Search Information Security site

 

University Data Protection Standards (UDPS 3.0)

Table of Contents

1.  Purpose and Background
2.  Standards
     a) Using the Standards
     b) Data Sensitivity Classifications and Examples
     c) Acronyms Used
     d) Standards Grid
     e) Responsibility for Data
     f) Data in Transmission
     g) Data Storage and Destruction
     h) Shared Devices
     i) Individual-Use Electronic Devices
     j) Assessing and Managing Risk
3.  Definitions
4.  Related Links
5.  Exceptions

[Return to Library]

1.  Purpose and Background

The University of Virginia is strongly committed to maintaining the security and privacy of confidential personal information and other data it collects or stores. It expects all those who store such information to treat these data with the utmost care in order to protect the privacy and legal rights of the University community.  In order to guide University data users in achieving this objective, the University has developed these University Data Protection Standards (UDPS) to highlight the requirements for handling and protecting University data, whether the information is categorized as highly sensitive, moderately sensitive, internal use, or public.  To maximize the accessibility and usability of this document, the UDPS 3.0 is also available as a PDF.

This standard applies to all University data, and does not supplant federal and state laws and regulations, legal requirements, or contractual obligations for protecting data.  This standard applies to all users who electronically store, collect, transmit, oversee, or display University data.  As detailed in the Data Protection of University Information (IRM-003), all users must handle data in compliance with the UDPS. Moreover, following these standards is consistent with the University's standards for Highly Sensitive Data Protection Standard, Highly Sensitive Data Protection Procedures and Records Management policies.

[Table of Contents]

2.  Standards

USING THE STANDARDS

The University Data Protection Standards are divided into different functional groups. For each function, there is a defined standard based on the sensitivity of the data involved. These are intended to be baseline standards. Applying stricter controls may provide additional security. For example, an executive data steward may designate otherwise moderately sensitive data under his or her responsibility as highly sensitive for purposes of these standards.  To determine which standard applies in a given instance:

  1. Determine the sensitivity level of the data involved, whether it is highly sensitive, moderately sensitive, internal use, or public.
  2. If a system or device contains data of different sensitivity levels, the standards for the most sensitive data on the system or device must be followed for the entire system or device.
  3. For any standard labeled “recommended, but not required,” the standard should be followed unless there is a strong, documented justification for not doing so.

Data Sensitivity Classifications and Examples

The Data Protection of University Information (IRM-003) establishes four data classifications of sensitivity: highly sensitive data, moderately sensitive data, internal use data, and public data.  Listed in the table that follows are examples of data within each classification:

Highly Sensitive Data

Highly sensitive data are explicitly defined in the University’s Data Protection of University Information (IRM-003) policy.

Examples:

  • Any personal information that can lead to identity theft if exposed, e.g. Social Security numbers, passport numbers, driver’s license numbers, financial account numbers
  • Any form of personally identifying information (PII) in combination with social security number (SSN), driver’s license number, passport number and/or financial account number.  For example, computing ID and driver’s license number, or home address and SSN
  • Medical information that reveals an individual’s health condition or medical history; this includes, but is not limited to, HIPAA-protected information
  • Any store or file of passwords or user-ids and passwords on any multi-user system or computer

Moderately Sensitive Data

Moderately sensitive is the default classification for all data that is not explicitly defined as highly sensitive data, may be held from release under FOIA, or that is not intended to be made publicly available.

Examples:

Internal Use Data

Internal use data is classified as a public record available to anyone in accordance with the Virginia Freedom of Information Act (FOIA) but is not intentionally made public (see the definition of public data).  For a complete list, see Code of Virginia § 2.2-3700 Virginia Freedom of Information Act.

Examples:

  • Salary information
  • Contracts
  • Specific email correspondence not otherwise protected by a FOIA exemption

Public Data

Public data is intentionally made available to the public

Examples:

  • Data intended for a public web site
  • All information in the University’s Common Data Set
  • Data available from Financial Reports available as a subset of the President’s Reports Archive

 

 

Acronyms Used

The following acronyms are used throughout this document. Occasionally, other acronyms may appear that are hyperlinked to additional relevant information.

FERPA: Family Educational Rights and Privacy Act (protects student information)

FOIA:  Virginia Freedom of Information Act

HIPAA: Health Insurance Portability and Accountability Act (protects patient information)

Health IT: Health Information and Technology

InfoSec: University Information Security office

IT: information technology

ITS: Information Technology Services

VP: Vice President

University Data Protection Standards

The following tables are divided into six areas of data protection:

Each table must be carefully reviewed to determine all standards that apply to a particular data set and/or scenario.

Responsibility for Data

Role

Highly Sensitive Data

Moderately Sensitive Data

 Internal Use Data

Public Data

UVA Information Security Office

Approve requests from faculty and staff to store highly sensitive data on individual-use computers, mobile devices, and electronic media. 

UVA Information Security must review and approve any request to store HSD on individual-use devices or media.

No explicit requirement.

No explicit requirement.

No explicit requirement.

Evaluate requests from faculty and staff to store highly sensitive data on individual-use electronic devices and electronic media to confirm that such storage is necessary to meet essential departmental needs.

Forward confirmed requests to the appropriate VP or Dean for approval.

No explicit requirement.

No explicit requirement.

No explicit requirement.

Evaluate requests to outsource the management, storage, transmission, and/or collection of highly sensitive data.  This review and approval may involve the Health Information and Technology when appropriate.

When outsourcing, departments may use University-contracted services designated for this data classification (e.g. UVaBox).   Any other outsourcing requires review and approval by UVA Information Security, the same as is required for HSD.

Consultation with UVA Information Security recommended, but not required.

No explicit requirement.

Vice Presidents and Deans

Accountable for the security of highly sensitive data stored on shared and individual-use electronic devices, electronic media, and physical media used by their departments, faculty and staff as detailed in University Use of Highly Sensitive Data

Same as for highly sensitive data.

Accountable for the security and integrity of data stored and used by their departments, faculty, and staff.

Same as for Internal Use Data.

Approve requests from faculty and staff to store highly sensitive data on individual-use computers, mobile devices, and electronic media. 

UVA Information Security must review and approve any request to store HSD on individual-use devices or media.

No explicit requirement.

No explicit requirement.

No explicit requirement.

Approve any plans within the associated departments to outsource management of highly sensitive data, including applications and/or computing devices housing such data, to parties’ external to the University.

UVA Information Security office must review and approve any outsourcing that involves highly sensitive data.  This review and approval may involve the Information Security Office within Health Information and Technology when appropriate.

When outsourcing, departments may use University-contracted services designated for this data classification (e.g. UVaBox).   Any other outsourcing requires review and approval by UVA Information Security, the same as is required for HSD.

Consultation with UVA Information Security recommended, but not required.

No explicit requirement.

Department Managers and Chairs (e.g. direct reports to VPs and Deans; Directors)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Department Managers and Chairs (e.g. direct reports to VPs and Deans; Directors)

 

 

 

Hire highly skilled IT professionals [scroll to appropriate career path description] to administer departmental computers on which highly sensitive data are stored. Make information security a top priority for IT staff, and ensure they have sufficient time, authority, and on-going training to address information security needs.

Same as for highly sensitive data.

Highly recommended, but not required..

No explicit requirement.

Evaluate requests from faculty and staff to store highly sensitive data on individual-use electronic devices and electronic media to confirm that such storage is necessary to meet essential departmental needs.  
Evaluation must include consultation with, and approval from UVA Information Security before forwarding to the VP or Dean for approval.

Forward confirmed requests to the appropriate VP or Dean for approval.

Review and approval from UVA Information Security is recommended but not required.

No explicit requirement.

No explicit requirement.

Evaluate requests to outsource management, storage, transmission, and/or collection of University data. UVA Information Security office must review and approve any outsourcing that involves highly sensitive data.  This review and approval may involve the Information Security Office within Health Information and Technology when appropriate.

Same as for highly sensitive data.

Highly recommended, but not required.

No explicit requirement.

Maintain an updated inventory of departmental servers storing highly sensitive data (including device name and physical location) on file with UVA InfoSec, which will share the inventory with the Information Security Office within Health Information and Technology as appropriate.

Maintain an updated local inventory of all storage locations of highly sensitive data, including paper, electronic backups, and individual-use electronic devices and media. The inventory should include specific room and/or file cabinet locations and be kept in a secure, locked location. HSD on paper media must be stored securely as outlined in the Records Management Policy.

Comply with Information Security Risk Management Standard.

Same as for moderately sensitive data.

No explicit requirement.

In the event of a security incident, verify that it has been reported in accordance with the University’s Reporting an Information Security Incident standard, and provide staff and funding needed to:

  • determine risk of data exposure,
  • notify affected individuals that their personal information was exposed,
  • provide credit monitoring, and
  • operate a hot line for questions.

All incident response efforts must be conducted in consultation with UVA Information Security.

In the event of a security incident, verify that it has been reported in accordance with the University’s Reporting an Information Security Incident standard

 

Same as for moderately sensitive data.

Same as for moderately sensitive data.

Individual departments are required to follow additional external data protection standards where applicable. Although the UPDS are based on best practices, compliance with the UDPS does not necessarily substitute for compliance with legal regulations and requirements such as, but not limited to:

  • HIPAA (Health Insurance Portability and Accountability Act),
  • HITECH (Health Information Technology for Economic and Clinical Health) Act,
  • FERPA (Family Educational Rights and Privacy Act),
  • GLBA (Gramm-Leach-Bliley Act, common title of the Financial Services Modernization Act (FSMA)),
  • PCI-DSS (Payment Card Industry Data Security Standard (PCI-DSS),
  • Requirements for Classified Data, and
  • various grant requirements.

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data.

Faculty, Staff, Student Workers, Contractors, and Other Affiliates Granted Access to University Data

 

 

 

 

Obtain department chair and VP/Dean (or designee) approval to store highly sensitive data on any individual-use electronic devices and media and meet all security requirements specified in the Highly Sensitive Data Protection Standard and  and the Highly Sensitive Data Protection Procedures

Before seeking department chair and VP/Dean approvals, consultation with, and approval from UVA Information Security is required.  Email them at it-policy@virginia.edu

No explicit requirement.

No explicit requirement.

No explicit requirement.

Must ensure that University-owned workstations under their control are configured and administered in accordance with the Elevated Workstation Privileges Standard

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data.

Must complete faculty or staff information security and privacy awareness training annually, including acceptance of the electronic access agreement. Training specifically for Medical Center employees is provided through NetLearning.

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data.

IT Personnel (e.g. ITS technical staff, Local Support Partners [LSPs], and other staff with IT responsibilities)

 

In addition to the responsibilities required of all staff, IT personnel are also responsible for

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data.

 

Data in Transmission

Transmission Method

Highly Sensitive Data

Moderately Sensitive Data

Internal Use Data

Public Data

Via Email and Email Attachments

 

Not permitted, except with Health IT provisioned accounts 1) involving provider/patient communications conducted in accordance with guidelines posted on the Health System Privacy Office web site, or 2) by approved academic and administrative users in accordance with approved guidelines.

Not recommended if the personal data (not explicitly defined as highly sensitive) of multiple individuals are involved, e.g. student names and grades for a class.

 

No explicit requirement.

No explicit requirement.

Other Messaging Services (e.g. voicemail, texts, chat, Lync, Skype, FaceTime, Blackboard Collaborate)

 

Not permitted unless written approval has been granted by UVA Information Security office and relevant UVA offices, such as Health IT information security office, and the IRB-HSR.

Not recommended if the personal data (not explicitly defined as highly sensitive) of multiple individuals are involved, e.g. student names and grades for a class.

 

No explicit requirement.

No explicit requirement.

Via Fax

Not permitted unless

1) receiving fax machine is in a restricted-access location, (1b) the intended recipient is clearly indicated, and (1c) that recipient has been alerted to the pending transmission and (1d) is available to pick it up immediately and (1e) promptly communicates secure reception; or
2) utilizing an IS- or Health IT-approved secure server-based fax system.

Same as for highly sensitive data if the personal data of multiple individuals are involved, e.g. student names and grades for a class. Otherwise, no explicit requirement.

 

No explicit requirement.

No explicit requirement.

Via Other Electronic Transmissions

(e.g. SecureFX, SecureFTP, S-HTTP, PGP. HTTPS)

 

Transmission channel must be encrypted using industry standard encryption technologies. Source and destination devices must be appropriately secured and approved for storage of HSD.

Same as for highly sensitive data if the personal data of multiple individuals are involved, e.g. student names and grades for a class. Otherwise, encryption recommended, but not required.

Encryption recommended, but not required.

No explicit requirement.

 

Data Storage and Destruction

Storage Type

Highly Sensitive Data

Moderately Sensitive Data

Internal Use Data

Public Data

Storage in General Purpose Electronic File and Workspaces (e.g. Home Directory, UVA Collab, Sharepoint, UVaBox, OneDrive, shared server drives)

Not permitted, except on the shared drives designated for highly sensitive data that are managed by ITS or Health IT; access to such data must be restricted to only those individuals who require it in order to perform job duties and must be promptly revoked when an individual leaves the University or changes job function for which access is no longer essential.

Contact it-policy@virginia.edu for specific guidance on University electronic file and workspaces explicitly designated for storage of highly sensitive data.

Not permitted on storage external to the University (e.g. cloud vendors like DropBox, Google Drive, or third party hosts) unless properly approved and contracted as described under “Responsibility for Data.”

Not permitted unless access to data is granted to the least number of people possible and is promptly revoked when an individual leaves the University or changes job function for which access is no longer essential.

Not permitted on storage external to the University (e.g. cloud vendors like DropBox, Google Drive, or any other third party hosts) unless 1) using a University-contracted service designated for this data classification (e.g. UVaBox, OneDrive) or, 2) third party host or service has been reviewed and approved as described under “Responsibility for Data.

Not permitted on storage external to the University (e.g. cloud vendors like DropBox, Google Drive, or any other third party hosts) unless 1) using a University-contracted service designated for this data classification (e.g. UVaBox) or, 2) third party host or service has been reviewed and approved as described under “Responsibility for Data.

No explicit requirement.

Physical Media

(e.g. printed material, completed forms, microfilm)

Printing not permitted unless the printer is securely configured either 1) in a restricted-access location and someone authorized to see the information is available to pick up the printout immediately, or 2) with password-secured printout release.

Same as for highly sensitive data if the personal data of multiple individuals are involved, e.g. student names and grades for a class.

Otherwise, no explicit requirement.

 

No explicit requirements.

No explicit requirement.

Follow the University Physical Records Storage Standards for HSD.

Follow the University Physical Records Storage Standards for MSD

Follow the University Physical Records Storage Standards requirements for MSD.

 

Follow the University Physical Records Storage Standards.

 

Destruction of Electronic Data and Physical Media

 

Securely store and destroy in accordance with the University’s Electronic Data Removal Standards and Electronic Data Removal Procedures  and Records Management Policy.

Same as for highly sensitive data.

Same as for highly sensitive data.

Follow the Records Management Policy.

 

 

Shared Devices (E.G. Servers, Network Attached Storage, Disk Arrays)

Control

Highly Sensitive Data

Moderately Sensitive Data

Internal Use Data

Public Data

Basic Security Configuration

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Basic Security Configuration

 

Operating system must be configured according to current best information security practices. Sources for such standards include the OS vendor, the Center for Internet Security, Security of Network Devices standard and others. Variances and exceptions must be documented and approved as required by the Security of Network Devices standard

Policy-based hardening through a console-based configuration manager (e.g. Microsoft’s System Center Configuration Manager) is recommended.

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data.

Only those versions of operating systems and network-aware applications actively supported by their vendors or open source community must be used. Variances and exceptions must be documented and approved as required by theSecurity of Network Devices standard

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data.

Operating systems and network-aware applications must be patched to the most current security level provided by their vendors. Patches should be expediently tested and, if viable, promptly applied.

Variances and exceptions must be documented and approved as required by the Security of Network Devices standard

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data.

All network aware applications and services not essential to the server’s purpose or administration must be deactivated.

For each server, the department must maintain a list of active applications and services, with a documented purpose for each.

Same as for highly sensitive data

Same as for highly sensitive data.

Same as for highly sensitive data.

Data files must be isolated (on separate servers) from all Internet-facing programs and services, e.g. Web and file transfer.

Same as for highly sensitive data if the personal data of multiple individuals are involved, e.g. student names and grades for a class. Otherwise, no explicit requirement

No explicit requirement.

No explicit requirement.

Remote Desktop Protocol (RDP) must be turned off on all devices except where the department has a documented business reason for using it, and the device resides behind a hardware firewall. If using RDP from off‑grounds, it must be tunneled through a UVA-supported VPN.

Same as for highly sensitive data.

 

Same as for highly sensitive data.

Same as for highly sensitive data.

Device must be located behind a hardware firewall configured by a highly skilled IT professional [scroll to appropriate career path description] and approved by the UVA Information Security office or the Health Information and Technology office as appropriate.

Same as for highly sensitive data if the personal data of multiple individuals are involved, e.g. student names and grades for a class. Otherwise, device must have software firewall activated.  Location behind a hardware firewall (e.g. on the More Secure Network) is recommended.

 

Device must have software firewall activated. Location behind hardware firewall (e.g. on the More Secure Network) is recommended.

 

Device must have software firewall activated. Location behind hardware firewall is recommended.

 

Server Access Permissions

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Server Access Permissions

 

Granted to the fewest number of people possible. Access is promptly revoked (within one business day) when an individual leaves the University or changes job function for which access is no longer essential. Access lists must be systematically reviewed at least annually.

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data

Administrator and user passwords meet or exceed recommended length and/or complexity levels.
User passwords must never be shared with anyone.
Administrator passwords must never be shared, with this one exception: passwords for administrator accounts that may need to be accessed in the absence of their normal administrator or in an emergency situation must be securely escrowed (i.e. using documented procedures for storage and retrieval, store passwords in a restricted-access location accessible by a member of the unit’s senior management).

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data.

Except as noted below, two-factor authentication, e.g. UVA identity token and password, is required for all individuals granted access. The implementation method for two-factor authentication must meet standards approved by the UVA Information Security office.

Exception: For access to shared devices managed by Health Information and Technology office, HIPAA-compliant authentication methods established by that department must be used.

Two-factor authentication required for server administrators.

Two-factor authentication is recommended but not required for all individuals for those accessing services and data on server if the personal data (not explicitly defined as HSD) of multiple individuals are involved, e.g. student names and grades for a class.

Same as for moderately sensitive data.

Two-factor authentication required for server administrators.

Security logging is enabled and reviewed frequently to detect and/or investigate potential information security breaches. Compliance must include use of automated alert tools.

Security logging is enabled and reviewed frequently to detect and/or investigate potential information security breaches.  Recommended by not required to use automated alert tools.

Same as for moderately sensitive data.

Same as for moderately sensitive data.

All accesses to data covered by HIPAA are logged according to those regulations.

N/A

N/A

N/A

Recovery and Physical Security

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Recovery and Physical Security

 

Servers must be located in locked server racks in data centers managed by ITS or Health IT, or in a departmental machine room that is physically restricted, has a double-locked door, with card access and access logging.

Same as for highly sensitive data if the personal data of multiple individuals are involved, e.g. student names and grades for a class. Otherwise, recommended but not required that servers be located in locked server racks in ITS or Health IT data centers if space is available.

If located outside of a data center, the room must be physically restricted (locked when unattended).  Recommended, but not required to have a double-locked door, with card access and access logging.

Backup media must be locked when unattended.

The department administering the servers must provide appropriate physical security for these devices and backup media.  Consultation with UVA Information Security is recommended but not required.

 

The department administering the servers must provide appropriate physical security for these devices and backup media.

 

Regular server backups must be taken.  Frequency and duration of storage of backups will depend upon several factors, including, but not limited to, the business continuity and/or disaster recovery plan, University policy, contractual, regulatory, or other compliance requirement(s) that are associated with the data in question.

Backup files must be kept in

  • ITS-managed or Health IT-managed secure backup storage locations,
  • a vendor provided storage service that has been reviewed and approved by the University Records Management Office (URMO), or UVA Information Security as appropriate
  • a departmental room that is physically restricted, with a double-locked door, with card access and access logging.

Regular server backups must be taken.

 

Recommended but not required that backup files be kept in

If backup files are kept in a departmental room, it must be physically restricted (locked when unattended.  Recommended but not required is the room to have a double-locked door, with card access and access logging.

 

Same as for moderately sensitive data.

No explicit requirement.

Other Server Requirements

 

 

Other Server Requirements

Network registration information, such as contact information, is kept up to date.

Same as for highly sensitive data.

 

Same as for highly sensitive data.

 

Same as for highly sensitive data.

 

Security concerns related to server-hosted applications will be identified and resolved on an individual basis by the department in consultation with the UVA Information Security (InfoSec) and ITS. Health IT will be involved in the consultation if appropriate.

Same as for highly sensitive data.

 

Security concerns related to server-hosted applications will be identified and resolved on an individual basis by the department – if desired, in consultation with the UVa InfoSec, ITS, and if appropriate, Health IT.

Same as for internal use data.

Additional security safeguards may be required depending upon the specific applications and services provided by the servers.

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data.

SCANNING

Servers, connecting devices, and web applications are periodically tested with a standard set of information security assessment tools, including

Web application vulnerability scans (e.g., WebAppScan) must be performed and remediated before any web application is released into production, when the application is modified, and at least bi-monthly thereafter.

Same as for highly sensitive data, except scanning periodicity is quarterly.

Same as for highly sensitive data, except scanning periodicity is quarterly.

Same as for highly sensitive data, except scanning periodicity is quarterly.

 

Individual-Use Electronic Devices

(E.G. Desktop Computers, Laptops, Tablets, Smart Phones, Mobile Devices)

Control

Highly Sensitive Data

Moderately Sensitive Data

Internal Use Data

Public Data

Security Configuration Requirements

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Basic Security Configuration

 

 

 

 

 

To store highly sensitive data on individual-use electronic devices and media, users MUST:

1. Obtain approval from:

  1. UVA Information Security office
  2. Departmental chair or designee
  3. VP or Dean (or designee) responsible for the department.

2) meet all requirements, including encryption, specified in the University’s Highly Sensitive Data Protection Standard.

Must meet requirements for securing electronic devices in accordance with the University’s Security of Network-Connected Devices Standard.

 

Same as for moderately sensitive data.

Same as for moderately sensitive data.

University-owned individual workstations must be configured and administered in accordance with the Elevated Workstation Privileges Standard

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data.

Any individual-use device, whether individually or University-owned or managed, must be configured and administered in accordance with Security of Network-Connected Devices Standard.

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data.

Scanning

Identity Finder (or equivalent) highly sensitive data scans must be performed and all unapproved storage remediated at least quarterly, as detailed in Highly Sensitive Data Protection Standard and the Procedures on the Use of Data Loss Prevent (DLP) Tools

Antivirus software must be installed, and configured for automatic daily definition updating, automatic protection of all incoming files, and scheduled weekly drive scans.

Networked-device vulnerability scans (e.g., Nessus) must be performed and remediated at least quarterly.

Identity Finder (or equivalent) highly sensitive data scans must be performed and remediated at least quarterly (as detailed in Highly Sensitive Data Protection Standard and the Procedures on the Use of Data Loss Prevent (DLP) Tools.

 

Antivirus scanning requirement same as for highly sensitive data.

 

Networked-device vulnerability scans (e.g., Nessus) must be performed and remediated at least twice a year.

Same as for moderately sensitive data.

 

Same as for moderately sensitive data.

Server Connections

Must connect to UVA servers only using two-factor authentication and:

  • through approved secure on-Grounds networks (More Secure Network, Secure Clinical Subnet, or jefferson wireless),
  • from home using UVA’s Joint VPN, and a home network that employs a properly configured home firewall/router, or
  • when traveling using UVA’s Joint VPN.

Must clean out browser cache daily, either by browser configuration or cleaning application.

Same as for highly sensitive data, except:

  • must use one of the  UVA supported VPNs,
  • daily cache cleaning recommended, but not required.

 

Same connection methods as for moderately sensitive data are recommended, but not required.

Same as for internal use data.

Other Individual-Use Device Requirements

 

Network registration information, such as contact information, is kept up to date.

Same as for highly sensitive data.

Same as for highly sensitive data.

Same as for highly sensitive data.

 

Assessing And Managing Risk

Area

Highly Sensitive Data

Moderately Sensitive Data

Internal Use Data

Public Data

Risk Management

Same as for highly sensitive data.The department must complete an IT security risk assessment, including updating the department’s mission continuity and disaster recovery plan, every three yearsannually  and when the computing environment changes significantly, in accordance with the University’s Information Security of University Technology Resources (IRM-004) policy.

 

Same as for highly sensitive data.Same as for moderately sensitive data.

Same as for highly sensitive data.Same as for moderately sensitive data.

Security architecture (systems, applications, authentication, etc.) discussions with ITS and the University Information Security office, including Health Information Technology if appropriate, will be held as part of the annual risk management update, or sooner if there is a significant change to the computing environment.

Security architecture discussions held as needed.

Same as for moderately sensitive data.

Same as for moderately sensitive data.

Auditing

The University’s Audit Department periodically audits the department’s computing environment.

Less frequent audits necessary.

 

Less frequent audits necessary.

 

Less frequent audits necessary.

 

3.  Definitions

For a comprehensive list of the definitions found in the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, please click here.

[Table of Contents]

4.  Related Links

[Table of Contents]

5.  Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

[Table of Contents]

 

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security Office will evaluate the report and provide a full investigation.

Complete Report Form