Policy Alerts

This page lists any significant updates that have been made to UVA information technology policies, standards, or procedures. By clicking the button below, you can sign up to receive an email notice whenever a new policy alert is created. Unless otherwise noted below, all changes are effective immediately.

We encourage you to review and familiarize yourself with these changes, and to seek assistance from the technology experts in your area (i.e., Local Support Partners) or from the UVA Help Desk by emailing [email protected] or calling 434-924-4357. Background and additional information about these updated policies, standards, and procedures (PSPs) is on our Information Technology Policies, Standards, & Procedures webpage. For questions or concerns, please speak with your Local Support Partner (LSP) or email us at [email protected].

Latest IT Policy changes and updates at the University of Virginia:

Last updated: 11/29/2023 - 3:49pm

Effective November 29, 2023, the Vendor Security Review Standard webpage had a non-substantive change: the UVA Wise reviewer sign-off was updated to the UVA Wise Director of Information Technology & CSO.


Last updated: 03/30/2023 - 11:32am

The standard, Security of Network-Connected Devices Standard, was extensively changed and renamed to Security of Connected Devices Standard.

Reviewing the revised standard carefully is highly recommended.

CHANGED

  • Title of the standard changed to “Security of Connected Devices”.
  • First subtitle dropped “Network-” and added “All”, so the title is: “Security Requirements for All Connected Devices”.
  • Second subtitle dropped “managed”, making the title: “Additional Security Requirements For Any Devices Accessing, Collecting, Generating, Processing, Storing, Or Transmitting University Data”.
  • Moved “Remove or disable unnecessary applications and services.” from the ADDITIONAL SECURITY REQUIREMENTS FOR ANY DEVICE ACCESSING, COLLECTING, GENERATING, PROCESSING, STORING, OR TRANSMITTING UNIVERSITY DATA section to the SECURITY REQUIREMENTS FOR ALL CONNECTED DEVICES section.
  • Existing item: “Vulnerability detection solution (such as Qualys Cloud Agent) must be used on devices meeting the following criteria:” changed to: “Qualys Cloud Agent, the UVA licensed Vulnerability Management solution, must be installed, configured, and running.”
  • Item: “Logs are configured in such a way to prevent alteration or deletion.” Re-worded to: “Device should be configured in such a way to prevent alteration or deletion of logs.”
  • Item: “Keep an inventory of devices up-to-date with all required information.” Re-worded to: “Schools and departments must keep an up-to-date inventory of all devices with all required information.”

Under Additional Security Requirements For Email Services

  • Item: “Should use a centralized authentication resource (e.g. Shibboleth, Active Directory) for account login.” Re-worded to: “Must use a centralized authentication resource (e.g., Shibboleth, Active Directory) or authentication resource approved by University Information Security for account login.”

ADDED 

Under SECURITY REQUIREMENTS FOR ALL CONNECTED DEVICES

  • “from Information Security” to the existing item: Devices with operating systems or firmware that have exceeded the end-of-life support from the vendor must have an approved exception.
  • “(such as Microsoft Defender for Endpoints)” to the existing item: Antimalware software must be installed, kept up to date, and running.
  • “Any suspected or actual security incident is reported to Information Security within one hour.”

Under Additional Security Requirements For Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data

  • Computers owned by the Academic Division of the University, an employee of the Academic Division, or a sponsored account of the University that access, collect, generate, process, or transmit University data must comply with the requirements described in this section. The UVA College at Wise, the Health System, University-Associated Organizations, and student-owned computers are excluded from the requirements described in this section.
  • “of patch release” added to the end of “within N calendar days”.

Under Additional Security Requirements For Email Services

  • Must automatically send email and authentication logs to University Information Security’s Security Information and Event Management (SIEM) tool daily.
  • Must request Domain-based Message Authentication, Reporting and Conformance (DMARC) keys via the ITS Service Catalog request in order to send email as virginia.edu.

Definitions

  • Device Inventory: an up-to-date list of devices owned and/or managed by a department. The list must include: Business Unit, Device Owner, Device Owner’s Last Name, Device Owner’s First Name, Device Owner’s Computing ID, Device/Endpoint Manager, Device Name, Highest Data Sensitivity Accessed by Device, Shared or Single User Device, User Admin Level, Device Serial Number, Primary MAC/EHA address, Other MAC/EHA address, OS Version (Mac, PC, Linux), Other/Comments. If this list cannot be generated automatically by JAMF, KACE, or similar software, then a spreadsheet similar in format to the example spreadsheet is acceptable.
  • Electronic device: electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, servers, smart phones, and other mobile devices. For purposes of this definition, the term does not include IoT, networking, or medical devices.

REMOVED

Under ADDITIONAL SECURITY REQUIREMENTS FOR ANY DEVICE ACCESSING, COLLECTING, GENERATING, PROCESSING, STORING, OR TRANSMITTING UNIVERSITY DATA.

  • All sub-items under “Vulnerability Detection solution must be used . . .”

Last updated: 03/29/2023 - 12:01pm

A new standard, the Email Alias Standard, was reviewed by the Information Technology Services (ITS) directors, the Security Advisory Committee, and the Information Security leadership team, and approved by Dana German, CIO.

Please review the details of this new standard.

Last updated: 03/15/2023 - 9:03am

The External Physical Network Connections Standard and the Connecting Network Equipment Standard were combined into the Connecting Network Equipment Standard.

  • Added sentence fragment about external physical networks to the second paragraph.
  • Combined items in the “Standards” and “Procedures” section for the three areas (ITS-Managed Wired and Wireless Networks, and HIT-Managed Wired and Wireless Networks) of the documents.
  • Added three bulleted items (out of eight) from External Physical Network Connections standard that were not in Connecting Network Equipment standard.
  • Added “connections” to the bullet in the Standard that says: Require removal of non-authorized networking connections, equipment, or infrastructure.
  • Revised the list of wireless devices (previously “2.4 and 5.1 GHz wireless devices”) to:
    • wireless devices of any protocol that transmit on any Wi-Fi band or any frequency in the Citizens Broadband Radio Service (CBRS) band

Last updated: 03/15/2023 - 7:26am

The External Physical Network Connections Procedures and the Connecting Network Equipment Procedures were combined into the Connecting Network Equipment Procedures.

  • Added sentence fragment about external physical networks to the second paragraph.
  • Combined items in the “Standards” and “Procedures” section for the three areas (ITS-Managed Wired and Wireless Networks, and HIT-Managed Wired and Wireless Networks) of the documents.

Last updated: 01/11/2023 - 4:56am

The standard, University Data Protection Standard, removed two exceptions: one for vulnerability scanning (Exception 268) and one for periodic scanning for Highly Sensitive Data (HSD; Exception 230). The requirement for periodic scanning for HSD was removed in the Highly Sensitive Data Protection Standard for Individual-Use Electronic Devices or Media. Technical requirements, including whole disk encryption for individual-use devices on the HSVPN, replaced the requirement for periodic scanning for HSD on such devices.

Networked-device vulnerability scans must be performed and remediated per the requirements in the Security of Network Connected Devices Standard.

Reviewing the revised standard carefully is highly recommended.


Last updated: 12/19/2022 - 1:34pm

The standard, “Granting and Restricting Elevated Workstation Privileges” (or just “Elevated Workstation Privileges”), was extensively changed and renamed to Administrative Privileges on University Endpoints Procedure. The document was changed from a standard to a procedure because it details the steps you must take to be compliant. In addition, its orientation was changed from a user-and-privilege focus to alignment with the UVA data classifications and elevated administrative privileges.

Reviewing the revised standard/new procedure carefully is highly recommended.

CHANGED

The following phrases were changed:

The tables were simplified into one small table. Please consult the actual procedure.

ADDED 

  • Procedures for endpoint managers and the difference between temporary and persistent elevated administrative privileges.
  • The requirement of an asset inventory of all endpoints on which the assigned user has elevated administrative privileges.

New Related Links were added to the procedure.

As with all our standards and procedure revisions, this one was reviewed by the Information Technology Services (ITS) directors, the Security Advisory Committee, and the Information Security leadership team, and approved by Jason Belford, CISO.

A careful review of the revised/new procedure is highly recommended.

Last updated: 12/16/2022 - 9:08am

A new procedure, Remediation of HSD in Email (O365), was reviewed by the Information Technology Services (ITS) directors, the Security Advisory Committee, and the Information Security leadership team, and approved by Jason Belford, CISO.

Please review the details of this new procedure.

Last updated: 12/15/2022 - 9:47am

The standard, University Use of Highly Sensitive Data, was extensively changed and renamed to Protection of Highly Sensitive Data Standard. The standard was revised to describe what everyone must do to protect Highly Sensitive Data (HSD), not just what the University must do. In addition, the old standard contained user procedures; this revision breaks those procedures out into their own document, the Protection of Highly Sensitive Data Procedure.

Reviewing the revised standard and new procedure carefully is highly recommended.

CHANGED

The list of items under “the University agrees to the following” in the Protecting Highly Sensitive Data During Use section was revised to state what users agree to do (or not do), rather than the University.

The item under the section “Additional Controls Governing the Use of Social Security Numbers” was included in a new section with two other items from the earlier list (and the section header removed). It was made clear that these are things the University agrees not to do with HSD in general and SSNs in particular.

Approvals Required for New Use of HSD section was moved to the Procedure document with the same heading. 

ADDED 

The Purpose and Background was revised to specify the UVA agencies and users to which it applies, as well as to add a reference to the University of Virginia Data Protection of University Information (IRM-003) policy.

The requirement, which has existed for years, to have approval prior to storing HSD on an individual-use electronic device or media.

The Procedure document did not exist before. It includes:

  • Requirement for approval before storing HSD on an individual-use electronic device or media
  • A section on the requirements for Access to UVA systems with HSD
    • All servers that have HSD are on a network that requires either the HSVPN or the HIT VPN, or have been previously approved by InfoSec.
    • HSVPN and Health Information & Technology (HIT) VPN audience and requirements
  • Additional detail about who to contact depending on what division you are in: Academic, Wise, UAO, or Health System.
  • A “Written Request Information” section that takes some information from the old standard’s “Approvals Required for New Use of HSD” section. It was expanded to include who must request approval, from whom, and providing what information.

Multiple new Related Links were added to both the standard and the procedure.

Last updated: 12/15/2022 - 9:46am

Effective October 12, 2022

The Report an Information Security Incident form had non-substantive changes to make it clearer that anyone should report any security incident involving UVA, not just employees or students at UVA.