Search This Site

 

Main menu

Policy Alerts

This page lists any significant updates that have been made to UVA information technology policies, standards, or procedures. Unless otherwise noted below, all changes are effective immediately.

We encourage you to review and familiarize yourself with these changes and encourage you to seek assistance from technology experts (i.e. Local Support Partners) in your areas or the UVA Help Desk by emailing 4help@virginia.edu or calling 434-924-4357. Background and additional information about these updated policies, standards, and procedures (PSPs) is on our Information Technology Policies, Standards, & Procedures webpage.  For questions or concerns, please speak with your Local Support Partner (LSP) or email us at it-policy@virginia.edu.

To subscribe to these alerts, or change your subscription, please visit: https://lists.virginia.edu/sympa/subscribe/it-policy-alerts
 

Latest IT Policy changes and updates at the University of Virginia:

[Posted: Dec 2, 2022 3:15 PM]

Effective: December 2, 2022 

[Posted: Nov 1, 2022 4:15 PM]

The Electronic Access Requirements standard had non-substantive changes related to the elimination of the need for a paper version (aka Electronic Access Agreement). The first sentence that is under "2.

[Posted: Oct 12, 2022 3:15 PM]

The Report an Information Security Incident form had non-substantive changes to make it more clear that anyone should report any security incident involving UVA, not just employees or students at UVA.

[Posted: Sep 21, 2022 3:00 PM]

Effective: September 21, 2022 

[Posted: Sep 12, 2022 4:45 PM]

Effective: September 12, 2022 

On September 12, 2022, the Electronically Stored Information Release procedure webpage had non-substantive changes to the contact email and phone number for the Vice-President of Student Affairs office.  Also, the reference to the UVA Policy on Sexual and Gender-Based Harassment and Other Forms of Interpersonal Violence was dropped. 

[Posted: Aug 15, 2022 2:30 PM]

Effective: June 1,  2022 

On June 1, 2022 the Security of Network-Connected Devices standard had a non-substantive change that aligned the names and numbers of the severity of a security vulnerability to the names and numbers that Qualys, the vulnerability management software, uses in the additional requirements section of the standard.

[Posted: Aug 15, 2022 12:15 PM]

Effective: June 1, 2022 

On June 1, 2022 the Policy, Standards, and Procedures Exceptions Process webpage had non-substantive changes to identify the appropriate name of the reviewing group and drop the parenthetical comment about the Highly sensitive data (HSD) request form that the Exception process replaces. 

[Posted: Aug 15, 2022 11:45 AM]

Effective: June 1, 2022 

On June 1, 2022 the Information Security Risk Mangement standard was updated to remove the requirement for a department head to sign-off on the final departmental ISRM report.

[Posted: May 6, 2022 4:30 PM]

Effective: May 6, 2022 

The Information Security Risk Mangement procedure was updated to include the procedures and directions used to complete the Information Security Risk Management assessment in OneTrust for 2022.

In addition, the word "survey" was replaced with "tool" and "information security"  replaced where IT or Information Technology was used to refer to the information security risk assessment.

[Posted: Apr 20, 2022 4:15 PM]

Effective: April 1, 2022 

The vulnerability scanning requirement for all network connected managed devices to be scanned has been rescinded for another six months while Information Security works to release the new solution that offers this service as required in the standard. 

Please review the details of the exception and its compensating controls as well as the standards to which this exception applies.

[Posted: Mar 14, 2022 3:15 PM]

Effective: March 14, 2022

[Posted: Jan 26, 2022 3:30 PM]

Effective: January 26, 2022

The standard, Vendor Security Review, has been amended to make clear that if a vendor will process, process, store, or transmit credit card information (aka PCI data or cardholder data (CHD)) the review of this vendor is completed by the University Payment Card Services office.  Please review this change to the standard for the details.

[Posted: Aug 3, 2021 4:00 PM]

Effective: August 3, 2021

A new standard, Responsible Disclosure was reviewed by the Information Technology Services (ITS) directors, the Security Advisory Committee, and the Information Security leadership team and approved by the VP-CIO, Virginia Evans, on March 8, 2021. 

[Posted: Jul 12, 2021 10:30 AM]

Effective: June 2, 2021

[Posted: Jun 16, 2021 3:30 PM]

Effective: May 14, 2021 

The vulnerability scanning requirement for all network connected managed devices to be scanned has been rescinded for another six months while Information Security works to provide a solution that offers this service as required in the standard. 

Please review the details of the exception and its compensating controls as well as the standards to which this exception applies.

[Posted: May 10, 2021 2:15 PM]

The Report an Information Security Incident form and its associated Report an Information Security Incident procedure had non-substantive changes to align the terms and names used to match the current titles and names (e.g., Health System instead of Medical Center), fix broken links,  and add to the list of Related Links.

[Posted: Apr 15, 2021 4:45 PM]

The electronically stored information (ESI) release standard and procedure were revised to make the University Records and Information Management (RIM) office the responsible party for

[Posted: Dec 18, 2020 3:30 PM]

Effective: December 18, 2020

The Authentication standard was substantially changed to such degree that it is not possible to list all the changes here.  Reviewing the revised standard carefully is highly recommended.

[Posted: Dec 14, 2020 12:00 PM]

Effective: December 8, 2020 

The vulnerability scanning requirement for all network connected managed devices to be scanned has been rescinded for six months while Information Security works to provide a process or solution to provide this service as required in the standard. 

Please review the details of the exception and its compensating controls as well as the standards to which this exception applies.

[Posted: Nov 24, 2020 3:30 PM]

Effective: November 24, 2020

Pages

Subscribe to Policy Alerts

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form