Security Policies

Policy Quick Links

Vanderbilt University has developed information security policies and standards to protect university data and systems. These policies are applicable to the entire Vanderbilt community and should be revisited often to make sure that you are informed and aligned.

For a 1-page cheat sheet summary and a list of commonly asked questions, see the cheat sheet and FAQ page.

Cybersecurity Policy Cheat Sheet & FAQ page

View Here

See the below table for a full listing of approved security policies and their associated standards. Note that each policy has an effective date listed in the Administrative Information section. The effective date is when full compliance is expected

Policy Name	Key Topics	Associated Standard or Guideline Name	Key Topics
Appropriate Use of Technology Assets Policy	General use and ownership expectations Privacy policy reference Intellectual property, copyright infringement User fiduciary responsibilities Guest network access	BYOD Standard Inappropriate Use of Tech Assets Standard	Roles and responsibilities Device security and usage expectations Prohibited activities using VU systems, networks, email, and social media
Disaster Recovery Policy	Recovery tiers RTO, RPO, MTD Backups and recovery testing
Identity and Access Management Policy	Account lifecycle - create, review, disable, delete Authentication – passwords and MFA Access control - least privilege, RBAC
Incident Response Policy	What, when, and how to report incidents Incident response investigations and activities
Information Security Policy	Information Security Principles Governance framework Security training requirement Policy exceptions handling	Security Training Standard Encryption Standard	Training descriptions, intended audience, and frequency Social engineering (e.g., phishing test) Data at rest and data in transit Encryption key mgmt.
Secure Configuration Management Policy	Secure baseline configurations for varying OS versions Monitoring for deviation from baselines Baseline version maintenance and change control	Email Security Standard Network Security Standard	Appropriate email use expectations Approved email domains and servers Mass forwarding to non-VU domains Secure configuration of email servers, including approved email protocols Secure configuration of network devices Network segmentation and isolation Network logging Boundary protection and firewall mgmt. Public IP allocation Remote access
Secure IT Asset Management Policy	IT asset definition Secure mgmt. roles and responsibilities Secure mgmt. lifecycle - create/acquire, maintain/operate, destroy/retire Central IT asset inventory	Secure IT Asset Management Standard Media Sanitization Guideline	Details about an IT asset that must be in the central IT asset inventory Media sanitization decision flow Sanitization method examples List of VU processes for media sanitization
Security Logging and Monitoring Policy	Security monitoring and visibility, Endpoint Detection and Response Security logging, Security Information and Event Management (SIEM)
Security Risk Management Policy	Security risk assessment triggers and criteria Risk exposure, remediation, and escalation
Vulnerability Management Policy	Vulnerability scanning and remediation Threat intelligence gathering Penetration testing	Vulnerability Management Standard	Vulnerability mgmt. process Severity levels and remediation schedule

Not sure how to start?

Get in touch if you don’t know where to begin, you can’t find the guidance needed on the website, or if you just want to learn more. The Office of Cybersecurity has subject matter expertise and is here for Vanderbilt community to discuss security questions or concerns.

Get Security Help