Search Information Security site


Information Security Risk Management (IS-RM) Program

IS-RM Survey - General

The University of Virginia is committed to preventing incidents that may impact the confidentiality, integrity, and availability of information assets.  In accordance with the University’s Information Security Risk Management Program (IS-RM) Policy, all departments are required to complete an annual risk assessment to evaluate the effectiveness of IT security controls within their environments.  This survey is intended to guide your department in conducting the required risk assessment, which includes updating the department’s mission, business continuity plan, and disaster recovery plan.

Why the move to an electronic survey?

The benefits of having an online IS-RM survey:

  • Logged, audit-friendly record stored in a secure environment
  • Eco-friendly and totally online
  • Centrally managed with saved answers from previous submissions

Because the IS-RM surveys are now an annual requirement, the new electronic survey requires less time to complete.

What software does the new IS-RM survey use?

University Information Security (UIS) uses Qualtrics, a UVA-licensed survey tool.

How do I get access to the IS-RM Survey?

If you are the IT Contact for your unit, you will receive an email from the IS-RM team out of Qualtrics with an individualized link to take the survey.  If you have not received such an email by the end of October, and believe you should have received one, please contact our team at

Can I delegate authority to someone else in my department to answer a specific question?

Absolutely!  Just contact and we will help arrange the access.

What is, "an exception to the University Data Protection Standard"?

An exception is a documented deviation from UVA policies, standards, or procedures.

My unit needs an exception.  What does this mean for my survey submission?

Indicate in the IS-RM survey that you are making a request for an exception, and we will work with you to document or remediate the exception as is needed.

IS-RM Survey - Usability

How do I save my answers?

Because the survey is in Qualtrics, your answers are saved as soon as you enter them, without having to advance to the next page.

How do I get access to previous submissions (years)?

Unfortunately, the paper form submissions are not available online. Please contact for a PDF copy of a previous submission.  For future submissions, the online version of the previous submission will be available by contacting

Can I save a local copy?

No.  Once your department head approves the survey submission, we will be contacting you in order to provide you a PDF copy of the completed survey.  If you would like to receive a copy before the approval of your department head, please contact

Can I duplicate a survey in progress?

If you would like to duplicate a survey in progress, please contact for options. 

I have multiple departments or organizational units, can I submit one survey to cover multiple organizational units?

Yes.  In the Organization Description block, you can specify which units you would like the survey to apply. 

Can multiple LSP’s work on the same IS-RM survey?

Yes, but with caveats.  We do not recommend working on the same survey simultaneously.  If one person is working on the same survey form, answers could get overwritten or not properly saved.

Can I be editting multiple surveys at the same time?

Yes, each will need to be in their own browser window or tab.

Can I have multiple IS-RM surveys in progress?

Yes, you can.  We suggest using bookmarks to keep track of your surveys.  Alternatively, use the Table of Contents to navigate back to the Organization Description block. 

What do I do if I submitted the IS-RM survey too early or I have some changes to make?

The survey has a few review pages which encourage you to go over your answers prior to submission.  If you need to change your answers, please contact us at

I am not sure if my answers are correct.  Can University Information Security (UIS) review my answers before I submit the survey?

Yes; if you have any concerns, please contact  We believe this will be unnecessary, because after you submit your survey, we will review it prior to sending it to the department head for approval.

IS-RM Survey - Navigation

Is there a Table of Contents option for navigating my survey?

Yes, there is.  The Table of Contents can be accessed by clicking on: .  By selecting a block from the Table of Contents, you can easily navigate to different sections of the survey.

What is a "block"?

A block is a set of related questions.  You can view the list of blocks for the IS-RM survey by looking at the Table of Contents.

What does a check mark next to a block mean?

A check mark next to a block means that you have completed every question that was displayed to you.

How do I know when my survey is complete?

If every block in the Table of Contents has a check mark next to it, then you have completed every section of the survey.



Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security Office will evaluate the report and provide a full investigation.

Complete Report Form