On March 15, the Information Security Office (ISO) will publish a reorganized version of Yale's Minimum Security Standards (MSS). The purpose of this reorganization is to improve comprehension and reduce redundancy. The requirements in the MSS have not changed.
What is changing?
- Consolidated Standards Groups (Yale-MSS-X) from 16 to 14. A crosswalk showing this consolidation can be found below.
- Reworded and consolidated standards (Yale-MSS-X.Y).
- Refreshed MSS webpages organized based on roles and their interactions with the MSS.
- Clarified language throughout the MSS and its supporting web pages.
What is not changing?
The requirements in the MSS have not changed. If a system is in compliance today, it will still be in compliance on March 15th. ISO will make an archive of the current version available for viewing for a limited time.
Old Standard Groups | New Standard Groups
---|---
Yale-MSS-1: Know Your Security Requirements | Yale-MSS-1: System Classification
Yale-MSS-2: Inventory the System | Yale-MSS-2: System Inventory
Yale-MSS-3: Plan for Disaster Recovery (DR) | Yale-MSS-3: Disaster Recovery (DR)
Yale-MSS-4: Physically Secure the System | Yale-MSS-4: Physical Security
Yale-MSS-5: Secure Configuration of Hardware & Software | Yale-MSS-5: Software Security
Yale-MSS-6: Use Supported Software | Yale-MSS-5: Software Security (consolidated)
Yale-MSS-7: Ensure Routine and Timely Patching | Yale-MSS-6: Patching
Yale-MSS-8: Protect the Data | Yale-MSS-7: Data Protection
Yale-MSS-9: Develop and Maintain Secure Software | Yale-MSS-8: Application Development Security
Yale-MSS-10: Manage Access to the System | Yale-MSS-9: Authentication and Authorization
Yale-MSS-11: Control the Use of Privileged Accounts | Yale-MSS-9: Authentication and Authorization (consolidated)
Yale-MSS-12: Secure the Network and Control Network Ports | Yale-MSS-10: Network Exposure
Yale-MSS-13: Training | Yale-MSS-11: Security Training
Yale-MSS-14: Implement Methods of Intrusion Detection | Yale-MSS-12: Intrusion Detection
Yale-MSS-15: Collect and Preserve Audit Logs | Yale-MSS-13: Logging
Yale-MSS-16: Respond To and Manage Security Incidents | Yale-MSS-14: Security Incident Response
The future of the MSS
Yale's Minimum Security Standards (MSS) are based on Yale's dynamic risk landscape. As risks evolve, so does the MSS. ISO’s goal is to continue to improve the MSS to reflect this relationship. When requirements change, the appropriate communications will be sent in advance. This advance notice will allow for planning to meet any new, applicable requirements.
In the interim, ISO will continue to work to clarify these standards and provide more guidance. Contact information.security@yale.edu with any questions or comments that would help clarify any and all parts of the MSS.
The future of MSS Training
Over the past two years, ISO provided the MSS Roadshow training. This training was successfully offered to all IT at Yale. The foundational course, MSS 101, will continue to be offered in an online format. Going forward, MSS training will evolve to a series of MSS Lunch and Learns.
These Lunch and Learns will cover one MSS Standards Group at a time. They will feature a subject matter expert based on the Standards Group being covered. Please attend and encourage your team members to attend these events. There will be an opportunity to ask questions about applying the MSS to IT Systems at Yale.
For any questions or concerns about the MSS Reorganization, please email information.security@yale.edu.
Thank you for your ongoing commitment to doing your part in protecting Yale’s data and systems.