Policy Alerts

Effective: September 21, 2022 the Accounts Provisioning and Deprovisioning standard webpage had non-substantive changes to remove references to ESharp and instead point users to the replacement information on the ITS website.  

Effective: September 12, 2022 

On September 12, 2022, the Electronically Stored Information Release procedure webpage had non-substantive changes to the contact email and phone number for the Vice-President of Student Affairs office.  Also, the reference to the UVA Policy on Sexual and Gender-Based Harassment and Other Forms of Interpersonal Violence was dropped. 

Effective: June 1, 2022 

On June 1, 2022 the Information Security Risk Mangement standard was updated to remove the requirement for a department head to sign-off on the final departmental ISRM report.

Also revised to remove the use of email to contact departments as well as a survey to complete the Information Security Risk Management assessment.  A tool, OneTrust, is used to complete the ISRM assessment. The phrase "information security" replaced where IT or Information Technology was used to refer to the information security risk assessment.

Please review the details of this standard as well as the procedure with which it is associated.

Effective: June 1,  2022 

On June 1, 2022 the Security of Network-Connected Devices standard had a non-substantive change that aligned the names and numbers of the severity of a security vulnerability to the names and numbers that Qualys, the vulnerability management software, uses in the additional requirements section of the standard.

Effective: June 1, 2022 

On June 1, 2022 the Policy, Standards, and Procedures Exceptions Process webpage had non-substantive changes to identify the appropriate name of the reviewing group and drop the parenthetical comment about the Highly sensitive data (HSD) request form that the Exception process replaces. 

Effective: May 6, 2022 

The Information Security Risk Mangement procedure was updated to include the procedures and directions used to complete the Information Security Risk Management assessment in OneTrust for 2022.

In addition, the word "survey" was replaced with "tool" and "information security"  replaced where IT or Information Technology was used to refer to the information security risk assessment.

Please review the details of this procedure as well as the standard with which it is associated.

Effective: April 1, 2022 

The vulnerability scanning requirement for all network connected managed devices to be scanned has been rescinded for another six months while Information Security works to release the new solution that offers this service as required in the standard. 

Please review the details of the exception and its compensating controls as well as the standards to which this exception applies.

Effective: March 14, 2022

The Authentication standard, has been amended to make clear that all administrators or those who create accounts of any kind must follow the standard.  Also added is a statement to require the use of  UVA approved single-sign-on (SSO) applications (e.g., Netbadge) if you're accepting UVA or UVA Health passwords.  As well as slight changes for clarity to the two tables and clear statement that the HSVPN is required for user access to HSD in the Academic Division.  Please review these changes to the standard for the details.

This change approved by the VP-CIO, Virginia Evans, on January 5, 2022

Effective: January 26, 2022

The standard, Vendor Security Review, has been amended to make clear that if a vendor will process, process, store, or transmit credit card information (aka PCI data or cardholder data (CHD)) the review of this vendor is completed by the University Payment Card Services office.  Please review this change to the standard for the details.

This change approved by the VP-CIO, Virginia Evans, on January 21, 2022

Effective: August 3, 2021

A new standard, Responsible Disclosure was reviewed by the Information Technology Services (ITS) directors, the Security Advisory Committee, and the Information Security leadership team and approved by the VP-CIO, Virginia Evans, on March 8, 2021. 

Please review the details of this new standard.