSS-9.1: All accounts must be uniquely authenticated
Read the Full Spec

YALE-MSS-9.2: Utilize secure passwords for authentication
Read the Full Spec

YALE-MSS-9.3: Provision access to IT systems and data according to the principle of least privilege
Read the Full Spec

YALE-MSS-9.4: Deprovision accounts and access when roles and responsibilities change
Read the Full Spec

YALE-MSS-9.5: Require Multifactor Authentication (MFA) for access to authenticated systems
Read the Full Spec

YALE-MSS-9.6: Use University approved authentication methods
Read the Full Spec

YALE-MSS-9.7: Secure and/or limit storage of authentication information
Read the Full Spec

YALE-MSS-9.8: Allow only encrypted network protocols for authentication
Read the Full Spec

YALE-MSS-9.9: Prevent brute force attacks
Read the Full Spec

YALE-MSS-9.10: Use administrative and service accounts for their assigned function only
Read the Full Spec

YALE-MSS-9.11: Disable direct logins for generic or administrative accounts
Read the Full Spec

YALE-MSS-10.1: Disable unneeded ports, protocols, and services
Read the Full Spec

YALE-MSS-10.2: Configure host firewalls to deny all unsolicited inbound traffic by default
Read the Full Spec

YALE-MSS-10.3: Use a private IP address if direct internet access is not required
Read the Full Spec

YALE-MSS-11.1: Require security training for all users of Yale Data and Yale IT Systems
Read the Full Spec

YALE-MSS-12.1: Capture inbound and outbound network flow data
Read the Full Spec

YALE-MSS-12.2: Use a network firewall to control traffic
Read the Full Spec

YALE-MSS-12.3: Implement an Intrusion Detection and Prevention System
Read the Full Spec

YALE-MSS-13.1: Ensure logging contains information required for incident response
Read the Full Spec

YALE-MSS-13.2: Log all authentication events
Read the Full Spec

YALE-MSS-13.3: Ensure logs are forwarded to a log server in addition to the in-scope system
Read the Full Spec

YALE-MSS-13.4: Collect and review all system activity logs
Read the Full Spec

YALE-MSS-14.1: Report any suspected security incidents to the Information Security Team
Read the Full Spec

YALE-MSS-14.2: Identify the system's primary security contact
Read the Full Spec