Policy Alerts

This page lists any significant updates that have been made to UVA information technology policies, standards, or procedures. By clicking the button below, you can sign up to receive an email notice whenever a new policy alert is created. Unless otherwise noted below, all changes are effective immediately.

We encourage you to review and familiarize yourself with these changes, and to seek assistance from technology experts (i.e., Local Support Partners) in your areas or the UVA Help Desk by emailing [email protected] or calling 434-924-4357. Background and additional information about these updated policies, standards, and procedures (PSPs) is on our Information Technology Policies, Standards, & Procedures webpage. For questions or concerns, please speak with your Local Support Partner (LSP) or email us at [email protected].

Subscribe or manage policy alerts email

Latest IT Policy changes and updates at the University of Virginia:

Last updated: 12/06/2024 - 3:05pm

The Security of Connected Devices Standard was extensively changed.

Careful review of the revised standard is highly recommended.

CHANGED

Under 2 b) Additional Security Requirements For Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data

Existing item: 

The Health System 

changed to

The Medical Center

Existing item: 

Computers owned by the Academic Division of the University, an employee of the Academic Division or sponsored account of the University  

changed to

Computers owned by the Academic Division of the University, an employee of the Academic Division, sponsored account of the University, or student worker  

Existing item: 

student owned computers are excluded 

changed to

student owned computers not accessing University Academic data are excluded

ADDED 

Under 2 b) Additional Security Requirements For Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data

  • Antimalware and Microsoft Defender
    • All electronic devices capable of installing and running Endpoint Detection and Response (EDR) real-time antimalware protection must do so.
    • All servers utilizing a Microsoft Windows Operating System must install and run Microsoft Defender for Cloud Plan 1 or Plan 2 by January 1, 2025. See  Microsoft Defender for Servers.
    • All servers utilizing a Linux Operating System must install and run Microsoft Defender for Cloud Plan 1 or Plan 2 by July 1, 2025. See Microsoft Defender for Servers.
    • Non-server electronic devices utilizing an operating system supported by Microsoft Defender for Endpoint should install Microsoft Defender for Endpoint Plan 2. See Microsoft Defender for Endpoint (MDE).
  • Organizations not employing the ITS Academic M365 tenant’s MDC or MDE must:
    • Forward MDS and MDE logs to the Enterprise Logging Service (Splunk)
    • Implement security configuration settings at the same or higher level than the ITS tenant
    • Provide ITS Information Security personnel full access to the tenant security portal

 

Under 2 c) Additional Security Requirements for Email Services

  • All email service providers sending or receiving email with a virginia.edu domain or sub-domain must:
    • request Domain-based Message Authentication, Reporting and Conformance (DMARC) keys via the ITS Service Catalog request, AND
    • have EITHER a DMARC p=reject policy OR a Sender Policy Framework (SPF) record configured to hard fail (-all)
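The two-option rule above can be checked mechanically against a domain's DNS. The following Python is an added example written for this page; it is not UVA tooling and not part of the standard. It parses a domain's DMARC and SPF TXT records and applies the rule (DMARC p=reject, or an SPF record whose all mechanism is the hard-fail -all). The DNS answers are constructed sample records for hypothetical domains, embedded inline so the script runs offline; to use it against real domains, replace lookup_txt with a resolver query. Two assumptions are labeled in the code: the organizational domain is taken as the last two labels (a production tool should use the Public Suffix List), and SPF redirect= modifiers are not followed.

```python
"""Check a sending domain against the rule: DMARC p=reject OR SPF hard fail (-all).

Added example for this page, not UVA tooling. DNS answers are constructed
samples embedded below so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample DNS TXT answers keyed by query name (hypothetical domains).
SAMPLE_TXT: Dict[str, List[str]] = {
    "example-good.edu": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example-good.edu": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-good.edu"],
    "example-spf.edu": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.example-spf.edu": ["v=DMARC1; p=none"],
    "example-bad.edu": ["v=spf1 include:_spf.example.net ~all", "site-verification=abc123"],
    "_dmarc.example-bad.edu": ["v=DMARC1; p=quarantine; pct=100"],
    "_dmarc.example-sp.edu": ["v=DMARC1; p=reject; sp=none"],
}


def lookup_txt(name: str, records: Dict[str, List[str]]) -> List[str]:
    """Stand-in for a DNS TXT query; returns [] for NXDOMAIN / no data."""
    return records.get(name.lower().rstrip("."), [])


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Assumption: the organizational domain is the last two labels. Fine for
    virginia.edu-style names; a real tool should consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def effective_dmarc_policy(domain: str, records: Dict[str, List[str]]) -> Optional[str]:
    """Policy that applies to mail from `domain`: its own _dmarc record, else the
    organizational domain's record, where an 'sp=' tag (if present) governs sub-domains."""
    for txt in lookup_txt(f"_dmarc.{domain}", records):
        tags = parse_dmarc(txt)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "").lower() or None
    org = org_domain(domain)
    if org == domain:
        return None
    for txt in lookup_txt(f"_dmarc.{org}", records):
        tags = parse_dmarc(txt)
        if tags.get("v", "").upper() == "DMARC1":
            return (tags.get("sp") or tags.get("p", "")).lower() or None
    return None


def spf_record(domain: str, records: Dict[str, List[str]]) -> Optional[str]:
    """RFC 7208 requires exactly one v=spf1 record; zero or several is a permerror."""
    spf = [t for t in lookup_txt(domain, records) if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(record: str) -> Optional[str]:
    """Qualifier on the 'all' mechanism: '-' hard fail, '~' soft fail, '?' neutral,
    '+' pass. None if there is no 'all' term (a redirect= modifier, if any, would then
    decide; this example does not follow redirects)."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?=\s|$)", record, re.IGNORECASE)
    if match is None:
        return None
    return match.group(1) or "+"


@dataclass
class EmailPosture:
    domain: str
    dmarc_policy: Optional[str]
    spf_all: Optional[str]

    @property
    def compliant(self) -> bool:
        """The rule quoted above: DMARC p=reject OR an SPF record ending in -all."""
        return self.dmarc_policy == "reject" or self.spf_all == "-"


def assess(domain: str, records: Dict[str, List[str]] = SAMPLE_TXT) -> EmailPosture:
    spf = spf_record(domain, records)
    return EmailPosture(
        domain=domain,
        dmarc_policy=effective_dmarc_policy(domain, records),
        spf_all=spf_all_qualifier(spf) if spf else None,
    )


if __name__ == "__main__":
    for d in ["example-good.edu", "example-spf.edu", "example-bad.edu",
              "sub.example-good.edu", "sub.example-sp.edu", "example-missing.edu"]:
        p = assess(d)
        print(f"{d:24} dmarc={p.dmarc_policy!s:11} spf_all={p.spf_all!s:5} compliant={p.compliant}")
```

A sub-domain with no _dmarc record of its own inherits the organizational domain's policy, and an sp= tag there can silently weaken it, which is why the check resolves the effective policy rather than only the literal record. Of the two options the standard allows, p=reject is the stronger: SPF -all only covers the envelope sender, while DMARC with alignment also covers the From header that recipients see.
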

Last updated: 07/23/2024 - 9:48am

Effective: July 23, 2024 

On July 23, 2024, the Electronically Stored Information Release Standard had non-substantive changes to update the links for submitting Electronically Stored Information requests to the Records and Information Management (RIM) office.

The Standard was reviewed and the Next Scheduled Review date set to 7/23/2027.

Last updated: 11/29/2023 - 3:49pm

Effective November 29, 2023, the Vendor Security Review Standard webpage had non-substantive changes updating the UVA Wise reviewer sign-off to the UVA Wise Director of Information Technology & CSO.

 

Last updated: 03/30/2023 - 11:32am

The Security of Network-Connected Devices Standard was extensively changed and renamed to the Security of Connected Devices Standard.

Careful review of the revised standard is highly recommended.

CHANGED

Title of the standard to “Security of Connected Devices”

First subtitle dropped “Network-” and added “All”, so the title is: “Security Requirements for All Connected Devices”

Second subtitle dropped “managed” from subtitle, making the title: “Additional Security Requirements For Any Devices Accessing, Collecting, Generating, Processing, Storing, Or Transmitting University Data”

Moved “Remove or disable unnecessary applications and services.” from the ADDITIONAL SECURITY REQUIREMENTS FOR ANY DEVICE ACCESSING, COLLECTING, GENERATING, PROCESSING, STORING, OR TRANSMITTING UNIVERSITY DATA section to the SECURITY REQUIREMENTS FOR ALL CONNECTED DEVICES section.

Existing item: Vulnerability detection solution (such as Qualys Cloud Agent) must be used on devices meeting the following criteria: changed to: Qualys Cloud Agent, the UVA licensed Vulnerability Management solution, must be installed, configured, and running.

Item: Logs are configured in such a way to prevent alteration or deletion. Re-worded to Device should be configured in such a way to prevent alteration or deletion of logs.

Item: Keep an inventory of devices up-to-date with all required information. Re-worded to: Schools and departments must keep an up-to-date inventory of all devices with all required information.

Under Additional Security Requirements For Email Services

  • Item: Should use a centralized authentication resource (e.g. Shibboleth, Active Directory) for account login. Re-worded to: Must use a centralized authentication resource (e.g., Shibboleth, Active Directory) or authentication resource approved by University Information Security for account login.

ADDED 

Under SECURITY REQUIREMENTS FOR ALL CONNECTED DEVICES

  • “from Information Security” to the existing item: Devices with operating systems or firmware that have exceeded the end-of-life support from the vendor must have an approved exception.
  • “(such as Microsoft Defender for Endpoints)” to the existing item: Antimalware software must be installed, kept up to date, and running.
  • “Any suspected or actual security incident is reported to Information Security within one hour.”

Under Additional Security Requirements For Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data

  • Computers owned by the Academic Division of the University, an employee of the Academic Division, or a sponsored account of the University that access, collect, generate, process, or transmit University data must comply with the requirements described in this section. The UVA College at Wise, the Health System, University-Associated Organizations, and student-owned computers are excluded from the requirements described in this section.
  • “of patch release” to the end of “within N calendar days”

Under Additional Security Requirements For Email Services

  • Must automatically send email and authentication logs to University Information Security’s Security Information and Event Management (SIEM) tool daily.
  • Must request Domain-based Message Authentication, Reporting and Conformance (DMARC) keys via the ITS Service Catalog request in order to send email as virginia.edu

Definitions

  • Device Inventory: an up-to-date list of devices owned and/or managed by a department. The list must include: Business Unit, Device Owner, Device Owner’s Last Name, Device Owner’s First Name, Device Owner’s Computing ID, Device/Endpoint Manager, Device Name, Highest Data Sensitivity Accessed by Device, Shared or Single User Device, User Admin Level, Device Serial Number, Primary MAC/EHA address, Other MAC/EHA address, OS Version (Mac, PC, Linux), Other/Comments. If this list cannot be generated automatically by JAMF, KACE, or similar software, then a spreadsheet similar in format to the published example spreadsheet is acceptable.
  • Electronic device: electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, servers, smart phones, and other mobile devices. For purposes of this definition, the term does not include IoT, networking, or medical devices.

REMOVED

Under ADDITIONAL SECURITY REQUIREMENTS FOR ANY DEVICE ACCESSING, COLLECTING, GENERATING, PROCESSING, STORING, OR TRANSMITTING UNIVERSITY DATA.

  • All sub-items under Vulnerability Detection solution must be used . . .

Last updated: 03/29/2023 - 12:01pm

A new standard, the Email Alias Standard, was reviewed by the Information Technology Services (ITS) directors, the Security Advisory Committee, and the Information Security leadership team and approved by Dana German, CIO.

Please review the details of this new standard.

Last updated: 03/15/2023 - 9:03am

The External Physical Network Connections Standard and Connecting Network Equipment Standard are combined into Connecting Network Equipment Standard.

  • Added sentence fragment about external physical networks to the second paragraph.
  • Combined items in the “Standards” and “Procedures” section for the three areas (ITS-Managed Wired and Wireless Networks, and HIT-Managed Wired and Wireless Networks) of the documents.
  • Added three bulleted items (out of eight) from External Physical Network Connections standard that were not in Connecting Network Equipment standard.
  • Added “connections” to bullet in Standard that says: Require removal of non-authorized networking connections, equipment, or infrastructure
  • Revised the list of wireless devices (previously, e.g., “2.4 and 5.1 GHz wireless devices”) to:
    • wireless devices of any protocol that transmit on any Wi-Fi band or any frequency in the Citizens Broadband Radio Service (CBRS) band

Last updated: 03/15/2023 - 7:26am

The External Physical Network Connections Procedures and Connecting Network Equipment Procedures are combined into Connecting Network Equipment Procedures.

• Added sentence fragment about external physical networks to the second paragraph.

• Combined items in the “Standards” and “Procedures” section for the three areas (ITS-Managed Wired and Wireless Networks, and HIT-Managed Wired and Wireless Networks) of the documents.

Last updated: 01/11/2023 - 4:56am

The University Data Protection Standard removed two exceptions, one for vulnerability scanning (Exception 268) and one for periodic scanning for Highly Sensitive Data (HSD; Exception 230). The requirement for periodic scanning for HSD was removed from the Highly Sensitive Data Protection Standard for Individual-Use Electronic Devices or Media. Technical requirements, including whole-disk encryption for individual-use devices on the HSVPN, replaced the requirement for periodic scanning for HSD on such devices.

Networked-device vulnerability scans must still be performed, and findings remediated, per the requirements in the Security of Network-Connected Devices Standard.

Careful review of the revised standard is highly recommended.

Last updated: 12/19/2022 - 1:34pm

The standard “Granting and Restricting Elevated Workstation Privileges” (or just “Elevated Workstation Privileges”) was extensively changed and renamed to the Administrative Privileges on University Endpoints Procedure. The document was changed from a standard to a procedure because it details the steps you must take to be compliant. In addition, its orientation was changed from a user-and-privilege focus to alignment with the UVA data classifications and elevated administrative privileges.

Careful review of the revised standard/new procedure is highly recommended.

CHANGED

The following phrases were changed:

The tables were simplified into one small table. Please consult the actual procedure.

ADDED 

Procedures for endpoint managers and the difference between temporary and persistent elevated administrative privileges.
The requirement for an asset inventory of all endpoints on which the assigned user has elevated administrative privileges.

New Related Links were added to the procedure

As with all our standard and procedure revisions, this one was reviewed by the Information Technology Services (ITS) directors, the Security Advisory Committee, and the Information Security leadership team and approved by Jason Belford, CISO.

A careful review of the revised/new procedure is highly recommended.

Last updated: 12/16/2022 - 9:08am

A new procedure, Remediation of HSD in Email (O365), was reviewed by the Information Technology Services (ITS) directors, the Security Advisory Committee, and the Information Security leadership team and approved by Jason Belford, CISO.

Please review the details of this new procedure.