Security Policies

Vanderbilt University has developed information security policies and standards to protect university data and systems. These policies are applicable to the entire Vanderbilt community and should be revisited often to make sure that you are informed and aligned.

For a 1-page cheat sheet summary and a list of commonly asked questions, see the cheat sheet and FAQ page. 

Cybersecurity Policy Cheat Sheet & FAQ page

See the below table for a full listing of approved security policies and their associated standards. Note that each policy has an effective date listed in the Administrative Information section. The effective date is when full compliance is expected

Policy NameKey TopicsAssociated Standard or Guideline NameKey Topics
Appropriate Use of Technology Assets Policy
  • General use and ownership expectations
  • Privacy policy reference
  • Intellectual property, copyright infringement
  • User fiduciary responsibilities
  • Guest network access
  • BYOD Standard

  • Inappropriate Use of Tech Assets Standard
  • Roles and responsibilities
  • Device security and usage expectations

  • Prohibited activities using VU systems, networks, email, and social media

  • Disaster Recovery Policy
  • Recovery tiers
  • Backups and recovery testing
  • Identity and Access Management Policy
  • Account lifecycle - create, review, disable, delete
  • Authentication – passwords and MFA
  • Access control - least privilege, RBAC
  • Incident Response Policy
  • What, when, and how to report incidents
  • Incident response investigations and activities
  • Information Security Policy
  • Information Security Principles
  • Governance framework
  • Security training requirement
  • Policy exceptions handling
  • Security Training Standard

  • Encryption Standard
  • Training descriptions, intended audience, and frequency
  • Social engineering (e.g., phishing test)

  • Data at rest and data in transit
  • Encryption key mgmt.
  • Secure Configuration Management Policy
  • Secure baseline configurations for varying OS versions
  • Monitoring for deviation from baselines
  • Baseline version maintenance and change control
  • Email Security Standard

  • Network Security Standard
  • Appropriate email use expectations
  • Approved email domains and servers
  • Mass forwarding to non-VU domains
  • Secure configuration of email servers, including approved email protocols

  • Secure configuration of network devices
  • Network segmentation and isolation
  • Network logging
  • Boundary protection and firewall mgmt.
  • Public IP allocation
  • Remote access
  • Secure IT Asset Management Policy
  • IT asset definition
  • Secure mgmt. roles and responsibilities
  • Secure mgmt. lifecycle - create/acquire, maintain/operate, destroy/retire
  • Central IT asset inventory
  • Secure IT Asset Management Standard

  • Media Sanitization Guideline
  • Details about an IT asset that must be in the central IT asset inventory

  • Media sanitization decision flow
  • Sanitization method examples
  • List of VU processes for media sanitization
  • Security Logging and Monitoring Policy
  • Security monitoring and visibility, Endpoint Detection and Response
  • Security logging, Security Information and Event Management (SIEM)
  • Security Risk Management Policy
  • Security risk assessment triggers and criteria
  • Risk exposure, remediation, and escalation
  • Vulnerability Management Policy
  • Vulnerability scanning and remediation
  • Threat intelligence gathering
  • Penetration testing
  • Vulnerability Management Standard
  • Vulnerability mgmt. process
  • Severity levels and remediation schedule
  • question icon

    Not sure how to start?

    Get in touch if you don’t know where to begin, you can’t find the guidance needed on the website, or if you just want to learn more. The Office of Cybersecurity has subject matter expertise and is here for Vanderbilt community to discuss security questions or concerns.

    Get Security Help