Information Policy Library

This library serves as a central repository for all UVA information technology (IT) resource policies, standards, and procedures. The creation of a single location that consolidates the information policy areas and their associated standards, procedures, and guidelines should facilitate compliance initiatives across the UVA community.  These policies address the management of IT resources and University information to provide the framework for minimizing risk to these valuable assets. 

All users of UVA IT resources are encouraged to review and familiarize themselves with these areas of policies, standards, and procedures below and to seek assistance from technology experts (i.e. Local Support Partners) in the unit areas.

Each information policy, standard, and procedure is reviewed at least once every three years and updated as appropriate.

For questions or concerns please speak with your Local Support Partner (LSP) or email University Information Security at [email protected].

Policy Alerts

Highlights the changes made to UVA information policies, standards, and procedures. Unless otherwise noted, all changes are effective immediately. 

Acceptable Use

All users of University information technology (IT) resources are required to use them in an ethical, professional, and legal manner.

Policy

Acceptable Use of the University’s Information Technology Resources (IRM-002)

 

Data Protection

Users must comply with all University policies and standards for the data to which they have been granted the ability to view, copy, generate, transmit, store, download, or otherwise acquire, access, remove, or destroy. Users must also meet any additional compliance requirements for data protection stipulated by various governmental, legal, or contractual entities.

Policy

Data Protection of University Information (IRM-003)

Procedures

Electronic Data Removal Procedures

Electronically Stored Information Release Procedures

Highly Sensitive Data Protection Procedures for Individual-Use Electronic Devices or Media  >> Replaced by Highly Sensitive Data Protection Standard for Individual-Use Electronic Devices or Media

Protection of Highly Sensitive Data Procedures

Remediation of Highly Sensitive Data in Email (O365)

External Assessment Review Procedures > Replaced by Vendor Security Review Standard

Procedures on the Use of Data Loss Prevention (DLP) Tools   No longer licensed.

 

Information Security

Owners and overseers of the University’s information technology (IT) resources must take reasonable care to eliminate security vulnerabilities from those resources.

Policy

Information Security of University Technology Resources (IRM-004)

 

Privacy & Confidentiality

The University is committed to the privacy of individuals and to safeguarding information about individuals subject to limitations imposed by local, state, and federal law and other provisions described in the policies, standards, and procedures listed below.  The University, as steward of public resources and electronic information, shall respond to requests for electronic information in an orderly manner consistent with state and federal law and the policies, standards, and procedures listed below.

Policy

Privacy and Confidentiality of University Information (IRM-012

 

Exceptions

We understand the need for flexibility in becoming compliant with the updated policies, so a new process has been developed to request exceptions to a policy, standard, or procedure. There must be a legitimate business reason and proof that any potential risks will be mitigated before placing an exception request.

Additional Resources