Yale's Minimum Security Standards
The Minimum Security Standards (MSS) are how we protect Yale IT Systems based on risk. The MSS helps us address Yale's risk landscape and deliver the Yale mission securely.

Everyone plays a role in understanding and applying the MSS at Yale. To do this, you'll need to:

  • Know what the Minimum Security Standards (MSS) are.
  • Know the risk of the work you do.
  • Know your role in implementing the MSS.
The Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems. The MSS ensures we build and maintain secure Yale IT Systems based on the risk they carry.

You can view the MSS in one of three ways:

  • MSS List: View Yale's Minimum Security Standards. (View the MSS list)
  • MSS Calculator: View the specific Minimum Security Standards for your system. (Use the MSS calculator)
  • MSS Download: Download the full list of Minimum Security Standards in CSV format. Please allow a few minutes for the download to complete. (Download the MSS)

When do the MSS apply?

A Yale IT System is any IT system that uses Yale data and/or operates in support of Yale’s mission. This includes:

  • The laptop, desktop, tablet, or mobile device you use to complete your work for Yale.
  • The software and applications you use to access, store, or send your work for Yale.
  • IT Systems hosted at Yale (i.e. built and run by Central IT or a department).
  • IT Systems hosted by a third party (e.g. cloud applications, third-party services).
  • All environments that access Yale data. If real Yale data is being put in development or test environments, those environments must meet the MSS.

How do the MSS work? 

The MSS are baseline security requirements for all systems accessing Yale Data. We apply the Minimum Security Standards based on:

  • the type of system you’re working with, and
  • the risk level of the work you are doing (a.k.a. risk classification).

System Type 

To apply the MSS to what you’re doing, you need to determine what system type you are working with. The MSS requirements apply to four system types:

Endpoint
  Definition: An endpoint is any device that is physically an endpoint on a network. This means it communicates back and forth with the network it connects to. Endpoints do not host any network resources for other endpoints to connect to.
  Examples: Desktops, laptops, POS terminals

Server
  Definition: A server is a computer that processes requests and/or delivers data to other computers. A server processes requests or delivers data over the network it connects to. Servers share network resources with endpoints.
  Examples: Web, file, email, and database servers, including virtual machines and containers running at Yale or in cloud providers like AWS, GCP, and Azure

Mobile Device
  Definition: A mobile device is a portable, usually handheld, computer. Like endpoints, a mobile device communicates with the network it connects to. Mobile devices differ from endpoints in that they usually run mobile operating systems, and these mobile operating systems have different security requirements from endpoints.
  Examples: Smartphones, tablets

Network Printer
  Definition: A network printer is a printer connected to a network. Network printers receive their print jobs via a print server.
  Note: This does not include personal printers. Personal printers process print jobs through a physical connection to an endpoint.
  Examples: Papercut printers

Some Yale IT Systems are too complex in nature to solely rely on the MSS for their security requirements. We refer to these system types as “Critical IT Infrastructure”. The definition and requirements of Critical IT Infrastructure are found in Yale-MSS-1.4.

Know Your Risk / Risk Classification 

The second factor for applying the MSS is the risk of the work you’re doing. We refer to this as “Know Your Risk” or “risk classification”. Yale has three risk classification levels: high, moderate, and low. Risk classification is determined by:

  • The risk level of the data you’re working with. This is based on Yale’s Data Classification Policy.
  • How long you can be without the data or system to do your work (a.k.a. availability requirement).
  • Whether the data is subject to any external obligations (e.g. HIPAA, PCI).

For more information on finding your risk level, see our Risk Classification Guideline.

Once you know your system type and risk classification, you know which Minimum Security Standards you must meet. 

Examples

If you are using your laptop to access Yale data...

You know you have to meet the MSS for endpoints. You also need to meet the MSS for the risk of the work you are doing. So, for example, if you are using your laptop to access financial data, you are working with High Risk data. Your laptop would need to meet the High Risk MSS for endpoints.

If you are building an application to store Yale data...

You know you must meet the MSS for servers. You also need to meet the MSS for the risk of the data being stored. So, for example, if the application will be used by a researcher to store publicly available research data, the application needs to meet the Low Risk MSS for servers.
What is my role in applying the MSS at Yale?

What you need to know is based on how you interact with Yale Data and IT Systems. We have defined the following roles for implementing the MSS. You can hold one, some, or all of these roles depending on how you work at the University.

Once you know your role, choose the corresponding guideline to help you apply the MSS at Yale.

Users
  Description: Users are anyone who works with Yale Data or IT Systems. Users must know the risk of the work they are doing and use systems that meet the MSS for that risk level.
  Guideline: MSS for Users and User Support Providers

User Support Provider
  Description: A user support provider is someone who helps users with IT or Information Security issues. This includes anyone who identifies their role as an IT Support Provider. User support providers help users work securely by helping them find systems that match their risk level.
  Guideline: MSS for Users and User Support Providers

System Decision Maker
  Description: A system decision maker is the person responsible for the technical delivery of a Yale IT system. System decision makers are also known as the technical owner of a system. System decision makers are responsible for ensuring their system meets the Minimum Security Standards based on the system type and risk level.
  Guideline: Applying the MSS to IT Systems

System Support Provider
  Description: A system support provider is someone who provides support to a Yale IT system. This can be anyone who builds, hosts, or maintains a Yale IT System. System support providers are the ones configuring the system they support to meet the MSS.
  Guideline: Applying the MSS to IT Systems

Below is a collection of resources to help you understand and apply the MSS at Yale.

MSS for Users and User Support Providers

This page helps users understand how Yale’s Minimum Security Standards (MSS) apply to their everyday work at Yale.

View the MSS for Users and User Support Providers page

Applying the MSS to IT Systems

This page explains how to read, understand, and apply the Minimum Security Standards (MSS) to a system.

View the Applying the MSS to IT Systems page

MSS Key

Once you know your system type and classification, use the key to know which MSS apply to your IT System.

View the MSS key

MSS Calculator

The MSS Calculator helps you narrow down the MSS to only the requirements that apply to your IT System.

View the MSS calculator

Full MSS List

The Minimum Security Standards (MSS) are baseline requirements for securing Yale IT Systems.

View the full MSS list

Know Your Risk Toolkit

When you know the risk classification of the data and IT Systems you use, you will know if you are working securely.

View the Know Your Risk toolkit