Requesting an IT Compliance Review
Initiating an Information Security Compliance review is now really easy! Just follow the steps below.
1. Visit the UVA OneTrust Self Service portal
2. Type in your UVA email address and click “Next” to log in through Netbadge
3. Click on the grid icon at the top left of your screen
4. Select "Self-Service Portal"
5. Select the tile that best meets your needs. We currently offer the following:
- Consultant Questionnaire
  - This review is to be used for vendors or consultants who will have access to UVA data, where the data will not leave UVA space. This review may be done in conjunction with a Vendor Risk Assessment. The vendor may receive UVA-sponsored accounts to complete their work.
- Integration Request
  - This review is for both O365 integrations and non-O365 integrations.
- IRB-SBS Data Security Review
  - This request is to review a Data Security Plan for an SBS. Please have a copy of your iProtocol to upload.
- Static IP on the AON
  - This request is to explain the need for a Static IP on the AON.
  - Please be prepared to provide information about compensating controls.
- Vendor Security Compliance Review
  - Formerly the "Third Party Cloud Vendor Risk Assessment" request
  - This request is currently intended for cloud vendor risk assessments.
6. Complete the form and be sure to hit Submit. (If you are unable to submit, check that all required fields are completed.)
NOTE: When completing some fields, such as a vendor name or the vendor contact email, you may need to click "Add Option" beneath the text field after you finish typing.
Frequently Asked Questions
- Under what conditions is a review required for a vendor?
All third-party vendors with access to UVA data should be reviewed; this includes both cloud vendors and consultants. However, according to the University Data Protection Standards 3.0, only vendors handling sensitive, highly sensitive, or mission critical data must be reviewed by UVA IT Compliance before the product or service is purchased and/or used.
- What happens after I submit the vendor onboarding form?
An email will automatically be sent to the vendor contact email you provided. Before submitting the form, be sure to notify your contact at the vendor that they will be receiving an email from OneTrust. This helps to keep the review on track.
- My contact cannot find the email. Can you resend it?
Certainly! Email [email protected] and we can resend the email.
- How long does the review process take?
This is largely dependent on the vendor. The IT Compliance team typically sends information requests back to the vendor within five business days of receiving the initial submission. In general, vendors with more mature Information Security practices tend to go through the review process more quickly than vendors without established Information Security practices.
- Will I get an email once the review is complete?
Yes, although the next steps for your review will depend on the data and context. If the vendor you submitted is processing Highly Sensitive Data or has been designated as mission critical, then a sign-off process may be necessary after the review (see the Vendor Security Review standard). Otherwise, if no further steps are required, you will receive an email indicating the outcome of the review.
- How can I see my in-progress or completed Self-Service Portal submissions?
When you log in to OneTrust, you should see any in-progress or completed Self-Service Portal submissions in the bottom half of your screen (below the tiles available for launch).
- How should I give my vendor a heads up about the review?
Feel free to send them the template below. Just replace "[Vendor]" with the name of your vendor and send it off to your point of contact:
"I have been notified by our Information Security team that a review of your service and environment is required by UVA policy. Our Information Security team has a process for conducting these reviews which allows for an easier and more secure means for transmitting documentation.
Requests for [Vendor]’s review will be sent from “UVA IT Compliance <[email protected]>” with the words “Assessment Assigned” in the subject line. The email will include information and instructions for completing the review.
Please let me know if you are not the appropriate person to receive this request. Otherwise, thank you for your assistance in helping us to comply with the University’s Vendor Security Review Standard."