Search This Site

 

Main menu

Policy Alerts

This page lists any significant updates that have been made to UVA information technology policies, standards, or procedures. Unless otherwise noted below, all changes are effective immediately.

We encourage you to review and familiarize yourself with these changes and encourage you to seek assistance from technology experts (i.e. Local Support Partners) in your areas or the UVA Help Desk by emailing 4help@virginia.edu or calling 434-924-4357. Background and additional information about these updated policies, standards, and procedures (PSPs) is on our Information Technology Policies, Standards, & Procedures webpage.  For questions or concerns, please speak with your Local Support Partner (LSP) or email us at it-policy@virginia.edu.

Latest IT Policy changes and updates at the University of Virginia:

[Posted: May 6, 2022 4:30 PM]

Effective: May 6, 2022 

The Information Security Risk Mangement procedure was updated to include the procedures and directions used to complete the Information Security Risk Management assessment in OneTrust for 2022.

[Posted: Apr 20, 2022 4:15 PM]

Effective: April 1, 2022 

The vulnerability scanning requirement for all network connected managed devices to be scanned has been rescinded for another six months while Information Security works to release the new solution that offers this service as required in the standard. 

Please review the details of the exception and its compensating controls as well as the standards to which this exception applies.

[Posted: Mar 14, 2022 3:15 PM]

Effective: March 14, 2022

[Posted: Jan 26, 2022 3:30 PM]

Effective: January 26, 2022

The standard, Vendor Security Review, has been amended to make clear that if a vendor will process, process, store, or transmit credit card information (aka PCI data or cardholder data (CHD)) the review of this vendor is completed by the University Payment Card Services office.  Please review this change to the standard for the details.

[Posted: Aug 3, 2021 4:00 PM]

Effective: August 3, 2021

A new standard, Responsible Disclosure was reviewed by the Information Technology Services (ITS) directors, the Security Advisory Committee, and the Information Security leadership team and approved by the VP-CIO, Virginia Evans, on March 8, 2021. 

[Posted: Jul 12, 2021 10:30 AM]

Effective: June 2, 2021

[Posted: Jun 16, 2021 3:30 PM]

Effective: May 14, 2021 

The vulnerability scanning requirement for all network connected managed devices to be scanned has been rescinded for another six months while Information Security works to provide a solution that offers this service as required in the standard. 

Please review the details of the exception and its compensating controls as well as the standards to which this exception applies.

[Posted: May 10, 2021 2:15 PM]

The Report an Information Security Incident form and its associated Report an Information Security Incident procedure had non-substantive changes to align the terms and names used to match the current titles and names (e.g., Health System instead of Medical Center), fix broken links,  and add to the list of Related Links.

[Posted: Apr 15, 2021 4:45 PM]

The electronically stored information (ESI) release standard and procedure were revised to make the University Records and Information Management (RIM) office the responsible party for

[Posted: Dec 18, 2020 3:30 PM]

Effective: December 18, 2020

The Authentication standard was substantially changed to such degree that it is not possible to list all the changes here.  Reviewing the revised standard carefully is highly recommended.

[Posted: Dec 14, 2020 12:00 PM]

Effective: December 8, 2020 

The vulnerability scanning requirement for all network connected managed devices to be scanned has been rescinded for six months while Information Security works to provide a process or solution to provide this service as required in the standard. 

Please review the details of the exception and its compensating controls as well as the standards to which this exception applies.

[Posted: Nov 24, 2020 3:30 PM]

Effective: November 24, 2020

[Posted: Nov 23, 2020 1:30 PM]

Effective: November 13, 2020 

[Posted: Nov 17, 2020 3:00 PM]

Non-substantive change

[Posted: Nov 5, 2020 5:00 PM]

Effective: November 5, 2020

This standard was substantially changed to a degree that it is not possible to list all the changes.  Reviewing the revised standard carefully is highly recommended 

Changed

  • Revised Purpose and Background section to be simpler, shorter, more readable.
  • Combined and revised the three sections
    • Security Requirements For Networked Devices,

[Posted: Oct 29, 2020 2:00 PM]

Non-Substantive change to the University Data Protection Standards

[Posted: Oct 23, 2020 2:00 PM]

Substantivie change:  On October 22, 2020, the University of Virginia's Vice-President for Research office emailed and published on their website information about prohibitions on procurement and use of certain software and services.  Of particular note for information security,  federal regulations (enacted in the 2018 NDAA, Sec.

[Posted: Sep 9, 2020 5:00 PM]

Several changes were made to the University Data Protection Standard 3.0.

Substantive changes

[Posted: Jul 1, 2020 11:30 AM]

The Electronic Access Requirements (aka Electronic Access Agreement (EAA)) was revised to add:  "I will not use UVA IT resources to access or disclose the address, email address or phone number of a student unless I have a legitimate educational interest in that information." and the definition of "legitimate educational interest".

[Posted: Apr 30, 2020 11:30 AM]

Effective April 28, 2020 

The Vendor Security Review Standard was revised to add UVA Wise to the Risk Rating and Sign-off tables.  The roles at UVA Wise that must review and sign-off on a vendor security review at UVA Wise were added to a new column in these tables. 

Pages

Subscribe to Policy Alerts

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form