Streamlining the Minimum Security Standards

On March 15, the Information Security Office (ISO) will publish a reorganized version of Yale's Minimum Security Standards (MSS). The purpose of this reorganization is to improve comprehension and reduce redundancy. The requirements in the MSS have not changed.

 

What is changing?  

  • Consolidated Standards Groups (Yale-MSS-X) from 16 to 14. A crosswalk showing this consolidation can be found below.
  • Reworded and consolidated standards (Yale-MSS-X.Y).
  • Refreshed MSS webpages organized based on roles and their interactions with the MSS.
  • Clarified language throughout the MSS and its supporting web pages.

What is not changing?

The requirements in the MSS have not changed. If a system is in compliance today, it will still be in compliance on March 15th. ISO will make an archive of the current version available for viewing for a limited time.

 

 

| Old Standard Groups | New Standard Groups |
| --- | --- |
| Yale-MSS-1: Know Your Security Requirements | Yale-MSS-1: System Classification |
| Yale-MSS-2: Inventory the System | Yale-MSS-2: System Inventory |
| Yale-MSS-3: Plan for Disaster Recovery (DR) | Yale-MSS-3: Disaster Recovery (DR) |
| Yale-MSS-4: Physically Secure the System | Yale-MSS-4: Physical Security |
| Yale-MSS-5: Secure Configuration of Hardware & Software | Yale-MSS-5: Software Security |
| Yale-MSS-6: Use Supported Software | |
| Yale-MSS-7: Ensure Routine and Timely Patching | Yale-MSS-6: Patching |
| Yale-MSS-8: Protect the Data | Yale-MSS-7: Data Protection |
| Yale-MSS-9: Develop and Maintain Secure Software | Yale-MSS-8: Application Development Security |
| Yale-MSS-10: Manage Access to the System | Yale-MSS-9: Authentication and Authorization |
| Yale-MSS-11: Control the Use of Privileged Accounts | |
| Yale-MSS-12: Secure the Network and Control Network Ports | Yale-MSS-10: Network Exposure |
| Yale-MSS-13: Training | Yale-MSS-11: Security Training |
| Yale-MSS-14: Implement Methods of Intrusion Detection | Yale-MSS-12: Intrusion Detection |
| Yale-MSS-15: Collect and Preserve Audit Logs | Yale-MSS-13: Logging |
| Yale-MSS-16: Respond To and Manage Security Incidents | Yale-MSS-14: Security Incident Response |

 


 

The future of the MSS

Yale's Minimum Security Standards (MSS) are based on Yale's dynamic risk landscape. As risks evolve, so does the MSS. ISO’s goal is to continue to improve the MSS to reflect this relationship. When requirements change, the appropriate communications will be sent in advance. This advance notice will allow for planning to meet any new, applicable requirements.

In the interim, ISO will continue to work to clarify these standards and provide more guidance. Contact information.security@yale.edu with any questions or comments that would help clarify any and all parts of the MSS.

The future of MSS Training

Over the past two years, ISO provided the MSS Roadshow training. This training was successfully offered to all IT at Yale. The foundational course, MSS 101, will continue to be offered in an online format. Going forward, MSS training will evolve to a series of MSS Lunch and Learns.  

These Lunch and Learns will cover one MSS Standards Group at a time. They will feature a subject matter expert based on the Standards Group being covered. Please attend and encourage your team members to attend these events. There will be an opportunity to ask questions about applying the MSS to IT Systems at Yale.  

For any questions or concerns about the MSS Reorganization, please email information.security@yale.edu.  

Thank you for your ongoing commitment to doing your part in protecting Yale’s data and systems.