Procedures

  • Access Control Management

    Introduction Safeguard 6 - Access Control Management Procedures 6.1 - Establish an Access Granting Process Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user. Virginia Tech manages access controls via its single sign-on (SSO) service and Duo 2-factor authentication. For procedures regarding integrating the SSO service, refer to the Middleware Services’ For procedures regarding setting up Duo as a user, see the Authenticating using Duo 2-Factor Authentication knowledge base article.

  • Account Management

    Introduction Safeguard 5 - Account Management Account management includes keeping track of accounts, appropriately granting permissions, and separating administrator accounts from everyday user accounts. Good account management is organized and centralized. Procedures 5.1 - Establish and Maintain an Inventory of Accounts An account inventory keeps track of all accounts, from standard users to administrators. Create a list of all accounts. Include whether or not the account is an administrator. Include the account owner’s name, username, start/stop dates, and department.

  • Application Access Controls

    Introduction The guides below cover application access controls. To see access control security standards for endpoint devices and servers, see the documentation on endpoint and server access control. At Virginia Tech, there are three requirements for all applications: Review existing application accounts and privileges at least annually. Enforce Virginia Tech Password Rules within applications. Require Duo 2-factor authentication for application users. See the Application 2-Factor Authentication documentation for more information. Procedure To change application passwords, consult the appropriate guide below.

  • Application Backups

    Introduction A good backup strategy will help you recover from a security incident quickly. Below are some backup procedures for applications that run on Linux, macOS, and Windows systems. For high risk applications, back up application data at least daily. For medium and low risk applications, back up data weekly. Encrypt backup data in transit and at rest. Exporting Database Data for Backup Certain applications require additional tools to export data in a format suitable for backing up.

  • Application Centralized Logging

    Introduction During an IT security incident, logs help determine what happened and when. Attackers often delete or modify local logs, so the IT Security Office requires remote, centralized logging for all medium and high risk applications. Procedure Meet the Standard for Information Technology Logging requirements. Forward logs to University Central or an IT Security Office authorized log server. Log servers should forward logs to the University Central log server. Resources Getting Started with Central Log Service (CLS)

  • Application Data Security Controls

    Introduction The use of data security controls ensures only those who are permitted access to a specific piece of data are able to access it. Data security control techniques include encryption, masking, and erasure. Procedures Encryption See Server Data Security Controls for procedures regarding SQL column encryption. See Application Firewall for firewall procedures. See Endpoint Encryption for endpoint encryption procedures. FISMA Compliance FISMA (The Federal Information Security Management Act) has a set of requirements to ensure your data is secure.

  • Application Developer Training

    Introduction At Virginia Tech, all developers of medium and high risk applications are required to stay up-to-date on the latest security trends by taking a security awareness training at least once per year. Virginia Tech provides free training for such employees. Virginia Tech Security Awareness Training Virginia Tech offers online IT security awareness training that can be requested through ServiceNow or found on PageUp. These trainings are best suited for any faculty, staff, or graduate students that wish to know more about Virginia Tech’s data security policies and standards, as well as information about current security trends, common attack methods, and how to defend against those methods.

  • Application Firewall

    Introduction This guide talks about the firewall in relation to your applications. While the other firewall guides talk about how to enable and configure your firewall, this one will go through how to allow applications through and the risks involved with doing so. Risks There are two main ways to allow an app through a firewall on most operating systems. Add an app to the list of allowed apps. Open a port.

  • Application Inventory

    Introduction Keeping an accurate, up-to-date application inventory list allows you, your department, and the IT Security Office to collaborate and quickly respond to security incidents. Procedure Maintain a list of applications used by your department. The application list should at least include the following details. What is the purpose of the application? What is the risk classification of the application (low, medium, or high)? Who is responsible for maintaining the application (name, email, and phone number)?

  • Application Patching

    Introduction Patching ensures that all software is up to date and known vulnerabilities have been remediated. Fixing vulnerabilities through patches helps keep the integrity of the system and deter hackers. Patching proactively updates software to consistently run the latest approved versions of the software. Patching is the process of supplying and applying patches to software. This includes the operating systems (OS), system software, browsers, desktop, laptops, common third-party applications, and any other applications that your company or department use.

  • Application Secure Software Development

    Introduction It is the job of application developers to design secure code in their projects. However, not all web developers are taught how to accomplish this. In order to secure an application, one must run security tests to find problem areas in the application code. Tests can be run through the use of static code scanners, which automate the security testing process for the developers. Additionally, it’s good to know the best practices for secure web development.

  • Application Security Review

    Introduction Security reviews provide a thorough overview of the current state of an application, server, or endpoint device and its security. All Virginia Tech applications should properly implement data security policies and standards to ensure integrity and authenticity. Compliance with these policies and standards strengthens application security by checking for software vulnerabilities and assessing security countermeasures. Application security reviews cover a multitude of important security concepts: Machine Documentation Systems inventory list Network map Firewall Verification Vulnerability Scanning Penetration Testing Network-based Applications Network traffic analysis Determine potential attack vectors Version checking Web-based Applications Injection attack testing Data policy compliance Version checking Upon requesting a security review, the IT Security Office will reach out to schedule a time to scan the applicable devices and establish the scope of the scan.

  • Application Software Security

    Introduction Safeguard 16 - Application Software Security Procedures 16.1 - Establish and Maintain a Secure Application Development Process Application code will be designed with security in mind, reducing and preventing security vulnerabilities. See Implementing Web Development Site Security for more information. All application code is to be reviewed for security vulnerabilities before deployment, preferably using static code analysis tools. All application vulnerabilities are to be resolved before deployment. Using Static Code Analysis Tools Install a static code analysis tool of your choice.

  • Application Two Factor Authentication

    Introduction 2-factor authentication (2FA) is a common security control that adds security to user accounts by requiring a secondary device to authenticate the user’s identity. This prevents any attempts to illegitimately login as another user, even with a correct password. Virginia Tech uses Duo 2-factor authentication as a part of its Single Sign-On (SSO) service. This enables users to authenticate their login attempts by either providing a code or verifying a “push” notification via the Duo mobile app.

  • Application Vulnerability Management

    Introduction Classifying Vulnerabilities There are four main types of vulnerabilities: Network vulnerabilities: Weaknesses in hardware, software, or operational processes that allow network access to unauthorized users. Operating system vulnerabilities: Weaknesses that originate from software mistakes, AKA bugs, in an operating system (OS) that cause an unintended action to be performed on a device. Application vulnerabilities: Weaknesses that originate from software mistakes in an application that cause an unintended action to be performed.

  • Audit Log Management

    Introduction Safeguard 8 - Audit Log Management Procedures 8.1 - Establish and Maintain an Audit Log Management Process Meet the Standard for Information Technology Logging requirements. 8.2 - Collect Audit Logs Use the Central Log Service provided by Virginia Tech to collect logs 8.3 - Ensure Adequate Audit Log Storage Review the Central Log Service documentation to appropriately set settings. 8.4 - Standardize Time Synchronization Review the Central Log Service documentation to appropriately set settings.

  • Continuous Vulnerability Management

    Introduction Safeguard 7 - Continuous Vulnerability Management Procedures 7.1 - Establish and Maintain a Vulnerability Management Process Contact the IT Security Office to set up a vulnerability management process and request vulnerability scanning 7.2 - Establish and Maintain a Remediation Process If any security incidents occur, contact the IT Security Office immediately. Then, patch the system in compliance with VT’s Minimum Security Standards Guidelines. 7.3 - Perform Automated Operating System Patch Management Windows You can manually install patches by going to settings on your device and checking for new updates.

  • Data Protection

    Introduction Safeguard 3 - Data Protection Data protection is a crucial component of cybersecurity. Through data management, risk classifications and protection measures are defined to meet compliance requirements and best protect sensitive information. It’s important to be able to locate sensitive information and securely remove it once it’s no longer needed. Procedures 3.1 - Establish and Maintain a Data Management Process A data management process addresses data sensitivity, assigns roles and responsibilities regarding data processes, and defines the processes for retaining and removing data.

  • Data Recovery

    Introduction Safeguard 11 - Data Recovery Procedures 11.1 - Establish and Maintain a Data Recovery process A data recovery process should address what data needs to be backed up, where it should be backed up to, and how often it should be backed up. See the list below for choosing a backup option based on your use case. Database Management Central Log Services BitLocker Protected Devices Network Backups Application Backups Server Backups Endpoint Backups Windows or Mac Computer Backups COE Dean’s Office CALS Department Business and Management 11.

  • Email and Web Browser Protections

    Introduction Safeguard 9 - Email and Web Browser Protections Procedures 9.1 - Ensure Use of Only Fully Supported Browsers and Email Clients Supported Browsers include Google Chrome, Mozilla Firefox, Microsoft Edge, and Safari. Supported Email Clients include Gmail and Outlook. 9.2 - Use DNS Filtering Service The IT Security Office maintains the DNS Filtering Services for Virginia Tech 9.3 - Maintain and Enforce Network Based URL Filters Contact your department’s IT office for more information.

  • Endpoint Backups

    Introduction A good backup strategy will help you recover from a security incident quickly. Below are some backup procedures for Linux, macOS, and Windows clients that you may use to securely back up Virginia Tech endpoint systems. Prerequisites In all instructions below, you must have: A computer running one of the listed operating systems. Backup device such as a local hard drive, Amazon Web Services S3 Bucket, Microsoft Azure Blob Storage, file server, SSH server, etc.

  • Endpoint Centralized Logging

    Introduction During an IT security incident, logs help determine what happened and when. Attackers often delete or modify local logs, so the IT Security Office requires remote, centralized logging for all high risk end points. Procedure Meet the Standard for Information Technology Logging requirements. Forward logs to University Central or ITSO authorized log server. Log servers should forward logs to the University Central log server. Other If you have questions that are not covered in this procedure, please contact the VT IT Security Office itso@vt.

  • Endpoint Configuration Management

    Introduction Configuration management is a process for maintaining computer systems, server and software in a certain desired state. It is a way to make sure a system performs as it is expected to as changes are made over time. It allows you to deploy apps, software updates and operating systems. Pros: Provides a high-quality software product. Provides a reliable, organized, cost effective and low risk software development application. Enhances software development life cycle process.

  • Endpoint Credentials and Access Control

    Introduction Building a Strong Password Building a strong password is one of the first and most important steps in ensuring no one but yourself and those you authorize can access your system. When creating and managing passwords, follow these rules to effectively balance convenience and security: Avoid using short, simple passwords. Instead, use: At least 3-4 words (or a minimum of 12 random characters) Capital letters Special characters (e.g. #,@!$%^&*()) Numbers Don’t reuse passwords.

  • Endpoint Data Security Controls

    Introduction The use of data security controls ensures only those who are permitted access to a specific piece of data are able to access it. Data security control techniques include encryption, masking and erasure. Encryption See endpoint-encryption FISMA Compliance FISMA (The Federal Information Security Management Act) has a set of requirements to ensure your data is secure. The National Institute of Standards and Technology Special Publication 800-53 has a set of guidelines that ensure you are FISMA compliant.

  • Endpoint Encryption

    Introduction Types of File Encryption There are two basic types of file encryption: Password Public Key Files may be encrypted with a password. When you encrypt a file with a password, anyone who knows the password may decrypt it. When you want to share files that have been encrypted with a password, you should call the recipient and provide the password over the phone. Files may also be encrypted with public keys.

  • Endpoint Equipment Disposal

    Introduction Endpoint device hard drives should be wiped before disposal. If they are not, VT data may be exposed to whomever obtains the device. Endpoint devices typically have at least one physical hard drive and possibly more drives configured in a logical RAID array. This procedure covers how to wipe each physical hard drive. Before following this procedure, you must know how many hard drives are in the device. Procedure Make sure to copy all the files that you wish to keep from the device.

  • Endpoint Firewall

    Introduction A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet. If your computer was a castle, this is the front gate. Nothing goes in or out without being approved by the Firewall. For the end user (you) most of this is already configured for you either by your internet service provider (Cox, Xfinity/Comcast, etc) or by your organization’s system administration, but since your computer is not always connected to secure networks, almost every operating system on the market is packaged with host-based firewalls that are typically enabled by default.

  • Endpoint Inventory

    Introduction Keeping an accurate, up-to-date endpoint inventory allows you, your department, and the IT Security Office to collaborate and quickly respond to security incidents. Procedure Register endpoints with your department’s inventory system. An inventory system should include the following things: What is the purpose of the endpoint? What software is the endpoint running? Where is the endpoint located? Building Room Portal Who is responsible for maintaining the endpoint? Name Email Phone number Update the inventory system annually.

  • Endpoint Malware Protection

    Introduction Using strong malware protection is important in keeping your device secure from vulnerabilities and attacks. This document will outline ways to ensure your device has malware protection. Windows Information on how to update your Windows system can be found in the knowledge base (KB) article on Endpoint Patching. macOS Information on how to update your macOS device can be found in the KB article on Endpoint Patching. Notarization According to Apple’s support website, notarization is defined as the following.

  • Endpoint Patching

    Introduction Patching is the process of applying updates to software. These updates correct security, reliability and usability issues. Patches may be applied to the operating system (OS), system software (such as database engines), and application software such as office productivity suites and web browsers. Procedures Microsoft Windows For Windows you can manually install patches by going to settings on your device and checking for new updates. If the system already has the latest version a message will display saying your computer or device is up to date.

  • Incident Response Management

    Introduction Safeguard 17 - Incident Response Management A cyber security incident is defined by the Department of Homeland Security as: An occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. Source: OMB M-17-12 Information Technology (IT) is responsible for:

  • Inventory and Control of Enterprise Assets

    Introduction Safeguard 1 - Inventory and Control of Enterprise Assets Keeping an accurate, up-to-date endpoint inventory allows you, your department and the IT Security Office to collaborate and quickly respond to security incidents. Procedures 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory Register endpoints with your department’s inventory system. An inventory system should include the following things: What is the purpose of the endpoint? What software is the endpoint running?

  • Inventory and Control of Software Assets

    Introduction Safeguard 2 - Inventory and Control of Software Assets Procedures 2.1 - Establish and Maintain a Software Inventory Maintain a list of applications used by your department. The application list should at least include the following details. What is the purpose of the application? What is the risk classification of the application (low, medium, or high)? Who is responsible for maintaining the application (name, email, and phone number)? Send the IT Security Office a list of high risk applications and their URLs (if applicable).

  • ITSO Approved Cryptographic Algorithms

    Introduction Virginia Tech departments conducting federally funded research must use NIST-approved cryptographic algorithms. However, the IT Security Office has approved other well-regarded cryptographic algorithms for other use cases. If you are not protecting data that is required to use NIST-approved algorithms, then you may also use these ITSO-approved algorithms. ITSO-Approved Cryptographic Algorithms If not conducting federally funded research and do not wish to use NIST-approved cryptographic algorithms, use one of the following ITSO-approved cryptographic algorithms:

  • Linux Systems Hardening

    While many Linux hardening measures are straight-forward (strong passwords that meet VT requirements, regular patching, host-based firewalls, etc.) some are not so obvious and may differ per Linux distribution or kernel. Here are some resources for hardening Linux systems that we find useful in the ITSO: > Centos - https://wiki.centos.org/HowTos/OS_Protection > Ubuntu - https://help.ubuntu.com/community/Security > Debian - https://www.debian.org/doc/manuals/securing-debian-manual CIS-CAT runs on Linux systems as well and can be used to further harden Linux systems.

  • Malware Defenses

    Introduction Malware is any type of software designed to interfere with a device’s normal functioning. It could be a virus, worm, spyware, ransomware, adware, and more. A malware infection can present itself in a number of ways: slowing down the infected device, adding unwanted software to the system, or sending phishing messages to contacts. Defending against malware is crucial to maintaining networks and endpoints and keeping personal information safe. Fortunately, anti-malware software is easy to maintain and highly effective, when configured appropriately.

  • Network Infrastructure Management

    Introduction Safeguard 12 - Network Infrastructure Management Procedures 12.1 - Ensure Network Infrastructure is Up-to-date This step is under construction. 12.2 - Establish and Maintain a Secure Network Architecture This step is under construction. 12.3 - Securely Manage Network Infrastructure This step is under construction. 12.4 - Establish and Maintain Architecture Diagrams This step is under construction. 12.5 - Centralize Network Authentication, Authorization and Auditing (AAA) This step is under construction.

  • Network Monitoring and Defense

    Introduction Safeguard 13 - Network Monitoring and Defense Procedures 13.1 - Centralize Security Event Alerting This step is under construction. 13.2 - Deploy a Host-Based Intrusion Detection Solution This step is under construction. 13.3 - Deploy a Network Intrusion Detection Solution This step is under construction. 13.4 - Perform Traffic Filtering Between Network Segments This step is under construction. 13.5 - Manage Access Control for Remote Assets This step is under construction.

  • Penetration Testing

    Introduction Safeguard 18 - Penetration Testing Penetration tests (pentests) use vulnerability scans but also go a step further by attempting exploitation of systems and devices to confirm the existence of vulnerabilities. This method of testing provides much more information by simulating what an actual attack would find. Procedures 18.1 - Establish and Maintain a Penetration Testing Program The VT IT Security Office (ITSO) offers custom penetration testing for departments via 4Help.

  • Secure Configuration of Enterprise Assets and Software

    Introduction Safeguard 4 - Secure Configuration of Enterprise Assets and Software Procedures 4.1 - Establish and Maintain a Secure Configuration Process This step is under construction. 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure This step is under construction. 4.3 - Configure Automatic Session Locking on Enterprise Assets Windows Computer Navigate to Settings > Accounts > Sign-in Options Make sure Require Sign-in is set to a time under 15 minutes macOS Computer Navigate to Menu > System Preferences > Security and Privacy Click Unlock to set preferences Make sure the require password after _____ checkbox is checked and the time is under 15 minutes Click the lock to save your preferences Linux Computer Debian Follow Gnome Screen Lock Procedure

  • Security Awareness and Skills Training

    Introduction Safeguard 14 - Security Awareness and Skills Training In a report by the IBM Cyber Security Intelligence Index, human error was reported to be a major contributor in 95% of successful cybersecurity attacks. Computer systems are as vulnerable as the people that use them. There are even types of attacks that rely on people’s trust called social engineering attacks. Phishing, for example, is when people are tricked into giving away sensitive information or installing malware because of a misleading message or website.

  • Server Backups

    Introduction A good backup strategy will help you recover from a security incident quickly. Below are some backup procedures for Linux and Windows servers that you may use to securely backup Virginia Tech server systems. Prerequisites In all instructions below, you must have: A computer running one of the listed operating systems. Backup device, such as local hard drive, AWS S3 Bucket, Microsoft Azure Blob Storage, file server, SSH server, etc.

  • Server Centralized Logging

    Introduction During an IT security incident, logs help determine what happened and when. Attackers often delete or modify local logs, so the IT Security Office requires remote, centralized logging for all medium and high risk servers. Procedure Meet the Standard for Information Technology Logging requirements. Forward logs to University Central or an IT Security Office authorized log server. Log servers should forward logs to the University Central log server. Other If you have questions that are not covered in this procedure, please contact the Virginia Tech IT Security Office at itso@vt.

  • Server Credentials and Access Control

    Introduction Servers can be targets for hackers thereforew it is important to have a strong protection against these threats. Common strategies for combating malicious threats include creating strong passwords and enabling 2-factor authentication for account access. Best Practices Unique Passwords for Each Account For each account you control, it is recommended to make your password unique to that account. If you have trouble keeping track of your passwords, try using a password manager like LastPass.

  • Server Data Security Controls

    Introduction The use of data security controls ensures only those who are permitted access to a specific piece of data are able to access it. Data security control techniques include encryption, masking and erasure. Procedures Microsoft SQL Column Encryption It is important to encrypt data on a server at the database level, these instructions will allow you to encrypt columns of data on a Microsoft SQL database. The following information is provided by the Microsoft Documentation Website.

  • Server Equipment Disposal

    Introduction Server hard drives should be wiped before disposal. If they are not, Virginia Tech data may be exposed to whomever obtains the server. Servers will have at least one physical hard drive and possibly more drives configured in a logical RAID array. This procedure covers how to wipe each physical hard drive. Before following this procedure, you must know how many hard drives are in the server. Procedure Make sure to copy all the files that you wish to keep from the server.

  • Server Firewall

    Introduction A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies. At its most basic, a firewall is essentially the barrier that sits between the host and the network. Procedures Windows Server Windows Server Firewall can be accessed via the Windows Defender Firewall with Advanced Security application. To access this, follow these instructions Open the search menu from the Windows start menu.

  • Server Intrusion Detection

    Introduction Virginia Tech’s IT Security Office runs a network intrusion detection system 24/7 that can help protect your computer. However it is important to run intrusion detection systems locally to provide an extra layer of defense. The Virginia Tech minimum security standards requires that some form of a security monitoring tool must be used. The following are options that may be used: Wazuh Security Monitoring Wazuh security monitoring is a service that provides security for server machines.

  • Server Inventory

    Introduction Keeping an accurate, up-to-date server inventory allows you, your department, and the IT Security Office to collaborate and quickly respond to security incidents. Procedure Register servers with your department’s inventory system. An inventory system should include at least these things: What is the purpose of the server? What software is the server running? Where is the server located? On-premise Cloud Who is responsible for maintaining the server? Name Email Phone number Send the IT Security Office a list of high risk servers.

  • Server Malware Protection

    Introduction Having strong malware protection on your server is an important part of not only keeping the server safe, but also the other computers that may be using that server. The Virginia Tech minimum security standards requires that some form of a security monitoring tool must be used. The following are options that may be used. Wazuh Security Monitoring Wazuh is a service that provides security monitoring for server machines. The platform features Endpoint Security, Threat Intelligence, Security Operations, and Cloud Security.

  • Server Patching

    Introduction A server is a computer application or device that provides services to other computers. It is important to patch servers as quickly as possible. You should apply critical and high severity security patches within seven days of their release and all other security patches within 90 days. Key factors for server patching are downtime, duration, and frequency. Instructions Windows Server For stand-alone servers, use Windows Update to automatically download and install patches.

  • Server Physical Protection

    Introduction Server physical security should be achieved through a multilayered approach, targeting safety, security, and maintenance. To have a physically secure server, one must consider the potential physical threats to a server: Intruders Vandalism Server access Accidents Fire Spills Falling Data theft Data tampering Server Hosting at Virginia Tech Most servers at Virginia Tech are hosted in the Andrews Information System Building (AISB) and managed by Business Application and Integration Services (BAIS).

  • Server Security Review

    Introduction Security reviews provide a thorough overview of the current state of an application, server, or endpoint device and its security. All Virginia Tech servers should properly implement data security policies and standards to ensure integrity and authenticity. Compliance with these policies and standards strengthens server security by assessing control access, checking for software vulnerabilities, and assessing security countermeasures. Server security reviews cover a multitude of important security concepts:

  • Server sysadmin Training

    Introduction Virginia Tech requires system administrators (sysadmins) to attend a security training course once per year to ensure they have a basic understanding of best practices for security at Virginia Tech. If you are interested in more training resources Virginia Tech offers, visit security.vt.edu. Virginia Tech also offers a wide range of training options on the PageUp Learning Management System. Virginia Tech Security Awareness Training The Virginia Tech offers online IT security awareness training that can be requested through 4Help or found on PageUp.

  • Server Two Factor Authentication

    Introduction 2-factor authentication is a common security control that adds security to user accounts by requiring a secondary device to authenticate the user’s identity. This prevents any attempts to illegitimately login as another user, even with a correct password. Virginia Tech uses Duo 2-factor authentication as a part of its Single Sign-On service. This enables users to authenticate their login attempts by either providing a code or verifying a “push” notification via the Duo mobile app.

  • Server Vulnerability Management

    Introduction Classifying Vulnerabilities There are four main types of vulnerabilities: Network vulnerabilities: Weaknesses in hardware, software, or operational processes that allow network access to unauthorized users. Operating system vulnerabilities: Weaknesses that originate from software mistakes (i.e. bugs) in an operating system that cause an unintended action to be performed on a device. Application vulnerabilities: Weaknesses that originate from software mistakes in an application that cause an unintended action to be performed.

  • Service Provider Management

    Introduction Safeguard 15 - Service Provider Management Procedures 15.1 - Establish and Maintain an Inventory of Service Providers This step is under construction. 15.2 - Establish and Maintain a Service Provider Management Policy This step is under construction. 15.3 - Classify Service Providers This step is under construction. 15.4 - Ensure Service Provider Contracts Include Security Requirements This step is under construction. Other If you have questions that are not covered in these procedures, please contact the VT IT Security Office itso@vt.