Security Policy FAQ

The Office of Cybersecurity has developed policies and standards to set consistent expectations. Because there are many documents and a lot of information to digest, this page was developed to help simplify and summarize things for the Vanderbilt community. Below is a list of FAQs for commonly asked questions. These resources may change over time, so check back regularly.

FAQs

Question: What does the effective date mean?
Answer: A policy that is "in effect" is one that is enforceable and compliance is expected.

Reference document: All
Key words: effective date, compliance, enforcement

Question: Will enforcement and sanctions be imposed starting on the effective dates?
Answer: The CISO has the authority to enforce all policies and standards, but we also aim to be reasonable partners. We will be focusing on the priority requirements first. However, at any time, if there is evidence of obstinacy or an imminent threat to the university, the CISO reserves the authority to enforce in order to protect the institution.

Reference document: All, Information Security Policy
Key words: effective date, compliance, enforcement

Question: Why are there different policy effective dates?
Answer: Knowing that it may be difficult to comply with some of the more technically inclined policies immediately, deferred effective dates were established to give areas time to plan and strategize implementation. The Secure IT Asset Mgmt. Policy and Standard were further deferred to accommodate a new ITSM tool.

Reference document: All
Key words: effective date, compliance, enforcement

Question: What does "Priority Requirements" mean in the policy cheat sheet?
Answer: While there are multiple requirements in each policy and standard, users and areas should prioritize the items noted in this column. These will provide the biggest bang for the buck as far as increased security and reduced risk. They will also be Cybersecurity's primary focus.

Reference document: All
Key words: priority, effective date, compliance, enforcement

Question: What should I do if I cannot adhere to a security policy or standard?
Answer: Any deviation from a security policy or standard needs an approved security exception. Requestors should submit an exception request and they will be reviewed by the Office of Cybersecurity. Note, exceptions should be a rarity and will only be considered if:
  • Compliance would disrupt mission critical operations
  • IT asset cannot technically support the compliant solution
  • Compensating control(s) provide equivalent protection
  • Legacy IT asset is scheduled for retirement

Reference document: All, Information Security Policy
Key words: exception, risk, effective date, compliance, enforcement

Question: What should be included in an exception request?
Answer: The submitter should provide as much detail as possible to prevent delays from back and forth. A robust description of what they are trying to do and why they need to do it is particularly helpful. This explains the business justification and also helps puzzle out whether there are available alternatives that do not go against policy.

Reference document: All, Information Security Policy
Key words: exception, risk, effective date, compliance, enforcement

Question: Are there guidelines on the use of copyrighted material?
Answer: Yes. All copyrighted information retrieved from computer or network resources must be used in compliance with applicable copyright laws. Downloading or sharing of copyrighted materials such as digital images, music, movies, video games, and software, without appropriate permission, attribution, or license is considered a DMCA infringement. Engaging in such activities using Vanderbilt technology, including the Vanderbilt network, additionally violates institutional policy.

Reference document: Appropriate Use Policy
Key words: copyright, infringement, illegal, download, DMCA, Digital Millennium Copyright Act

Question: Who approves exception requests?
Answer: Cybersecurity Risk Analysts evaluate the submitted information and perform a risk assessment. Evaluated info is then escalated to Cybersecurity leadership for review. Based on the level of risk introduced, it will be granted or denied by the CISO or an authorized delegate.

Reference document: Information Security Policy
Key words: exception, risk, effective date, compliance, enforcement

Question: Can I use my personal cell phone to check and send emails?
Answer: Yes. Personal cell phones and tablets are allowed for de minimis university business such as university email and chat messaging, provided that the requirements outlined in the Device Security and Usage section of the BYOD Standard are met and sensitive data is not downloaded or stored on the phone. Such transient use is permissible and pre-approved.

Reference document: BYOD Standard
Key words: personal, BYOD, cell phone, mobile, email

Question: Can I download university-licensed software on my personal device?
Answer: Software licensed to the university should not be downloaded to a personally owned device unless the license specifically permits it, such as with Microsoft Office.

Reference document: BYOD Standard
Key words: personal, BYOD, software, download

Question: Why can't I store sensitive data on my personal device?
Answer: Unlike university owned and managed devices, personal devices do not have the university's security controls and tools implemented by default. If the device is lost or stolen, the university may not have the ability to prevent data exfiltration, investigate the incident, or recover lost data. Additionally, many federal regulations require VU to implement prescribed security controls. Personal devices are more likely to have security controls implemented incorrectly or inconsistently, which puts them at greater risk of noncompliance and exploitation.

Reference document: BYOD Standard
Key words: personal, BYOD, data, storage

Question: Can I use an external email client (e.g., Thunderbird)?
Answer: Possibly. Requestors should submit an exception request. Note: Use of IMAP may be permitted if modern authentication and encryption are used, and if the user attests that they will make email available to Cybersecurity for compliance and legal needs. POP is not allowed because it is an insecure legacy protocol.

Reference document: Email Security Standard
Key words: email, outlook, POP, IMAP, protocol

Question: Can I set up automatic mass email forwarding to another mailbox?
Answer: Possibly. Automatic mass forwarding to another internal VU email address is permitted. Automatic mass forwarding to an external, non-VU mailbox requires an approved security exception. This is due to an OGC and Faculty Affairs decision to preserve email data and to be able to produce data in response to potential litigation.

Reference document: Email Security Standard
Key words: email, outlook, forward

Question: Am I required to change my password if my account is compromised?
Answer: Yes. If the Office of Cybersecurity confirms password compromise, the account owner is required to change it immediately.

Reference document: Identity and Access Management Policy
Key words: password, account, compromise, change, expire

Question: What is a stale account and why does it need to be disabled/deleted?
Answer: Stale accounts are those that are no longer being actively used, for example, a departed employee. If stale accounts persist in our identity management system with continued access to VU resources, attackers can more easily leverage them without being detected and use them as a jump point for traversing the environment.

Reference document: Identity and Access Management Policy
Key words: account, lifecycle, IAM, access, disable, delete, unauthorized
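The answer above describes what makes an account stale but not how an administrator would find such accounts in practice. The following is an added example, not code from the Office of Cybersecurity or from the policy, that applies the two criteria the answer names (the owner has departed, or the account is no longer actively used) to a small constructed directory export. The 90-day inactivity threshold, the record fields, and the account names are assumptions made for the example; the Identity and Access Management Policy may define different values.

```python
from datetime import datetime, timedelta

# Constructed sample directory export (not real accounts). Each record carries the
# account name, the last interactive logon date (ISO format, or None if never used),
# and whether the identity system still shows the owner as an active member.
SAMPLE_ACCOUNTS = [
    {"name": "alice", "last_logon": "2024-05-30", "active_hr_record": True},
    {"name": "bob", "last_logon": "2023-11-02", "active_hr_record": False},  # departed, still enabled
    {"name": "svc-backup", "last_logon": "2024-01-10", "active_hr_record": True},
    {"name": "carol", "last_logon": None, "active_hr_record": True},  # never logged on
]

# Assumed policy parameter: days without a logon before an account counts as stale.
STALE_AFTER_DAYS = 90

# Fixed "today" so the sample run is reproducible (assumption for the example).
REFERENCE_DATE = datetime(2024, 6, 1)


def is_stale(account, today, stale_after_days=STALE_AFTER_DAYS):
    """Return a short reason if the account should be disabled, otherwise None."""
    # A departed owner is stale regardless of recent activity: any logon after
    # departure is itself a signal worth investigating, not a reason to keep access.
    if not account["active_hr_record"]:
        return "owner departed"
    # An account that has never been used has no legitimate activity to preserve.
    if account["last_logon"] is None:
        return "never used"
    last = datetime.strptime(account["last_logon"], "%Y-%m-%d")
    idle = today - last
    if idle > timedelta(days=stale_after_days):
        return f"inactive {idle.days} days"
    return None


def find_stale_accounts(accounts, today, stale_after_days=STALE_AFTER_DAYS):
    """Map each stale account name to the reason it was flagged."""
    flagged = {}
    for acct in accounts:
        reason = is_stale(acct, today, stale_after_days)
        if reason:
            flagged[acct["name"]] = reason
    return flagged


if __name__ == "__main__":
    for name, reason in find_stale_accounts(SAMPLE_ACCOUNTS, REFERENCE_DATE).items():
        print(f"{name}: {reason} -> disable")
```

In a real environment the records would come from a directory export (for example an AD user report with last-logon data joined to HR status) rather than an inline list; the flagged set is the review queue for disabling, and the "owner departed" case should be handled first because it is the one the answer singles out.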

Question: When is multi-factor authentication (MFA) required?
Answer: MFA should be used whenever available; however, it is required for all IT assets that house Level 3-4 data or for access to an IT asset's management interface for performing administrative functions.

Reference document: Identity and Access Management Policy
Key words: IAM, Duo, two-factor, access, account, unauthorized

Question: How do I report a security event?
Answer: The preferred method is the because it is directly routed to the Cybersecurity team and captures the necessary information. However, a report by any method is fine. The point is to report as quickly as possible, period.

Reference document: Incident Response Policy
Key words: incident, investigation, forensics, report, IR, alert, alarm

Question: What should I do while I wait for Cybersecurity to respond to my report?
Answer: Stop using the device in question immediately. Do not turn off the device, as this could result in the loss of valuable forensic evidence. Do not attempt to investigate or remediate the issue yourself, as this could damage the crime scene.

Reference document: Incident Response Policy
Key words: incident, investigation, forensics, report, IR, alert, alarm

Question: Can I get a public IP address?
Answer: Rarely. Requestors must submit an exception request and thoroughly justify why there is no other option. This is because public IP addresses are a common entry point for malicious actors. If the exception is approved, compensating controls will be required (e.g., IP must be behind the perimeter firewall).

Reference document: Network Security Standard
Key words: network, internet protocol, access, public, exception, risk

Question: Does VU have a policy on ChatGPT, OpenAI, or other generative AI?
Answer: VU HR has issued guidance on this topic: .

Reference document:
Key words: artificial, intelligence, large language model, machine learning, chatbot

Question: Is ChatGPT, OpenAI, or other generative AI allowed?
Answer: Mostly. Its use should adhere to the above published guidance, specifically ensuring that its use is ethical. If sensitive data will be ingested in the tool, strongly consider using Vanderbilt's private instance of ChatGPT, whereby data will stay within the university's control. Contact the VUIT Cloud Team for details. Note: uses of generative AI may be raised to the CISO and CIO.

Reference document:
Key words: artificial, intelligence, large language model, machine learning, chatbot

Question: Am I required to have the secure baseline configuration on my machine?
Answer: Yes. The baseline ensures that a minimum level of security is applied, and it reduces the likelihood of exploitable misconfigurations. All Windows 10 and macOS Ventura workstations in the administrative areas that are managed by VUIT already have the baseline. The most user-facing difference is the 15 min. screensaver timeout. Baseline deployment to the academic workstations is planned under the NSPM-33 project and will be deployed as that project rolls out.

Reference document: Secure Configuration Management Policy
Key words: computer, management, tool, install, settings

Question: What baselines are available?
Answer:
  • Tested and available: Windows 10, macOS Ventura, CentOS 7
  • Testing: Windows Server 2019 and Windows Server 2022
  • Under development: Windows 11, RHEL 7 & 8, Ubuntu 18.04 & 20.04

Reference document: Secure Configuration Management Policy
Key words: computer, management, tool, install, settings

Question: VUIT does not manage my device; how do I apply the baseline configuration on it?
Answer: If the device is in AD, it can be applied by the system's administrator in group policy. If it is not in AD, it must be manually applied. A website is being developed that will list available baselines and instructions. We will communicate when it is available. Contact it.risk@vanderbilt.edu with questions.

Reference document: Secure Configuration Management Policy
Key words: computer, management, tool, install, settings

Question: VUIT manages my device; can I remove my device from VUIT management?
Answer: No. VUIT ensures that devices under its management have the proper secure configuration and necessary incident detection and response tools installed (amongst other things). They do this not just at a point in time, but in an ongoing and consistent manner. Deviation from this would require an approved security exception and extremely robust justification.

Reference document: Secure Configuration Management Policy
Key words: computer, management, tool, install, settings

Question: Is there a list of approved software?
Answer: No. Items from the VUIT Software Store are OK to install; however, there is currently no official allow-list or deny-list. Project efforts are underway to advance in that direction over time, but support capabilities, such as tools and processes, are limited. Security concerns pertaining to software installation can be routed to Cybersecurity and they will be investigated on a case-by-case basis.

Reference document: Secure Configuration Management Policy
Key words: software, application, allow list, white list

Question: What IT assets need to be inventoried?
Answer: All university-owned IT assets, regardless of who manages them, must be inventoried. You can't secure what you don't know about.

Reference document: Secure IT Asset Management Policy
Key words: central, asset, inventory, repository, CMDB, Cherwell, SerVU

Question: How will IT assets be inventoried?
Answer: Assets managed by VUIT are already inventoried. Assets that are managed by departmental IT/local IT/etc. must be inventoried by them. Until the central IT asset inventory is ready, these inventories can be stored and maintained by whatever means makes sense, be that a tool or a spreadsheet. Once the central IT asset inventory is ready and processes developed, those inventories will need to be uploaded or integrated.

Reference document: Secure IT Asset Management Policy
Key words: central, asset, inventory, repository, CMDB, Cherwell, SerVU

Question: What details should be inventoried?
Answer: Relevant details can be found in the Standard, but at a minimum should include: IT Asset Type, Asset Name (hostname), OS version, and IT Asset Owner/Steward.

Reference document: Secure IT Asset Management Standard
Key words: central, asset, inventory, repository, CMDB, Cherwell, SerVU

Question: Do I have to have VU's security tools installed on my device?
Answer: Yes. All university-owned IT assets that are technically capable must have Cybersecurity tools installed. This is to support Cybersecurity's ability to detect and respond to security incidents in real time. The longer an intruder is in our house, the more damage they can inflict.

Reference document: Security Logging and Monitoring Policy
Key words: computer, management, tool, install, settings, monitoring, EDR, logs, vulnerability, scan

Question: What IT purchases must be submitted to VUIT/Cybersecurity for a third-party risk assessment?
Answer: All SaaS, IaaS, PaaS, regardless of cost or sensitivity of the data being shared. This is because we need to vet the vendor's security posture to ensure VU data will be protected on vendor systems. This process is typically initiated by Procurement or the purchasing area.

Reference document: Security Risk Management Policy
Key words: risk, TPRM, VRA, software, application, external

Question: What IT purchases do NOT need to be submitted to VUIT/Cybersecurity for a risk assessment?
Answer: Purchases from the Software Store, licenses for locally installed software (e.g., FlowJo, R), subscriptions to access external information libraries (e.g., Getty Images, Financial Times), and plug-ins.

Reference document: Security Risk Management Policy
Key words: risk, TPRM, VRA, software, application, external

Question: Who is required to take cybersecurity training?
Answer: Most staff are assigned Foundational Training with the exception of a few sub-populations (e.g., union, guest services, VTS). Some researchers are required to take Enhanced Training to comply with federal regulations (e.g., CUI). Trainees are automatically enrolled. Training issues should be routed to the (it.risk@vanderbilt.edu).

Reference document: Security Training Standard
Key words: awareness, course, enroll, assign, faculty, staff, post doc

Question: Why are training refreshers required annually?
Answer: Beyond it being good practice, many federal regulators and even our cybersecurity insurers require training annually at a minimum.

Reference document: Security Training Standard
Key words: awareness, course, enroll, assign, faculty, staff, post doc

Question: Am I required to patch my device?
Answer: Yes. All patches that address a security vulnerability must be applied. This is best accomplished by turning on automatic updates. VUIT handles this on behalf of customers for all devices under its management.

Reference document: Vulnerability Management Policy and Standard
Key words: computer, management, tool, install, monitoring, vulnerability, scan, configuration, severity, update

Question: What's the difference between patch management and vulnerability management?
Answer: They are related, but are distinct processes with different goals. Patch management is an operational process of applying changes to software or systems. These may include security fixes, but could also include feature updates that bring new functionality. Vulnerability Management is a security measure that identifies exploitable weaknesses. While a vulnerability may sometimes be fixed by a software patch, it could also involve changing a configuration setting, turning off or uninstalling unneeded services/apps, or moving an asset's location on the network. In other words, not all patches address a security issue and not all vulnerabilities are treated with a patch.

Reference document: Vulnerability Management Policy and Standard
Key words: computer, management, tool, install, monitoring, vulnerability, scan, configuration, severity, update

Question: When must I patch?
Answer: Once identified, security vulnerabilities must be mitigated within the timeframe defined in the Standard.

Reference document: Vulnerability Management Policy and Standard
Key words: computer, management, tool, install, monitoring, vulnerability, scan, configuration, severity, update

Question: What if patching would severely impact the device and the service it supports?
Answer: Any deviation requires an approved security exception, and compensating controls will be necessary to protect the rest of the institution.

Reference document: Vulnerability Management Policy and Standard
Key words: computer, management, tool, install, monitoring, vulnerability, scan, configuration, severity, update

Not sure how to start?

Get in touch if you don't know where to begin, you can't find the guidance needed on the website, or if you just want to learn more. The Office of Cybersecurity has subject matter expertise and is here for the Vanderbilt community to discuss security questions or concerns.