
External Assessment Review Procedure

Superseded by the Vendor Security Review Standard


Table of Contents

1.  Purpose and Background
2.  Procedures
     a) SOC 2 Report Reviews - New
     b) SOC 2 Report Reviews - Annual
     c) Other Acceptable External Assessments
3.  Definitions
4.  Related Links
5.  Further Guidance
6.  Exceptions


1.  Purpose and Background

The University Data Protection Standards include requirements for the review of third party vendors that handle Highly Sensitive Data (HSD) and/or provide services or applications that have been identified as mission critical (i.e., essential for the continuity of operations at the University). Given the risks involved for services of these types, University information security standards require that all business owners who engage such vendors provide an externally validated risk assessment during the initial procurement process and on an annual basis. This procedure outlines the responsibilities and process for obtaining and reviewing these externally validated risk assessments.

[Table of Contents]

2.  Procedures

SOC 2 Report Reviews - New

Business owners whose department is procuring a cloud vendor or service that handles data defined by UVA policy as Highly Sensitive Data (HSD), or that provides a service or application previously identified as mission critical, must obtain a SOC 2 report from the vendor for that service or application. This requirement is in addition to the requirement that vendors meeting these criteria receive a review from the appropriate Information Security office (as defined below).

If the business unit is in the Health System, at the same time it requests the SOC 2 report it notifies the Health Information & Technology Information Security office at [email protected].

If the business unit is on the Academic side of the University, at the same time it requests the SOC 2 report it notifies the University Information Security office at [email protected].

If a SOC 2 report is available, the business unit forwards the report to the same email address it used to notify the appropriate Information Security office about the request.

After a review is performed, a risk rating is applied of high, medium, or low.  The risk ratings and the associated required steps are as follows:

High Risk: Health System SOC 2 report analyses for this risk level must be reviewed by the Health System CITO and the appropriate Service Line Chief/Administrator.  Academic SOC 2 report analyses for this risk level must be reviewed by the Academic CIO and the appropriate Executive Vice President.  These analyses must also be reviewed by the business head or designee.

  • IF APPROVED, the appropriate Information Security team documents the approval and the purchase proceeds.  The business unit notes the annual requirement for review.
  • IF REJECTED, the appropriate Information Security team documents the rejection and the purchase does not proceed.

Medium Risk: Health System SOC 2 report analyses for this risk level must be reviewed by the appropriate Service Line Chief/Administrator and by the business head or designee.  Academic SOC 2 report analyses for this risk level must be reviewed by the Dean or VP of the appropriate business unit and by the business head or designee.

  • IF APPROVED, the appropriate Information Security team documents the approval and the purchase proceeds.  The business unit notes the annual requirement for review.
  • IF REJECTED, the appropriate Information Security team documents the rejection and the purchase does not proceed.

Low Risk: The business head or designee is notified of the risk rating and the purchase proceeds.  The business unit notes the annual requirement for review.

SOC 2 Report Reviews - Annual

Business owners whose department has a cloud vendor or service that handles data defined by UVA policy as Highly Sensitive Data (HSD), or that provides a service or application previously identified as mission critical, must obtain a SOC 2 report from the vendor for that service or application on an annual basis.

If the business unit is in the Health System, at the same time it requests the SOC 2 report it notifies the Health Information & Technology Information Security office at [email protected].

If the business unit is on the Academic side of the University, at the same time it requests the SOC 2 report it notifies the University Information Security office at [email protected].

If a SOC 2 report is available, the business unit forwards the report to the same email address it used to notify the appropriate Information Security office about the request.

After a review is performed, a risk rating is applied of high, medium, or low.  The risk ratings and the associated required steps are as follows:

High Risk: Health System SOC 2 report analyses for this risk level must be reviewed by the Health System CITO and the appropriate Service Line Chief/Administrator.  Academic SOC 2 report analyses for this risk level must be reviewed by the Academic CIO and the appropriate Executive Vice President.  These analyses must also be reviewed by the business head or designee.

  • IF APPROVED, the appropriate Information Security team documents the approval and the business unit continues to use the service.
  • IF REJECTED, the appropriate Information Security team documents the rejection and the business unit works with the appropriate stakeholders to discontinue use.

Medium Risk: Health System SOC 2 report analyses for this risk level must be reviewed by the appropriate Service Line Chief/Administrator and by the business head or designee.  Academic SOC 2 report analyses for this risk level must be reviewed by the Dean or VP of the appropriate business unit and by the business head or designee.

  • IF APPROVED, the appropriate Information Security team documents the approval and the business unit continues to use the service.
  • IF REJECTED, the appropriate Information Security team documents the rejection and the business unit works with the appropriate stakeholders to discontinue use, or appeals to the Health System CEO or Academic EVP for continued use.

Low Risk: The business head or designee is notified of the risk rating and the business unit continues to use the service.

Other Acceptable External Assessments

In cases where a SOC 2 report is unavailable from a vendor, an alternative external assessment can be provided for review so long as the external assessment meets the following criteria:

  • The external assessment covers data protection, privacy, and security controls in place for the vendor.
  • An organization independent of the vendor (e.g. auditing firm) prepares and signs off on the external assessment.
  • The controls described by the external assessment are representative of the vendor's current state.

Where an external assessment is provided in place of a SOC 2 report, the SOC 2 report procedures for receipt and review apply to the external assessment.

[Table of Contents]

3.  Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.

[Table of Contents]

4.  Related Links

[Table of Contents]

5.  Further Guidance

[Table of Contents]

6.  Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

[Table of Contents]

APPROVER: CHIEF INFORMATION SECURITY OFFICER
