Security Policies

Policy Quick Links

Vanderbilt University has developed information security policies and standards to protect university data and systems. These policies are applicable to the entire Vanderbilt community and should be revisited often to make sure that you are informed and aligned.

For a 1-page policy summary and list of commonly asked questions, see the Reference Guide and FAQ page.

Cybersecurity Policy Reference Guide & FAQ page

The table lists approved security policies and their associated standards.

Policy Name	Key Topics Included	Associated Standard or Guideline Name	Key Topics Included
Appropriate Use of Technology Assets Policy	General use and ownership expectations Privacy policy reference Intellectual property, copyright infringement User fiduciary responsibilities Guest network access	BYOD Standard	Roles and responsibilities Device security and usage expectations
Appropriate Use of Technology Assets Policy		Inappropriate Use of Tech Assets Standard	Prohibited activities using VU systems, networks, email, and social media
Disaster Recovery Policy	Recovery tiers RTO, RPO, MTD Backups and recovery testing
Identity and Access Management Policy	Account lifecycle: create, review, disable, delete Authentication: passwords and MFA Access control: least privilege, RBAC
Incident Response Policy	What, when, and how to report incidents Incident response investigations and activities
Information Security Policy	Information Security Principles Governance framework Security training requirement Policy exceptions handling	Security Training Standard	Training descriptions, intended audience, and frequency Social engineering (e.g., phishing test)
Secure Configuration Management Policy	Secure baseline configurations for varying OS versions Monitoring for deviation from baselines Baseline version maintenance and change control	Encryption Standard	Algorithms/protocols for data at rest and in transit Encryption key mgmt
		Network Security Standard	Secure configuration of network devices Network segmentation and isolation Network logging Boundary protection and firewall mgmt. Public IP allocation Remote access
		Email Security Standard	Appropriate email use expectations Approved email domains and servers Mass forwarding to non-VU domains Secure configuration of email servers, including approved email protocols
Secure IT Asset Management Policy	IT asset definition Secure mgmt. roles and responsibilities Secure mgmt. lifecycle - create/acquire, maintain/operate, destroy/retire Central IT asset inventory	Secure IT Asset Management Standard	Details about an IT asset that must be in the central IT asset inventory
Secure IT Asset Management Policy		Media Sanitization Guideline	Media sanitization decision flow Sanitization method examples List of VU processes for media sanitization
Security Logging and Monitoring Policy	Security monitoring and visibility, Endpoint Detection and Response Security logging, Security Information and Event Management (SIEM)
Security Risk Management Policy	Security risk assessment triggers and criteria Security risk exposure, remediation, and escalation
Vulnerability Management Policy	Vulnerability scanning and remediation Threat intelligence gathering Penetration testing	Vulnerability Management Standard	Vulnerability mgmt. process Severity levels and remediation schedule

Not sure how to start?

Get in touch if you don’t know where to begin, you can’t find the guidance needed on the website, or if you just want to learn more. The Office of Cybersecurity has subject matter expertise and is here for Vanderbilt community to discuss security questions or concerns.

Get Security Help