Security Policies

Vanderbilt University has developed information security policies and standards to protect university data and systems. These policies apply to the entire Vanderbilt community; review them regularly to make sure you remain informed and in compliance.

For a 1-page policy summary and list of commonly asked questions, see the Reference Guide and FAQ page.

The table of approved security policies is reproduced below. Each entry lists the policy, its key topics, and any associated standard or guideline with that document's key topics.

Appropriate Use of Technology Assets Policy
  Key topics:
  • General use and ownership expectations
  • Privacy policy reference
  • Intellectual property and copyright infringement
  • User fiduciary responsibilities
  • Guest network access
  Associated standards:
  • BYOD Standard: roles and responsibilities; device security and usage expectations
  • Inappropriate Use of Tech Assets Standard: prohibited activities using VU systems, networks, email, and social media

Disaster Recovery Policy
  Key topics:
  • Recovery tiers
  • RTO, RPO, and MTD (recovery time objective, recovery point objective, and maximum tolerable downtime)
  • Backups and recovery testing

Identity and Access Management Policy
  Key topics:
  • Account lifecycle: create, review, disable, delete
  • Authentication: passwords and MFA
  • Access control: least privilege, role-based access control (RBAC)

Incident Response Policy
  Key topics:
  • What, when, and how to report incidents
  • Incident response investigations and activities

Information Security Policy
  Key topics:
  • Information security principles
  • Governance framework
  • Security training requirement
  • Policy exceptions handling
  Associated standards:
  • Security Training Standard: training descriptions, intended audience, and frequency; social engineering (e.g., phishing tests)
  • Encryption Standard: approved algorithms and protocols for data at rest and in transit; encryption key management

Secure Configuration Management Policy
  Key topics:
  • Secure baseline configurations for varying OS versions
  • Monitoring for deviation from baselines
  • Baseline version maintenance and change control
  Associated standards:
  • Email Security Standard: appropriate email use expectations; approved email domains and servers; mass forwarding to non-VU domains; secure configuration of email servers, including approved email protocols
  • Network Security Standard: secure configuration of network devices; network segmentation and isolation; network logging; boundary protection and firewall management; public IP allocation; remote access

Secure IT Asset Management Policy
  Key topics:
  • IT asset definition
  • Secure management roles and responsibilities
  • Secure management lifecycle: create/acquire, maintain/operate, destroy/retire
  • Central IT asset inventory
  Associated standards and guidelines:
  • Secure IT Asset Management Standard: details about an IT asset that must be recorded in the central IT asset inventory
  • Media Sanitization Guideline: media sanitization decision flow; sanitization method examples; list of VU processes for media sanitization

Security Logging and Monitoring Policy
  Key topics:
  • Security monitoring and visibility, including Endpoint Detection and Response (EDR)
  • Security logging, including Security Information and Event Management (SIEM)

Security Risk Management Policy
  Key topics:
  • Security risk assessment triggers and criteria
  • Risk exposure, remediation, and escalation

Vulnerability Management Policy
  Key topics:
  • Vulnerability scanning and remediation
  • Threat intelligence gathering
  • Penetration testing
  Associated standard:
  • Vulnerability Management Standard: vulnerability management process; severity levels and remediation schedule

Not sure how to start?

Get in touch if you don't know where to begin, can't find the guidance you need on the website, or just want to learn more. The Office of Cybersecurity has subject matter expertise and is here for the Vanderbilt community to discuss security questions or concerns.