Have questions about Yale’s Minimum Security Standards (MSS)? Do you know how to apply the MSS to your IT Systems? The MSS Lunch & Learns will feature subject matter experts from the Information Security Office who will provide discussions around:
- Each of the 14 MSS standards groups
- How to apply the MSS to systems you manage or support
- Completing an MSS review
- Preparing for a Security Planning Assessment (SPA)
What are the Minimum Security Standards (MSS)?
The Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems to ensure we build and maintain secure Yale IT Systems based on the risk they carry. A Yale IT System is a system that uses Yale data and/or operates in support of Yale’s mission. All Yale IT Systems must meet and adhere to the MSS.
What are the MSS Lunch & Learns?
The MSS Lunch & Learns will provide opportunities to learn from subject matter experts on each of the 14 MSS standards groups. Each session will offer a review of specific standards groups.
Each session will start with a discussion on the standards group(s). We encourage you to come with your specific questions that can be addressed in the Q&A session of the Lunch and Learn.
The table, below, provides details about each session including:
- The standards group(s) covered
- A brief description of the information to be covered
- The scheduled date for the session
Who should attend the MSS Lunch & Learns?
The MSS Lunch & Learns are open to anyone interested in learning more about the MSS or how they apply to the SPA process.
The sessions will provide critical information about applying the MSS to an IT System and conducting an MSS review. You should plan to attend the MSS Lunch & Learns if either of the following apply:
- You are a system decision maker planning a new system or an update to an existing system
- You are a system support provider configuring a system you support
For more details on these roles see What is my role in applying the MSS at Yale? on Yale's Minimum Security Standards (MSS) webpage.
MSS Lunch & Learn Schedule
| Standards Group(s) | Description | Date | Registration Link | Presentation Slides |
|---|---|---|---|---|
|
YALE-MSS-1: YALE-MSS-11: |
Know your requirements based on the system type and risk classification. If your risk classification changes over time, your requirements will change. This category is a prerequisite to meeting and maintaining the rest of the MSS. Ensure users and third-party vendors know the role they play in the IT System’s security. This can be how they use and/or support the system securely. |
April 17, 2024 | Registration closed | Download presentation |
|
YALE-MSS-2: YALE-MSS-3: YALE-MSS-10: YALE-MSS-12: |
Know what your security requirements apply to. This category is a prerequisite to risk classification and meeting the MSS. Create a step-by-step procedure to restore the IT System in the event of a disruption. Test the plan to ensure it is successful and meets your availability requirement or recovery time objective (RTO). Determine network security for the IT Systems that connect to the network. The goal of this category is to limit network exposure. |
May 15, 2024 | Register | |
|
YALE-MSS-4: YALE-MSS-7: |
Ensure the system is physically secured based on its risk classification. These controls will vary based on where the system is physically located. Ensure data protection controls are in place. This includes how the data is encrypted, backed up, and used securely by the IT System. |
June 12, 2024 | Register | |
| YALE-MSS-5: Software Security |
Make security-conscious choices for configuring your software, and firmware. This includes running supported operating systems and software for commercial, in-house, and open-source software. | July 17, 2024 | Register | |
| YALE-MSS-6: Patching |
Ensure a process is in place to apply security updates (a.k.a. patches) routinely and actively. This includes establishing an emergency patch process for critical vulnerabilities. | August 21, 2024 | Register | |
| YALE-MSS-8: Application Development Security |
Implement secure software development lifecycle (SDLC) practices when deploying software and applications. This includes testing for common security flaws. | September 18, 2024 | Register | |
| YALE-MSS-9: Authentication and Authorization |
Manage authentication and authorization lifecycle management for user and privileged accounts. | October 16, 2024 | Register | |
| YALE-MSS-13: Logging |
Ensure all system components are logging relevant security data. Preserve relevant security data in the event of an incident. | November 13, 2024 | Register | |
| How to Complete the SPA Process | Learn about the SPA process including how to prepare, how to request, and what to expect throughout the process. | December 18, 2024 | Register |
Additional Resources
Yale's Minimum Security Standards
The Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems. The MSS helps us address Yale’s risk landscape and deliver the Yale mission securely.
Applying the MSS to IT Systems
This page explains how to read, understand, and apply the Minimum Security Standards (MSS) to a system.
Security Planning Assessment (SPA)
The SPA process establishes the security of Yale IT Systems. The process also ensures you have a plan to operate a secure IT System through the life span of the system.