Published on Information Security at UVA (https://security.virginia.edu)


Requesting a Review - OneTrust

Requesting an IT Compliance Review

Initiating an Information Security Compliance review (such as for a cloud vendor or a UVA-hosted application) is now really easy!  Just follow the steps below.

1. Visit the UVA OneTrust Self Service portal [1]

2. Type in your UVA email address and click “Next” to log in through Netbadge

3. Click on the grid icon at the top left of your screen

4. Select "Self-Service Portal"

5. If you are not sure what service you require, please click "Launch" on the "Review Request" tile. If you are specifically requesting a Third-Party Cloud Vendor review, please click "Launch" on the "Third Party Cloud Vendor Assessment" tile.

6. Complete the form and be sure to hit Submit. (If you are unable to submit, check that all required fields are completed.)

7. Depending on the option you select, a second form may need to be completed. Please check your email for confirmation that your request for a review (e.g. IRB-SBS Data Security Plan Review, Third Party Cloud Vendor Review) has been approved and that additional work is waiting for you in OneTrust.

NOTE: When completing some fields, such as a vendor name or the vendor contact email, you may need to click "Add Option" beneath the text field after you finish typing.

 

Frequently Asked Questions

 

Under what conditions is a review required for a vendor?

Cloud vendors handling non-public UVA information generally must be reviewed.  If you are uncertain whether or not a review is required in your case, check out our purchaser FAQ [2].

What do I need to know to complete the vendor onboarding form?

The most important pieces of information you will need to know are as follows: the name of the service, the name of the vendor providing the service, and an email address for a specific point of contact with the vendor. 

What happens after I submit the vendor onboarding form?

An email will automatically be sent to the vendor contact email you provided.  Before submitting the form, be sure to notify your contact with the vendor that they will be receiving an email from OneTrust.  This helps to keep the review on track.

My contact cannot find the email.  Can you resend it?

Certainly!  Email it-compliance@virginia.edu [3] and we can resend the email. 

How long does the review process take?

This is largely dependent on the vendor.  The IT Compliance team typically sends information requests back to the vendor within five business days of receiving the initial submission.  In general, vendors with more mature Information Security practices tend to go through the review process more quickly than vendors without established Information Security practices.

Will I get an email once the review is complete?

Yes, although the next steps for your review will be dependent on the data and context.  If the vendor you submitted is processing Highly Sensitive Data or has been designated as mission critical, then a sign-off process may be necessary after the review (see the Vendor Security Review standard [4]).  Otherwise, if no further steps are required, you and the vendor will receive an email indicating the outcome of the review.

How can I see my in-progress or completed Self-Service Portal submissions?

When you log in to OneTrust, you should see any in-progress or completed Self-Service Portal submissions in the bottom half of your screen (below the Vendor Onboarding Form launch button).

I am using the portal to submit an initial (during Procurement) review.  How should I give my vendor a heads up about the review?

Feel free to send them the template below.  Just replace "[Vendor]" with the name of your vendor and send it off to your point of contact:

"I have been notified by our Information Security team that due to the data your service handles, a review is required by UVA policy. Our Information Security team has implemented a new process for conducting these reviews which allows for an easier and more secure means for transmitting documentation.

Requests for [Vendor]’s review will be sent from “UVA IT Compliance <noreply@m.onetrust.com [5]>” with the words “Assessment Assigned” in the subject line. The email will include information and instructions for completing the review.

UVA Information Security uses the Higher Education Cloud Vendor Assessment Tool (HECVAT) for reviews.  If your organization already maintains a completed copy of the HECVAT, then you only need to complete through the Documentation section – then hit the button that says “Submit” at the bottom right.  If you do not have an up-to-date HECVAT, then please complete the full form.

Please let me know if you are not the appropriate person to receive this request. Otherwise, thank you for your assistance in helping us to comply with the University’s Vendor Security Review Standard [4]."

I am using the portal to submit an SOC 2 review.  How should I give my vendor a heads up about the review?

Feel free to send them the template below.  Just replace "[Vendor]" with the name of your vendor and send it off to your point of contact:

"I have been notified by our Information Security team that it is time for our annual review of [Vendor]’s SOC 2 report or comparable information security document. Our Information Security team has implemented a new process for collecting and reviewing this report which allows for an easier and more secure means for transmitting documentation.

Requests for [Vendor]’s SOC 2 or comparable information security document will be sent from “UVA IT Compliance <noreply@m.onetrust.com [5]>” with the words “Assessment Assigned” in the subject line. The email will include information and instructions for completing the review.

To submit the SOC 2 type 2 report, you only need to complete questions 1.2 & 4.1 (with SOC 2 report upload) – then hit the button that says “Submit” at the bottom right.  If you do not have a SOC 2 type 2 or comparable documentation, please complete the full form.

Please let me know if you are no longer the appropriate person to receive this request. Otherwise, thank you for your assistance in helping us to comply with the University’s Vendor Security Review Standard [4]."


Source URL: https://security.virginia.edu/vendor-review-self-service

Links
[1] https://app.onetrust.com/auth/login
[2] https://security.virginia.edu/purchasing-data-protection-FAQs
[3] mailto:it-compliance@virginia.edu
[4] https://security.virginia.edu/vendor-security-review-standard
[5] mailto:noreply@m.onetrust.com