Minimum Security Standards
The Minimum Security Standards (MSS) are the baseline requirements for securing Yale IT Systems. They ensure that Yale IT Systems are built and maintained securely, with controls scaled to risk.
This page is a representation of the complete Minimum Security Standards (MSS): a consolidated list of all of Yale's current security requirements, drawn from Yale's current security policies, procedures, and practices. To read more about the MSS and how they work, visit cybersecurity.yale.edu/mss.
To narrow the MSS down to the requirements that apply to your IT System, use the MSS Calculator at cybersecurity.yale.edu/mss/calculator.
This page reflects the streamlined MSS as of 3/15/2023. The reorganization was intended to improve comprehension and reduce redundancy; the requirements themselves have not changed. For details on the change, or to view the previous version of the MSS, see the streamlining the MSS page at cybersecurity.yale.edu/news/streamlining-minimum-security-standards.
YALE-MSS-1.1: Classify the IT System and meet the Minimum Security Standards
YALE-MSS-1.2: Apply any additional security requirements required by external obligations
YALE-MSS-1.3: Ensure appropriate contracts for all third-party relationships are in place
YALE-MSS-1.6: Plan for meeting and maintaining the security requirements for the IT System
YALE-MSS-2.2: Use a private IP address if direct internet access is not required
YALE-MSS-5.4: Ensure all software is actively supported by a vendor or open-source project
YALE-MSS-5.5: Manage all changes to the system through a change control process
YALE-MSS-7.4: Recycle IT Systems using Yale's Environmental Health and Safety (EHS) Process
YALE-MSS-7.6: All network traffic must use a strong, industry-standard encryption method
YALE-MSS-8.1: Follow an appropriate secure development methodology when writing software
YALE-MSS-8.2: Test for security vulnerabilities when any changes are made to the system
YALE-MSS-9.4: Grant privileges to IT Systems and data according to the principle of least privilege
YALE-MSS-9.5: Deprovision accounts and access when roles & responsibilities change
YALE-MSS-9.6: Require Multifactor Authentication (MFA) for access to authenticated systems
YALE-MSS-9.8: Secure and/or limit storage of authentication information
YALE-MSS-9.9: Allow only encrypted network protocols for authentication
YALE-MSS-9.11: Use administrative and service accounts for their IT function only
YALE-MSS-9.12: Ensure authentication events are associated with an individual and not just an administrative or service account
YALE-MSS-10.1: Enable ports, protocols, and services on an as-needed basis
YALE-MSS-10.2: Configure host firewalls to deny all unsolicited inbound traffic by default
YALE-MSS-10.3: Utilize host firewalls to control and log all inbound and outbound traffic
YALE-MSS-11.1: Require security training for all users of Yale Data and Yale IT Systems
YALE-MSS-12.2: Utilize a network firewall to allow the least amount of access possible
YALE-MSS-13.1: Ensure logging contains information required for incident response
YALE-MSS-13.3: Ensure logs are forwarded to a log server in addition to the in-scope system
YALE-MSS-14.1: Report any suspected security incidents to the Information Security Team in a timely manner