Search This Site


Main menu

Policy Alerts

This page lists any significant updates that have been made to UVA information technology policies, standards, or procedures.  By clicking the button below, you can sign-up to receive an emaill notice whenever a new policy alert is created.  Unless otherwise noted below, all changes are effective immediately.

We encourage you to review and familiarize yourself with these changes and encourage you to seek assistance from technology experts (i.e. Local Support Partners) in your areas or the UVA Help Desk by emailing [email protected] or calling 434-924-4357. Background and additional information about these updated policies, standards, and procedures (PSPs) is on our Information Technology Policies, Standards, & Procedures webpage.  For questions or concerns, please speak with your Local Support Partner (LSP) or email us at [email protected].  

Subscribe or manage policy alerts email

Latest IT Policy changes and updates at the University of Virginia:

[Posted: Mar 24, 2023 11:45 AM]

A new standard, Email Alias Standard was reviewed by the Information Technology Services (ITS) directors, the Security Advisory Committee, and the Information Security leadership team and approved by the Dana German CIO.

Please review the details of this new standard

[Posted: Mar 14, 2023 1:15 PM]

The standard, Security of Network-Connected Devices Standard, was extensively changed and renamed to Security of Connected Devices Standard.

Reviewing carefully the revised standard and is highly recommended.


Title of the standard to “Security of Connected Devices”

First subtitle dropped ‘Network-“and added “All” so title is: “Security Requirements for All Connected Devices”

[Posted: Mar 15, 2023 11:15 AM]

The External Physical Network Connections Procedures and Connecting Network Equipment Procedures are combined into Connecting Network Equipment Procedures.

• Added sentence fragment about external physical networks to the second paragraph.

• Combined items in the “Standards” and “Procedures” section for the three areas (ITS-Managed Wired and Wireless Networks, and HIT-Managed Wired and Wireless Networks) of the documents.

[Posted: Jan 11, 2023 9:30 AM]

The standard, University Data Protection Standard, removed the two exceptions, one for vulnerability scanning (Exception 268)  and one for periodic scanning for Highly Sensitive Data (HSD; Exception 230).  The requirement for periodic scanning for 

[Posted: Dec 19, 2022 4:45 PM]

The standard, “Granting and Restricting Elevated Workstation Privileges", (or just "Elevated Workstation Privileges") was extensively changed and renamed to Administrative Privileges on University Endpoints Procedure.   The document was changed from a standard to a procedure because it details what steps you must

[Posted: Dec 15, 2022 2:45 PM]

A new procedure, Remediation of HSD in Email (O365) was reviewed by the Information Technology Services (ITS) directors, the Security Advisory Committee, and the Information Security leadership team and approved by the Jason Belford, CISO.

Please review the details of this new procedure

[Posted: Dec 2, 2022 3:15 PM]

The standard, University Use of Highly Sensitive Data, was extensively change and renamed to Protection of Highly Sensitive Data Standard.   The standard was revised to describe what everyone must do to protect Highly Sensitive Data (HSD), not just what the University must do

[Posted: Nov 1, 2022 4:15 PM]

The Electronic Access Requirements standard had non-substantive changes related to the elimination of the need for a paper version (aka Electronic Access Agreement). The first sentence that is under "2.

[Posted: Oct 12, 2022 3:15 PM]

Effective October 12, 2022

The Report an Information Security Incident form had non-substantive changes to make it more clear that anyone should report any security incident involving UVA, not just employees or students at UVA.

[Posted: Sep 12, 2022 4:45 PM]

Effective: September 12, 2022 

On September 12, 2022, the Electronically Stored Information Release procedure webpage had non-substantive changes to the contact email and phone number for the Vice-President of Student Affairs office.  Also, the reference to the UVA Policy on Sexual and Gender-Based Harassment and Other Forms of Interpersonal Violence was dropped. 

[Posted: Aug 15, 2022 2:30 PM]

Effective: June 1,  2022 

On June 1, 2022 the Security of Network-Connected Devices standard had a non-substantive change that aligned the names and numbers of the severity of a security vulnerability to the names and numbers that Qualys, the vulnerability management software, uses in the additional requirements section of the standard.

[Posted: Aug 15, 2022 12:15 PM]

Effective: June 1, 2022 

On June 1, 2022 the Policy, Standards, and Procedures Exceptions Process webpage had non-substantive changes to identify the appropriate name of the reviewing group and drop the parenthetical comment about the Highly sensitive data (HSD) request form that the Exception process replaces. 

[Posted: Aug 15, 2022 11:45 AM]

Effective: June 1, 2022 

On June 1, 2022 the Information Security Risk Mangement standard was updated to remove the requirement for a department head to sign-off on the final departmental ISRM report.

[Posted: May 6, 2022 4:30 PM]

Effective: May 6, 2022 

The Information Security Risk Mangement procedure was updated to include the procedures and directions used to complete the Information Security Risk Management assessment in OneTrust for 2022.

In addition, the word "survey" was replaced with "tool" and "information security"  replaced where IT or Information Technology was used to refer to the information security risk assessment.

[Posted: Apr 20, 2022 4:15 PM]

Effective: April 1, 2022 

The vulnerability scanning requirement for all network connected managed devices to be scanned has been rescinded for another six months while Information Security works to release the new solution that offers this service as required in the standard. 

Please review the details of the exception and its compensating controls as well as the standards to which this exception applies.

[Posted: Mar 14, 2022 3:15 PM]

Effective: March 14, 2022

[Posted: Jan 26, 2022 3:30 PM]

Effective: January 26, 2022

The standard, Vendor Security Review, has been amended to make clear that if a vendor will process, process, store, or transmit credit card information (aka PCI data or cardholder data (CHD)) the review of this vendor is completed by the University Payment Card Services office.  Please review this change to the standard for the details.

[Posted: Aug 3, 2021 4:00 PM]

Effective: August 3, 2021

A new standard, Responsible Disclosure was reviewed by the Information Technology Services (ITS) directors, the Security Advisory Committee, and the Information Security leadership team and approved by the VP-CIO, Virginia Evans, on March 8, 2021. 


Subscribe to Policy Alerts

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form