Policy Alerts

This page lists any significant updates that have been made to UVA information technology policies, standards, or procedures.  By clicking the button below, you can sign up to receive an email notice whenever a new policy alert is created.  Unless otherwise noted below, all changes are effective immediately.

We encourage you to review and familiarize yourself with these changes and to seek assistance from the technology experts (e.g., Local Support Partners) in your area or from the UVA Help Desk by emailing [email protected] or calling 434-924-4357. Background and additional information about these updated policies, standards, and procedures (PSPs) is on our Information Technology Policies, Standards, & Procedures webpage.  For questions or concerns, please speak with your Local Support Partner (LSP) or email us at [email protected].

Subscribe or manage policy alerts email

Latest IT Policy changes and updates at the University of Virginia:

Last updated: 06/16/2021 - 11:39am

Effective: May 14, 2021 

The requirement that all network-connected managed devices be vulnerability scanned has been rescinded for another six months while Information Security works to provide a solution that offers this service as required in the standard.

Please review the details of the exception and its compensating controls as well as the standards to which this exception applies.

Last updated: 05/10/2021 - 10:58am

The Report an Information Security Incident form and its associated Report an Information Security Incident procedure had non-substantive changes to align the terms and names used with current titles and names (e.g., Health System instead of Medical Center), fix broken links, and add to the list of Related Links.

Last updated: 04/15/2021 - 1:15pm

The electronically stored information (ESI) release standard and procedure were revised to make the University Records and Information Management (RIM) office the responsible party for ESI release requests. Therefore, anywhere the ESI release standard and procedure said to email University Information Security's IT Compliance group about an ESI request was replaced with instructions to submit the request via the RIM office's Request for Electronically Stored Information (ESI) form in ITS ServiceNow.

Questions and concerns about these revisions should be emailed to [email protected]

 

Last updated: 12/18/2020 - 10:56am

Effective: December 18, 2020

The Authentication standard was substantially changed to such degree that it is not possible to list all the changes here.  Reviewing the revised standard carefully is highly recommended.

CHANGED

  • All references to "UVA Identity Token combined with JointVPN or HSVPN connection" were replaced with "UVA-approved two-factor authentication (e.g. Duo-based High Security VPN)".
  • "physical token" was changed to "hardware token" to be consistent with terminology elsewhere in the standard.
  • Minimum password length and complexity changed from 8 characters with three of four character classes (or more than 20 characters with two character classes) to 12 characters with three of four character classes.
  • "should" was changed to "must" in the requirement that the current password differ from the user's previous 24 passwords.
  • Clarified and defined the difference between an administrative account and a service account.
  • Overall format of sections changed from bulleted items to two tables listing requirements.
  • The Purpose and Background was revised to specify the policy under which this standard falls (IRM-002).
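As an added illustration, and not text from the standard or code from UVA, the following Python checks a candidate password against the old and new rules summarized above and shows one way to enforce the "must differ from the previous 24 passwords" requirement without keeping any clear-text password on file (only salted PBKDF2 hashes are stored). The four character classes, the PBKDF2 parameters, and the history depth are assumptions made for this example, not UVA's implementation.

```python
import hashlib
import hmac
import os
import string

# Assumed character classes for "three of four character classes" rules.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Assumed history depth, matching the "previous 24 passwords" requirement.
HISTORY_DEPTH = 24
# Illustrative PBKDF2 work factor; a production system would tune this.
PBKDF2_ITERATIONS = 50_000


def classes_present(password):
    """Return the names of the character classes that occur in password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_old_rule(password):
    """Pre-December-2020 rule as described on this page: at least 8 characters
    with three of four classes, OR more than 20 characters with two classes."""
    n = len(classes_present(password))
    return (len(password) >= 8 and n >= 3) or (len(password) > 20 and n >= 2)


def meets_new_rule(password):
    """Rule effective December 18, 2020: at least 12 characters with three of
    four classes. Note the long-passphrase alternative no longer applies."""
    return len(password) >= 12 and len(classes_present(password)) >= 3


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256 of the password (illustrative parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class PasswordHistory:
    """Keeps salted hashes of a user's most recent passwords so that the
    'differ from previous N passwords' check never stores clear text."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self._entries = []  # list of (salt, hash), oldest first

    def was_used(self, password):
        """True if password matches any stored entry (constant-time compare)."""
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password):
        """Store a fresh salted hash and drop entries beyond the depth."""
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        del self._entries[:-self.depth]


def change_password(history, candidate):
    """Apply the new complexity rule plus the history rule.
    Returns (accepted, reason); on acceptance the password is recorded."""
    if not meets_new_rule(candidate):
        return False, "needs 12+ characters and 3 of 4 character classes"
    if history.was_used(candidate):
        return False, "matches one of the previous %d passwords" % history.depth
    history.record(candidate)
    return True, "accepted"
```

The pair `meets_old_rule` / `meets_new_rule` makes the practical effect of the change visible: a long two-class passphrase such as `correct-horse-battery-staple` passed the old rule via the "more than 20 characters" path but fails the new one, while a 12-character, three-class password passes both.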

ADDED 

  • Clear text passwords or passcodes must never be sent via email or printed.
  • Changed the format of the User Authentication Requirements from bulleted text to two tables to simplify and make easier to understand.
  • Required Reporting  section.
  • Multiple new Related Links were added.  

REMOVED

 

Last updated: 12/18/2020 - 10:33am

Effective: November 24, 2020

The standard and procedure for Highly Sensitive Data Protection for Individual-Use Electronic Devices or Media were extensively changed. The procedure was removed because it has been superseded by the Policy, Standards, and Procedures Exceptions standard as the way to request storage of HSD on individual-use electronic devices and media.  The existing Highly Sensitive Data Protection Standard for Individual-Use Electronic Devices or Media was changed to such a degree that it is not possible to list all the changes here.  Reviewing the revised standard carefully is highly recommended.

CHANGED

The section of the procedure titled Destruction of Official University Records was renamed Secure Deletion of Files, and items about data removal were added to it.
 

ADDED 

The Purpose and Background was revised to specify the UVA agencies and users to which it applies and to reference the University's Data Protection of University Information policy (IRM-003).

Four new sections (some items from old sections of the standard and procedure were incorporated into them):

  • User’s Responsibilities 
  • Required Approval for Storage of HSD on any individual-use electronic device or media
  • Required Reporting of the Loss of Highly Sensitive Data (HSD)
  • Secure Deletion of Files

Unauthorized disclosure was included and defined. 

Multiple new Related Links were added.  

REMOVED

The section FINDING AND REMOVING HIGHLY SENSITIVE DATA (HSD), which included a requirement for quarterly scanning of individual-use devices for HSD and remediation if found. This section was removed because:

  • the requirement is covered in the University Data Protection Standards;
  • it is not appropriate in this standard because, if storage of HSD is approved, scanning for HSD is not required (or necessary);
  • it is better covered in the "Protection of HSD" standard that is being revised from the current University Use of HSD standard.

The section in the Procedure: REQUIRED SAFEGUARDS FOR STORAGE OF HSD ON INDIVIDUAL-USE ELECTRONIC DEVICES OR MEDIA was revised and incorporated into a new section.

RELATED LINKS: 

  • Highly Sensitive Data on Individual Use Procedure
  • Highly Sensitive Data Storage Request Form (approvalform.doc) [no longer needed; use the Exception Request process instead]

Last updated: 12/14/2020 - 8:42am

Effective: December 8, 2020 

The requirement that all network-connected managed devices be vulnerability scanned has been rescinded for six months while Information Security works to provide a process or solution that offers this service as required in the standard.

Please review the details of the exception and its compensating controls as well as the standards to which this exception applies.

Last updated: 11/24/2020 - 5:51am

Effective: November 13, 2020 

The quarterly scanning requirement has been rescinded for six months while Information Security explores alternatives to Data Loss Prevention (DLP) tools for Highly Sensitive Data (HSD) scanning.

This exception (EXCEPT0000200) applies only to new installations. Devices that already have Identity Finder (IDF) or other DLP software installed and running are still required to perform quarterly scans and remediate any HSD found, per the University Data Protection Standard (UDPS) and other standards and procedures.

Please review the details of the exception and its compensating controls as well as the standards and procedures to which this exception applies.

Last updated: 11/17/2020 - 11:06am

Non-substantive change

In the Information Security Risk Management Standard and Procedure, under Purpose and Background, removed the phrase "which includes updating the department’s mission, business continuity, and disaster recovery plans."

In the University Data Protection Standard (UDPS), in the "Assessing and Managing Risk" table, changed the phrase:
"The department must complete an IT security risk assessment, including updating the department’s mission, business continuity, and disaster recovery plans annually . . . "

to say "and update".  The phrase becomes:  "The department must complete an IT security risk assessment and update the department’s mission, business continuity, and disaster recovery plans annually . . . "

All three of these changes were made to separate the requirement into two distinct requirements: completion of the Information Security Risk Management (IS-RM) assessment, and update of the department’s mission, business continuity, and disaster recovery plans.  This clarifies that collection of a department's mission, business continuity, and disaster recovery plans is not part of the IS-RM tool or process.

The Office of Emergency Management is responsible for the departmental mission, business continuity, and disaster recovery plans. They plan to put this requirement in their policy sometime in 2021.
 

Last updated: 11/16/2020 - 5:34am

The Electronic Access Requirements (aka Electronic Access Agreement (EAA)) was revised to add:  "I will not use UVA IT resources to access or disclose the address, email address or phone number of a student unless I have a legitimate educational interest in that information." and the definition of "legitimate educational interest".

Also made non-substantive changes to ensure all applicable areas are listed (i.e., UVA-Wise, UVA Academic Division, UVA Medical Center, and UVA Physicians Group) and to make sure phrases are parallel between the online/HTML version (Electronic Access Requirements standard) and the Electronic Access Agreement (EAA) PDF version. The PDF of the EAA was updated to be consistent with the online version.

Questions and concerns should be directed to [email protected] 

 

Last updated: 11/16/2020 - 5:31am

Effective: November 5, 2020

This standard was substantially changed, to a degree that it is not possible to list all the changes.  Reviewing the revised standard carefully is highly recommended.

Changed

  • Revised Purpose and Background section to be simpler, shorter, and more readable.
  • Combined and revised the three sections
    • Security Requirements For Networked Devices
    • Minimum Security Requirements For UVA Devices
    • Minimum Security Requirements For Personally-Owned Devices
    into the new section Security Requirements For All Network Connected Devices, and incorporated the sub-sections Devices Accessing University Data and Individually Managed University Devices into this new section by revising the items into bulleted lists for clarity and ease of reference.

Added

Not all additions are listed. Again, reviewing the revised standard carefully is highly recommended. 

Removed 

Not all items removed are listed. Again, reviewing the revised standard carefully is highly recommended. 

  • The Highly Sensitive Data (HSD) Requirements section was removed.  The Use of HSD standard addresses these items.