Search Information Security site


Information Security Risk Management (IS-RM) Program

IS-RM Assessment - General

The University of Virginia is committed to preventing incidents that may impact the confidentiality, integrity, and availability of information and IT resources.  In accordance with the Information Security of University Technology Resources policy, all departments are required to complete an annual risk assessment to evaluate the effectiveness of IT security controls within their environments.  This assessment is intended to guide your department in conducting the required risk assessment, which includes updating the department’s mission, business continuity plan, and disaster recovery plan.

Why the move to an electronic assessment?

The benefits of having an online IS-RM assessment:

  • Logged, audit-friendly record stored in a secure environment
  • Eco-friendly and with the convenience of online access
  • Centrally managed with saved answers from previous submissions

Because the IS-RM assessments are now an annual requirement, the new electronic assessment requires less time to complete.

Can I have a copy of the questions to reference while planning out my submission?

For a PDF copy of the IS-RM Assessment, please click here.  Please note that this paper copy CANNOT be submitted as your official IS-RM Assessment.

Our unit will not complete the IS-RM Assessment by March 1st, 2018.  Do I need to file an exception request?

No.  Please do your best to complete the IS-RM Assessment before the end of March, and reach out to us to establish a completion time if this is not possible.

What software does the new IS-RM assessment use?

University Information Security (InfoSec) uses Qualtrics, a UVA-licensed survey tool.

How do I get access to the IS-RM Assessment?

If you are the primary IT contact for your unit, you will receive an email from the IS-RM team out of Qualtrics with an individualized link to take the assessment.  If you have not received such an email by the end of October, and believe you should have received one, please contact our team at

Can I delegate authority to someone else in my department to answer a specific question?

Absolutely!  Just contact and we will help arrange the access.

What is, "an exception to the University Data Protection Standards"?

An exception is a documented deviation from UVA policies, standards, or procedures.

My unit needs an exception.  What does this mean for my assessment submission?

Indicate in the IS-RM assessment that you are making a request for an exception, and we will work with you to document or remediate the exception as is needed.

IS-RM Assessment - Usability

How do I save my answers?

Because the assessment is in Qualtrics, your answers are saved as soon as you enter them, without having to advance to the next page.

How do I get access to previous submissions (years)?

Unfortunately, the paper form submissions are not available online. Please contact for a PDF copy of a previous submission.  For future submissions, the online version of the previous submission will be available by contacting

Can I save a local copy?

Unfortunately no.  Once your department head approves the assessment's submission, we will be contacting you in order to provide you a PDF copy of the completed assessment.  If you would like to receive a copy before the approval of your department head, please contact

Can I duplicate an assessment in progress?

If you would like to duplicate an assessment in progress, please contact for options. 

I have multiple departments or organizational units, can I submit one assessment to cover multiple organizational units?

Yes.  In the Organization Description block, you can specify which units you would like the assessment to apply. 

Can multiple LSP’s work on the same IS-RM assessment?

Yes, but with caveats.  We do not recommend working on the same assessment simultaneously.  If one person is working on the same assessment form, answers could get overwritten or not properly saved.

Can I be editting multiple assessments at the same time?

Yes, each will need to be in their own browser window or tab.

Can I have multiple IS-RM assessments in progress?

Yes, you can.  We suggest using bookmarks to keep track of your assessments.  Alternatively, use the Table of Contents to navigate back to the Organization Description block. 

What do I do if I submitted the IS-RM assessment too early or I have some changes to make?

The assessment has a few review pages which encourage you to go over your answers prior to submission.  If you need to change your answers, please contact us at

I am not sure if my answers are correct.  Can University Information Security (InfoSec) review my answers before I submit the assessment?

Yes; if you have any concerns, please contact  We believe this will be unnecessary, because after you submit your assessment, we will review it, and then let you know when it's acceptable for you to send it to your department head for approval.

IS-RM Assessment - Navigation

Is there a Table of Contents option for navigating my assessment?

Yes, there is.  The Table of Contents can be accessed by clicking on: .  By selecting a block from the Table of Contents, you can easily navigate to different sections of the assessment.

What is a "block"?

A block is a set of related questions.  You can view the list of blocks for the IS-RM assessment by looking at the Table of Contents.

What does a check mark next to a block mean?

A check mark next to a block means that you have completed every question that was displayed to you.

How do I know when my assessment is complete?

If every block in the Table of Contents has a check mark next to it, then you have completed every section of the assessment.


Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security Office will evaluate the report and provide a full investigation.

Complete Report Form