MSS for Users and User Support Providers

This page helps users understand how Yale’s Minimum Security Standards (MSS) apply to their everyday work at Yale.

If you’re on this page, it is because you are:

  • A user of Yale data or systems trying to figure out how to apply the MSS to the work you do.
  • A user support provider trying to help the users you support apply the MSS to the work they do.

 

Overview  

Yale’s Data Classification Policy holds users of Yale Data responsible for:

  • Understanding Yale’s data classifications
  • Considering how these classifications apply to the Yale Data under their control
  • Implementing the MSS for each classification

But what does that really mean?

It means that anyone using Yale’s data must:

  • Know the risk level of that data
  • Use IT Systems that are designed to secure that risk

This guide helps users understand how to ensure they are working securely (a.k.a. applying the MSS) in the work they do every day. If you’re a user support provider, this guide helps you navigate conversations with your users to help them work securely.

 

MSS for Users

A user is anyone who works with Yale Data or systems to complete work for the University. Examples include researchers, faculty, administrative staff, and student workers.

What are users responsible for?

Users are responsible for:

  • Knowing the risk classification of the work they are doing.
  • Ensuring the system they are using is designed to protect that level of data.

Knowing the risk classification of the work they are doing.

This includes:

The risk classification of the IT System is the highest risk level derived from these three factors. You can determine the risk classification by using the chart below:

  • Data Classification: High, Moderate, Low
  • Availability Requirement: High, Moderate, Low
  • External Obligations: HIPAA, PCI, FERPA, others
  • Risk Classification: Highest risk value of three factors above

 

For more details visit our Risk Classification Guideline.

Ensuring the system they are using is designed to protect that level of data.

This can include, but is not limited to:

  • The computer (laptop, desktop, tablet, smartphone) you use to access that data.
  • The applications you use to work with that data (e.g. your email application, an application or software specific to your department).
  • Where you store that data – whether you store this data on your device, in a cloud application, or somewhere else.

We call this “making your match”. For example, if you are working with High Risk data, you want to make sure the devices and applications are designed to protect High Risk data. You can work with your user support provider to help you make this match.

MSS for User Support Providers

A user support provider is someone who helps users with IT or Information Security issues. This includes anyone who identifies their role as an IT Support Provider. Examples of this are Distributed Support Providers (DSPs) and IT Partners.

What are user support providers responsible for?

User support providers are responsible for helping users work securely. This means understanding their technology needs and the risk of the work the user is doing. User support providers do not decide the risk classification of the work the user is doing. They help the user:

  • Classify their work.
  • Find technology that is designed to secure that risk level of work.

We also refer to this as helping the user “make their match”.

 

Make Your Match

The concept of “make your match” helps us to navigate risk classification and the MSS.

If you are a user...

It is your responsibility to “make your match”. This means classifying your work as high, moderate, or low risk. To ensure you’re working securely, you then “match” the risk of your work with a system that protects that level of risk.

If you’re a user support provider...

You help users find the right system for their risk level. This matching concept can help you navigate the conversation with your users.

 

Two ways to make your match

Choose an existing service that matches the classification of your work.

Yale maintains a list of commonly used services by risk classification. To view this list, see the webpage Risk Classification of Commonly Used Services at Yale.

Build or purchase a new system and ensure it meets the Minimum Security Standards for your risk level.

For details on understanding and applying the MSS, view Yale's MSS webpage.

 

Make Your Match Example

As an example, let’s consider a group of users that needs to store High Risk data files securely. They can either:

Choose an existing service. For example, Microsoft Teams is a file sharing and storage service that is classified for High Risk data.

Build or purchase their own service. The service must be configured to meet the High Risk Minimum Security Standards.

No matter what option the group chooses, they are working securely! This is because they are either using an existing service or configuring a new one that will meet the MSS for the classification of their work (High Risk).

Can I store High Risk data in a Moderate Risk service?

What if this group wanted to use Yale Box? Yale Box is only built to secure Moderate Risk data. If you find you are currently accessing or storing data in a service that is not protected for your risk level or higher, talk to your supervisor. As members of the Yale community, we all have a responsibility to protect Yale's data.

 

Below is a collection of resources to help you understand and apply the MSS at Yale. 
 

Yale's Minimum Security Standards

The Minimum Security Standards (MSS) are how we protect Yale IT Systems based on risk.

Visit Yale's Minimum Security Standards page

Applying the MSS to IT Systems

This page explains how to read, understand, and apply the Minimum Security Standards (MSS) to a system.

View the Applying the MSS to IT Systems page

MSS Key

Once you know your system type and classification, use the key to know which MSS apply to your IT System.

View the MSS Key

MSS Calculator

The MSS Calculator helps you narrow down the MSS to only the requirements that apply to your IT System.

View the MSS calculator

Full MSS List

The Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems.

View the full MSS list

Know Your Risk Toolkit

When you know the risk classification of the data and IT Systems you use, you will know if you are working securely.

View the Know Your Risk toolkit