The capacity for data users to enter, modify, delete, view, copy, or download data.
An individual at the University who is authorized to grant a request to access Electronically Stored Information (ESI). This may include an individual who has been designated, either permanently or temporarily, by another individual to serve in the role of authorizing official on their behalf. The authorizing official (a.k.a approver) typically would be from within the same department, business unit, or reporting area, and must be at least two levels above the affected individual(s) on an organizational chart (except where the affected individual is the president or vice-president). The authorizing official is a person in a higher-level position of authority who is able to determine appropriateness and reasonableness after reviewing the applicable policies and standards related to the request. For most situations, the authorizing official will be either the department chairs or heads or their assigned designee, or the President or delegated representative, such as the Vice-Presidents and Deans or their assigned designee, depending on the affected user and requested access.
Standard security controls that must be in place on all University-owned computing devices to ensure they are in compliance with University Policies. These include, but are not limited to, anti-virus software, password protection, and regular software updates.
A bridge letter is a letter from a vendor that attests to the continued validity and accuracy of the provided external assessment (no significant changes in their environment or threat landscape) between the report end date and the current date. UVA requires that a bridge letter may span no more than six months from the report end data and the date of UVA's request for an external assessment report.
Data whose sensitivity level falls within a hierarchical schema established by the federal government according to the degree to which unauthorized disclosure would damage national security. Access to classified data typically requires a formal security clearance level relative to the sensitivity of the classified data for which the access is requested. Ranging from most sensitive to least, those levels include Top Secret, Secret, Confidential, and Public Trust. The misuse of classified data may incur criminal penalties and significant reputational damage.
Additional protective controls, beyond baseline security measures, put in place on a workstation to offset a specific increase in data security risk.
An individual who is an employee of a firm that has a formal contractual relationship with the University and has been assigned to work at the University for the duration of the contract.
Data that is a public record available to anyone in accordance with the Virginia Freedom of Information Act but is also not intentionally made public (see the definition of public data). Examples include salary information, employee name and title, meeting minutes, specific e-mail messages (for a complete list, see Code of Virginia § 2.2-3700 Virginia Freedom of Information Act).
For purposes of this policy, this term includes any item, component, material, software, source code, object code, or other commodity specifically identified on the Commerce Control List [Part 774 of the Export Administration Regulations (EAR)] or U.S. Munitions List [Part 121 of the International Traffic in Arms Regulations (ITAR)]. This term also includes information to the extent required in the applicable regulation.
Text, numbers, graphics, images, sound, or video and in any format, electronic or paper. The University regards data maintained in support of a functional unit's operation as University data if they meet at least one of the following criteria: If
- at least two administrative operations of the University use the data and consider the data essential;
- integration of related information requires the data;
- the University needs to verify the quality of the data to comply with legal and administrative requirements for supporting statistical and historical information externally;
- a broad cross section of University employees refers to or maintains the data; or
- the University needs the data to plan.
Some examples of such University-owned data include student course grades, patient records, employee salary information, research, vendor payments, and the University's annual Common Data Set.
University and Medical Center officials who have responsibility for confirming that requests for access correctly map to what the data users need in the way of access to the specific components of a given application required to perform job duties, and for which they have appropriate training. (The Data Access Approver will be either the Data Steward, the Deputy Data Steward, or the Executive Data Steward.)
The person designated by the VP or Dean to provide oversight of data security for the organization. If no individual is designated, the person responsible for providing oversight of IT for the organization will fulfill this role.
University and Medical Center officials who have responsibility for determining the purpose and function of data within their assigned data domains. They (1) work to protect the accuracy, integrity, and (as appropriate) confidentiality of data; (2) have final sign-off authority for users seeking to access, retrieve, manipulate, or view data for their respective data domains. May delegate final sign-off authority to Deputy Data Stewards they appoint, but retain accountability for decisions; and (3) work to make certain users have an understanding of the data to which they have access.
Individuals who acknowledge acceptance of their responsibilities, as described in this policy, and its associated standards and procedures, to protect and appropriately use data to which they are given access; and meet all prerequisite requirements, e.g., attend training before being granted access.
Individuals who authorize or reject access requests based upon approval criteria established by the Data Stewards who appoint them.
The entire collection of data for which a University employee assigned the role and responsibilities of an Executive Data Steward, Data Steward, or Deputy Data Steward is responsible. The data domain also includes rules and processes related to the data.
Includes telephone communications, so-called "phone mail," or voicemail, e-mail, computer files, text files, and any data traversing the University network or stored on University equipment.
Electronic equipment, whether owned by the University or an individual, that has a processor, storage device, or persistent memory, including, but not limited to: desktop computers, laptops, tablets, cameras, audio recorders, smart phones and other mobile devices, as well as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, network-aware devices with embedded electronic systems (i.e. “Internet of Things”), supervisory control and data acquisition (SCADA) and industrial control systems, etc
All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).
Electronically Stored Information (ESI) is information created, manipulated, stored, or accessed in digital or electronic form.
A level of permission that allows the user to install software and change configuration settings on a workstation (also known as administrator or admin privileges)
As used in this policy, includes all faculty (teaching, research, administrative and professional), professional research staff, university and classified staff employed by the University in any capacity, whether full-time or part-time, and all those employees in a wage or temporary status.
An individual who is an employee (2), contractor employee, medical center employee, and/or foundation employee, as well anyone else to whom University IT resources have been extended. These include, but are not limited to, recently terminated employees whose access to University IT resources have not yet been terminated, deleted, or transferred, and individuals whose University IT resources continue between periods of employment. This also includes student workers, volunteers, and other individuals who may be using state-owned or University IT resources and carrying out University work.
System settings or software installed on a workstation in addition to baseline security measures to provide compensating controls in one or more of the following three modes to offset the risk assumed by granting increased privileges:
- Monitoring Mode: Logs user activity such as installing software
- Practical Security Settings: Requires user to verify software installs before proceeding. This activity must be logged in a location the user would not be able to alter
- Highest Practical Security Settings: Requires that any installed software be added to a “whitelist” of allowed software by an Workstation Manager before allowing it to be installed
Senior University and Medical Center officials who have planning and policy-level responsibilities for a large subset of the institution’s data resources. They: (1) oversee the implementation of this policy for their data domains; (2) determine the appropriate classification of institutional data (highly sensitive, moderately sensitive, controlled data, and not sensitive) in consultation with executive management and appropriate others; and (3) appoint Data Stewards for their data domains.
An export is any shipment or transmission of controlled technology out of the U.S. The term "deemed export" is commonly used to refer to the release of controlled information (as specified in the regulations) to a foreign national in the U.S. Under the regulations, such a transfer is deemed to be an export to the individual’s home country.
An individual who is an employee of one of the officially recognized University-related foundations.
Gift card scams are usually phishing emails that appear to come from someone you know, often somebody you think is important, such as supervisor or senior colleague or a family member with an emergency - asking if you can do them a favor or give "urgent help". It often starts with an email that says, "Available?". The email typically asks you to only use email to respond because the sender is occupied (in a meeting) and currently unable to take calls. The scammer replies to the your response, asking you to purchase gift cards, scratch off the back to reveal the gift card codes, and send pictures of the cards to them via reply email. The person promise to pay you back as soon as they are back in the office! Don't fall for it. Those numbers on the back of a gift card let the scammer immediately get the money you loaded onto the card by purchasing it. And once they’ve done that, the scammers and your money are gone, usually without a trace.
Data that require restrictions on access under certain laws such as Virginia Code § 18.2-186.6. Breach of Personal Information Notification , or that may be protected from release in accordance with applicable law or regulation.
Highly Sensitive data (HSD) currently includes personal information that can lead to identity theft. HSD is also any health information that reveals an individual’s health condition and/or medical history.
Specific examples include, but are not limited to:
Any store or file of passwords or user-ids and passwords on any multi-user system or computer.
Personal information that, if exposed, can lead to identity theft. "Personal information” means the first name or first initial and last name in combination with and linked to any one or more of the following data elements about the individual:
Social security number;
Driver’s license number or state identification card number issued in lieu of a driver’s license number;
Passport number; or
Financial account number, or credit card or debit card number, including any cardholder data in any form on a payment card.
Also considered HSD are any form of personally identifying information in combination with social security number (SSN), driver’s license number, passport number and/or financial account number. For example, computing ID and driver’s license number, or home address and SSN. Note that credit card numbers can never be stored either alone or in combination with any other identifiers.
Health information that, if exposed, can reveal an individual’s health condition and/or history of health services use. “Health information,” also known as “protected health information (PHI),” includes health records combined in any way with one or more of the data elements about the individual known as Health Insurance Portability and Accountability Act (HIPAA) regulated identifiers (see Medical Record Review ).
Electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones, and other mobile devices. For purposes of this policy, the term does not include shared purpose devices, such as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, clinical workstations, medical devices (e.g., EKG machines), etc.
All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and any externally attached storage devices (e.g., thumb drives).
Any event that, regardless of accidental or malicious cause, results in:
- disclosure of University data to someone unauthorized to access it,
- unauthorized alteration of University data,
- loss of data which the University is legally or contractually bound to protect or which support critical University functions,
- disrupted information technology service,
- a violation of the University’s information security policies.
Examples of such incidents include, but are not limited to:
- Malicious software installations on electronic devices that store University data not routinely made available to the general public, e.g., employee evaluations, or data the University is legally or contractually bound to protect, e.g., social security numbers, credit card numbers, Protected Health Information (PHI), research data, etc.
- Loss or theft of electronic devices, electronic media, or paper records that contain University data not routinely made available to the general public or data the University is legally or contractually bound to protect.
- Defacement of a University website.
- Unauthorized use of a computing account.
- Use of information technology resources for unethical or unlawful purposes (incidents involving employees and pornography should be reported directly to University Human Resources).
- Contact from the FBI, Secret Service, Department of Homeland Security or other law enforcement organizations regarding a University electronic device that may have been used to commit a crime.
All resources owned, leased, managed, controlled, or contracted by the University involving networking, computing, electronic communication, and the management and storage of electronic data including, but not limited to:
- Networks (virtual and physical), networking equipment, and associated wiring including, but not limited to: gateways, routers, switches, wireless access points, concentrators, firewalls, and Internet-protocol telephony devices;
- Electronic devices containing computer processors including, but not limited to: computers, laptops, desktops, servers (virtual or physical), smart phones, tablets, digital assistants, printers, copiers, network-aware devices with embedded electronic systems (i.e., “Internet of things”), and supervisory control and data acquisition (SCADA) and industrial control systems;
- Electronic data storage devices including, but not limited to: hard drives, solid state drives, optical disks (e.g., CDs, DVDs), thumb drives, and magnetic tape;
- Software including, but not limited to: applications, databases, content management systems, web services, and print services;
- Electronic data in transmission and at rest;
- Network and communications access and associated privileges; and
- Account access and associated privileges to any other IT resource.
Gathering information and initial fact-finding to determine whether an allegation or apparent instance of research misconduct warrants an investigation.
Data that is a public record available to anyone in accordance with the Virginia Freedom of Information Act (FOIA) but is also not intentionally made public (see the definition of public data). Examples may include salary information, contracts, and specific email correspondence not otherwise protected by a FOIA exemption. For a complete list, see Code of Virginia § 2.2-3700 Virginia Freedom of Information Act.
The formal examination and evaluation of all relevant facts to determine if misconduct has occurred, and, if so, to determine the responsible person and the seriousness of the misconduct.
Individuals employed by the University of Virginia Medical Center in any capacity.
A University mission critical system is any factor (e.g., component, equipment, personnel, process, procedure, software, server) that is essential to a business operation or a unit. When a mission critical system fails or is interrupted, business operations are significantly impacted. It is indispensable to continuing operations.
All users except for those whose sole affiliation with the University is student or applicant.
Refers to information that is linked to a person’s identity, such as Social Security Number (SSN), driver’s license number, financial information, and/or protected health information (PHI).
Data intentionally made public and are therefore classified as not sensitive. Any data that are published and broadly available are, of course, included in this classification. University policy holds that the volume of data classified as not sensitive should be as large as possible because widespread availability of such information will enable others to make creative contributions in pursuit of the University's mission.
IT resources that are available to broad groups of users within the University community. They include, but are not limited to: public-access computer facilities, shared multi-user computing systems, and the network services that Information Technology Services (ITS) and all other University schools and departments manage. The word “public,” in this context, describes a resource that is available broadly to members of the University community. It does not imply that these resources are available to persons from outside the University community.
Any writing or recording — regardless of whether it is a paper record, an electronic file, an audio or video recording or any other format — that is prepared or owned by, or in the possession of a public body or its officers, employees, or agents in the transaction of public business. Commonwealth of Virginia Code § 2.2-3701. All public records are presumed to be open and may be withheld only if a statutory exemption applies.
Ransomware is a form of malware in which rogue software code effectively holds a user's computer hostage until a "ransom" fee is paid. Access to the user's computers files are blocked, often by encrypting them. Most ransomware attacks are the result of clicking on an infected email attachment or visiting hacked or malicious websites.
Any document, file, computer program, database, image, recording, or other means of expressing information in either electronic or non-electronic form.
Any data, document, computer file, computer diskette, or any other written or non-written account or object that reasonably may be expected to provide evidence or information regarding the proposed, conducted, or reported research that constitutes the subject of an allegation of research misconduct. A research record includes, but is not limited to, grant or contract applications, whether funded or unfunded; grant or contract progress and other reports; laboratory notebooks; notes; correspondence; videos; photographs; X-ray film; slides; biological materials; computer files and printouts; manuscripts and publications; equipment use logs; laboratory procurement records; animal facility records; human and animal subject protocols; consent forms; medical charts; and patient research files. A research record is one type of University record.
The process to identify, control and manage the impact of potential harmful events, commensurate with the value of the protected assets. Risk management includes impact analysis, risk assessment, and continuity planning.
Data, records, and files that:
- may be withheld from release under the Virginia Freedom of Information Act (FOIA),
- are not public records,
- do not enable identity theft,
- are not protected health information (PHI).
Examples include information concerning the prevention of or response to cyber-attacks, or information that describes a security system used to control access to or use of an automated data processing or telecommunications system, or research records that do not contain Highly Sensitive Data, University ID numbers, i.e., those printed on University ID cards, and/or Family Educational Rights and Privacy Act-protected data not covered under the definition of “Highly Sensitive” data. This category of data also includes any data or record covered by the exemptions listed in the Commonwealth of Virginia Freedom of Information Act).
The Service Organization Control 2 (SOC 2) was developed by the American Institute of Certified Public Accountants (AICPA) to report on controls at a service organization relevant to security, svailability, processing Integrity, and confidentiality or privacy. The SOC 2 report provides detailed information and assurance about the controls at a service organization (e.g., cloud vendor) relevant to the security, availability, processing, integrity, and confidentiality (privacy) of customer data.
The Service Organization Control 2 (SOC 2) Type II report is an attestation of controls at a service organization over a minimum six-month period, where as a SOC 2 Type I report is an attestation of controls at a service organization at a specific point in time. The SOC 2 Type II reports on the description of controls relevant to security, svailability, processing Integrity, and confidentiality or privacy provided by the service organization and attests that the controls are suitably designed, implemented, and effective.
A control that limits an individual from having full elevated privileges during normal, day-to-day use.
Recorded information that documents a transaction or activity by or with any appointed board member, officer, or employee of the University. Regardless of physical form or characteristic, the recorded information is a University record if it is produced, collected, received or retained in pursuance of law or in connection with the transaction of university business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is a University record. University records include but are not limited to: personnel records, student records, research records, financial records, patient records and administrative records. Record formats/media include but are not limited to: email, electronic databases, electronic files, paper, audio, video and images (photographs).
Everyone who uses University information technology (IT) resources. This includes all account holders and users of University IT resources including, but not limited to: students, applicants, faculty, staff, medical center employees, contractors, foundation employees, guests, and affiliates of any kind.
A level of permission that allows users to access specific resources on the workstation and network, such as data files, applications, printers and scanners.
A desktop computer terminal or laptop intended for business or professional use
A highly-skilled IT professional responsible for the upkeep, configuration, and reliable operation of a workstation such as a Local Support Partner (LSP) or Desktop Support Technician.
Report an Information
Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.