Understanding when a vendor needs to be reviewed is crucial for maintaining UVA’s data security and operational integrity. This infographic outlines the key factors to consider, such as whether the vendor processes, stores, or transmits UVA data in the cloud, the sensitivity of the data involved, and whether the service provided is mission-critical. If a cloud vendor handles Highly Sensitive Data (HSD) or provides a mission-critical service, a review is required. Be sure to gather the necessary documentation, such as a recent SOC 2 Type II Report and a completed HECVAT, and remember that reviews are required annually or when new business cases arise. For detailed standards, see the Vendor Security Review Standard.
If you have determined that you need to initiate a vendor review, follow the instructions at How to Launch a Review.
The information above is drawn from our Vendor Security Review Standard at https://security.virginia.edu/vendor-security-review-standard and our University Data Protection Standards at https://security.virginia.edu/university-data-protection-standards.