1. Virginia Tech Minimum Security Standards (MSS)

Virginia Tech’s Minimum Security Standards (MSS) establish baseline security controls for all university-owned systems and data. These standards ensure:

  • Protection of the confidentiality, integrity, and availability of university data.
  • Compliance with federal and state regulations, including FERPA and PCI DSS.
  • Reduction of risks across endpoint devices, cloud storage, and research infrastructure.

2. CIS IG2 Standards for the College of Engineering

The College of Engineering aligns its IT security strategy with Implementation Group 2 (IG2) of the Center for Internet Security (CIS) Controls. These controls are appropriate for organizations handling sensitive data and research environments.

We implement the following core IG2 controls:

  • Inventory and control of hardware & software assets.
  • Secure configuration of enterprise assets and software.
  • Continuous vulnerability management.
  • Data protection and encryption policies.
  • Role-based security awareness training.

3. Acceptable Use Policy (AUP)

All Virginia Tech users must adhere to the Acceptable Use Standard, which governs the responsible use of university IT resources.

Key Expectations:

  • Systems must be used only for university business, instruction, research, and public service.
  • Misuse of resources (e.g., hacking, unauthorized access, or personal gain) is prohibited.
  • Users must report any actual or suspected security incidents immediately.

4. FERPA & Data Protection Guidelines

The Family Educational Rights and Privacy Act (FERPA) mandates protections for student education records.

Virginia Tech’s guidelines require:

  • Encryption of student records both in transit and at rest.
  • Secure cloud storage via VT-provided platforms (e.g., OneDrive).
  • Prohibition on unencrypted file sharing via email.

5. Phishing & Scam Prevention

Phishing is one of the most common cyber threats targeting VT users.

Red flags to watch for:

  • Urgent or threatening tone (“Your account is suspended”).
  • Sender address doesn’t match VT email domains.
  • Requests for sensitive info like passwords or bank details.
  • Unusual links or attachments.

6. Endpoint Security & Device Protection

To comply with VT policy and COE IT strategy, endpoint devices (work and personal) must follow these standards:

  • Install university-approved antivirus software.
  • Apply regular security patches and system updates.
  • Enable multi-factor authentication (MFA) for all accounts.
  • Store data in VT-approved cloud services (e.g., OneDrive).
  • Use a VPN when accessing university services from public or home networks.

7. Secure Data Sharing Guidelines

When sharing data within research groups or with students:

  • Use approved cloud tools like Google Drive, OneDrive, or VT SecureShare.
  • Encrypt files prior to transmission.
  • Never email sensitive data without encryption.
  • Use permissions-based access with audit logs enabled.
  • Share only what is necessary ("least privilege" principle).

8. Business Continuity & Remote Work Security

For remote faculty, staff, and researchers:

  • Use Virginia Tech VPN when accessing internal systems.
  • Secure home Wi-Fi with WPA2/WPA3 encryption and strong passwords.
  • Avoid storing student or sensitive data locally.
  • Use encrypted Remote Desktop or remote-access tools.
  • Follow FERPA, data protection, and AUP policies at all times.