Search Information Security site


Main menu

Policy Alerts

This page lists any significant updates that have been made to UVA information technology policies, standards, or procedures. Unless otherwise noted below, all changes are effective immediately.

We encourage you to review and familiarize yourself with these changes and encourage you to seek assistance from technology experts (i.e. Local Support Partners) in your areas or the UVA Help Desk by emailing [email protected] or calling 434-924-4357. Background and additional information about these updated policies, standards, and procedures (PSPs) is on our Information Technology Policies, Standards, & Procedures webpage.  For questions or concerns, please speak with your Local Support Partner (LSP) or email us at [email protected].

Latest IT Policy changes and updates at the University of Virginia:

[Posted: Apr 15, 2021 4:45 PM]

The electronically stored information (ESI) release standard and procedure were revised to make the University Records and Information Management (RIM) office the responsible party for

[Posted: Dec 18, 2020 3:30 PM]

Effective: December 18, 2020

The Authentication standard was substantially changed to such degree that it is not possible to list all the changes here.  Reviewing the revised standard carefully is highly recommended.

[Posted: Dec 14, 2020 12:00 PM]

Effective: December 8, 2020 

The vulnerability scanning requirement for all network connected managed devices to be scanned has been rescinded for six months while Information Security works to provide a process or solution to provide this service as required in the standard. 

Please review the details of the exception and its compensating controls as well as the standards to which this exception applies.

[Posted: Nov 24, 2020 3:30 PM]

Effective: November 24, 2020

[Posted: Nov 23, 2020 1:30 PM]

Effective: November 13, 2020 

[Posted: Nov 17, 2020 3:00 PM]

Non-substantive change

[Posted: Nov 5, 2020 5:00 PM]

Effective: November 5, 2020

This standard was substantially changed to a degree that it is not possible to list all the changes.  Reviewing the revised standard carefully is highly recommended 


  • Revised Purpose and Background section to be simpler, shorter, more readable.
  • Combined and revised the three sections
    • Security Requirements For Networked Devices,

[Posted: Oct 29, 2020 2:00 PM]

Non-Substantive change to the University Data Protection Standards

[Posted: Oct 23, 2020 2:00 PM]

Substantivie change:  On October 22, 2020, the University of Virginia's Vice-President for Research office emailed and published on their website information about prohibitions on procurement and use of certain software and services.  Of particular note for information security,  federal regulations (enacted in the 2018 NDAA, Sec.

[Posted: Sep 9, 2020 5:00 PM]

Several changes were made to the University Data Protection Standard 3.0.

Substantive changes

[Posted: Jul 1, 2020 11:30 AM]

The Electronic Access Requirements (aka Electronic Access Agreement (EAA)) was revised to add:  "I will not use UVA IT resources to access or disclose the address, email address or phone number of a student unless I have a legitimate educational interest in that information." and the definition of "legitimate educational interest".

[Posted: Apr 30, 2020 11:30 AM]

Effective April 28, 2020 

The Vendor Security Review Standard was revised to add UVA Wise to the Risk Rating and Sign-off tables.  The roles at UVA Wise that must review and sign-off on a vendor security review at UVA Wise were added to a new column in these tables. 

[Posted: Mar 20, 2020 8:40 AM]

Effective March 20, 2020

Non-Substantive change: The term moderately sensitive data has been changed to sensitive dataThe definition remains the same.

Data, records, and files that:

[Posted: Mar 10, 2020 1:45 PM]

Effective February 12, 2020
The External Assessment Review Procedure has been revised based on feedback from a committee of stakeholders.  It is now a standard, named the Vendor Security Review Standard.
While it went from a procedure to a standard, most of the requirements from the procedure remain unchanged.  

---------  Read More  ---------------------

What was changed: 

[Posted: Feb 13, 2020 1:45 PM]

The Electronic Access Requirements standard (aka Electronic Access Agreement) had non-substantive changes to fix broken links, add to the list of Related Links and explicitly reference the University's Acceptable Use of the University’s Information Technology Resources (IRM-002) policy in the standard's Purpose and Background section.

[Posted: Jan 28, 2020 10:45 AM]

Our webpage on the ITS Guidance for Use of Personal Accounts or Redirection for University Email has been updated to re-direct you to the ITS webpage on the same topic - ITS Guidance for Use of Personal Accounts or Redirection for University Email (KB0012593)  Our webpage listed the same information that was on the ITS webpage, so to reduce confusion and out-of-sync information, we are referring to their webpage. 

[Posted: Jan 17, 2020 2:13 PM]

The Accounts Provisioning & Deprovisioning Guidance webpage was edited to removed the table that listed Affiliation, Obtain or Activate Accounts and Account Expiration and redirect readers to the ITS webpage that lists this same information - the ITS Accounts & Access webpage 

Subscribe to Policy Alerts

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form