Information Security Policy

REASON FOR POLICY

This policy is intended to protect the information systems and services critical to academics, research, business operations, and the supported communities, including faculty, staff, students, and the public. These protections may be governed by legal, contractual, or University policy considerations. 

This policy establishes the shared responsibility for the University-wide information security governance and oversight to prevent misuse, damage, and unauthorized access (intentional and unintentional) of Vanderbilt-owned, Vanderbilt-purchased, or Vanderbilt-managed information assets (collectively called “VU Information Assets”). 

Information security policies will be reviewed on an ongoing basis with feedback collected from representatives across VU to understand new concerns and dynamic requirements to best serve the VU community and adhere to VU Information Security Principles. 

SCOPE

This policy applies to the entire Vanderbilt University community including, but not limited to, faculty, staff, students, contractors, post-doctoral fellows, post-doctoral trainees, temporary employees, and volunteers (collectively called “VU Community Members”). 

POLICY

1. INFORMATION SECURITY PRINCIPLES

  1. Secure and protect data – protecting the University and community’s personal, administrative, academic, and scholarly research data is a top priority
  2. Promote resilience to cyber-attacks – driving excellence across people, process, and technology to make Vanderbilt resilient to cyber-attacks
  3. Commit to information security as a shared responsibility – pursuing a security-aware culture with shared ownership amongst students, faculty, staff, and other stakeholders
  4. Ensure no harm is done to the academic and research mission – enabling intellectual freedom and business needs through informed and risk-based decision-making 
  5. Fulfill our duty towards community and society – upholding our legal, regulatory and University security and privacy obligations
  6. Foster education and awareness – meeting our obligation to educate, inform, and enable Vanderbilt Community Members to use information in a secure and compliant manner.

2. POLICY STATEMENTS

  1. INFORMATION SECURITY GOVERNANCE AND OVERSIGHT
    1. VU Leadership under the guidance of Vanderbilt’s Board of Trust has established a University-wide information security program to manage cybersecurity and resiliency of Vanderbilt information systems under the direction of the Enterprise Risk Committee (ERC).
    2. Enterprise Risk Committee (ERC) actively owns the information security program. It provides direction and assignment of information security responsibilities in accordance with Vanderbilt-internal, legal, and regulatory requirements.
    3. Information Security Committee (ISC) and IT Risk Committee (IRC) are delegated governance entities responsible for operational oversight of the information security program.
  2. ROLES AND RESPONSIBILITIES
    1. Chief Information Security Officer (CISO) - responsible for, and has authority over, governance and oversight of all information security relevant topics, activities, and policies across the University, including:
      1. Ensuring information security threats and vulnerabilities are identified and information security incidents are properly handled and responded to.
      2. Defining and implementing the information security training and awareness program to increase VU Personnel knowledge of information security responsibilities.
      3. Providing functional information security policies, standards, and guidelines aligned to NIST guidelines and standards (e.g., NIST CSF and NIST SP800-53).
      4. Establishing and enforcing security controls appropriate for safeguarding data based on the University’s Data Classification Policy.
    2. Vice Chancellors and Deans - responsible for ensuring that information security policies are reviewed, appropriate security controls or processes are implemented, and personnel are compliant within their areas of information security.
    3. VU Community Members - responsible for adhering to this and related policies with respect to the systems, technology, and data which they access, transmit, or store.
    4. Third-party Providers - responsible for compliance with all Vanderbilt information security and privacy controls. If non-public information is to be accessed or shared, these third parties should be bound by contract to abide by Vanderbilt’s information security and privacy controls.
  3. INFORMATION SECURITY AWARENESS AND TRAINING
    1. VU Community Members are responsible for completing cybersecurity training program requirements as defined by the Security Training Standard.
  4. EXCEPTIONS HANDLING
    1. VU Community Members are responsible for submitting any exception requests to this and related functional policies to the CISO for risk assessment.
    2. The CISO, or a delegate, will grant or deny the request commensurate with the Security Risk Management Policy and the University-wide risk escalation protocol, and will document the exception request details.
    3. If granted, the requesting VU Community Member is responsible for adhering to the conditions of the exception, which may include compensating controls or mitigating actions. The exception will remain granted for a period that is in keeping with the level of risk, but no more than one year. After the exception has expired, the VU Community Member must come into compliance or submit a request for renewal.
    4. If denied, the requesting VU Community Member is responsible for coming into compliance with information security policies and standards.

EXCEPTIONS

The VU Chief Information Security Officer (CISO) shall be the primary contact for the interpretation, monitoring, and enforcement of this policy. VU Community Members are responsible for submitting any exception requests to this and related functional policies to the CISO for risk assessment and acknowledgement. The CISO will work in collaboration with the VU Community Member(s) requesting an exception to determine the security risk and process the request. 

ENFORCEMENT

A user found to have violated this policy will be subject to appropriate disciplinary action. The Chief Information Security Officer will refer violations to university units, i.e., Student Accountability Office for students, the supervisor and Human Resources for staff, and the Dean of the relevant school for faculty or other teaching or research personnel, as appropriate. 

PROCEDURES

N/A

FREQUENTLY ASKED QUESTIONS

N/A

ADDITIONAL CONTACTS

Contact                       Email
The Office of Cybersecurity   cybersecurity@vanderbilt.edu