Table of Contents
1. Purpose and Background
a) HSD on Individual-Use Devices or Media
b) Access to UVA systems with HSD
1) High Security VPN (HSVPN)
2) Health IT (HIT) VPN
c) Approvals Required for New Use of HSD
1) Who to contact?
2) Written Request Information
3) Completing approval
4. Related Links
5. Further Guidance
REVISION HISTORY: New 12/2/2022
1. Purpose and Background
The University of Virginia Data Protection of University Information (IRM-003) policy requires that all departments and users who access, collect, display, generate, process, store, or transmit highly sensitive data (HSD) follow UVA policies, standards, and procedures as well as federal and state laws and regulations, and contractual obligations to ensure the highest level of security and confidentiality is applied to HSD.
This procedure details the requirements that must be followed to safeguard HSD while engaging in any processes involving these data. This procedure applies to all who access, collect, display, generate, process, store, or transmit highly sensitive data (HSD) on behalf of the University, in the Academic Division, the University of Virginia Health System, University of Virginia’s College at Wise (Wise), and University Associated-Organizations (UAOs).
HSD on Individual-Use Devices or Media
Before highly sensitive data (HSD) can be stored on any individual-use electronic device or media, approval for such storage must be granted. This requirement applies to the Academic Division, the College at Wise, University Associated-Organizations, and Health System users.
The Highly Sensitive Data Protection for Individual-Use Electronic Devices or Media standard provides information about requirements for the request and storage of HSD on an individual-use electronic device (e.g., laptop) or media (e.g., USB thumb drive), regardless of who owns the device or media.
Access to UVA systems with HSD
Any server, device, or system designed to be accessed by multiple users simultaneously that accesses, collects, displays, generates, processes, stores, or transmits highly sensitive data (HSD) must be on a network that:
- uses the UVA High Security Virtual Private Network (HSVPN), or
- uses the Health Information and Technology (HIT) Virtual Private Network (VPN), or
- has been reviewed and approved by the University Information Security office.
Both the UVA High Security Virtual Private Network (HSVPN) and the Health Information and Technology (HIT) Virtual Private Network (VPN) require the installation of assessment software that checks the security posture of the device each time it connects to the VPN. Below are the details for each UVA VPN.
High Security VPN (HSVPN)
- Audience: Any user accessing Highly Sensitive Data (HSD) on an academic resource.
- Example: Ivy Secure Environment
- UVA digital certificate (If you've connected to UVA WiFi on Grounds within the last few months, you likely have one.)
- Cisco AnyConnect client
- OPSWAT client
- Additional requirements for the High Security VPN
Health Information and Technology (HIT) VPN
- Audience: Health System users accessing restricted Health System resources.
- Example: EPIC
Approvals Required for New Uses of HSD
The following must be approved prior to implementation:
- Any new business process using any system or process that has not been previously reviewed by the University Information Security office for the collection, generation, transmission, display, processing, or storage of HSD;
- Any new business process or system that is mission critical; and/or
- Any new business process that involves engaging a third-party vendor who will access, collect, display, generate, process, store, or transmit HSD and/or provide services/systems that are mission critical. See the Vendor Security Review standard for details.
Who to contact
Anyone in the UVA Academic Division, the UVA’s College at Wise, or a University-Associated Organization (UAO) initiates a request by emailing the University Information Security office at IT-Compliance@virginia.edu.
Anyone in the Health System initiates a request by emailing the Health Information and Technology Information Security office at MCCSecurity@hscmail.mcc.virginia.edu.
Written Request Information
The written request must include the following information:
- Essential business need for the proposed use of HSD or mission critical service;
- Detailed description of how the HSD will be accessed, collected, displayed, generated, processed, stored, and/or transmitted, including any hardware or software involved;
- Name and contact information of both the requestor and a technical contact for the department/area;
- If a third-party vendor is used, a Service Organization Control 2 (SOC 2) Type II report must be submitted PRIOR to procurement as required by the Vendor Security Review Standard.
After initial approval by the appropriate Information Security office, the following approvals must be obtained before proceeding with the proposed use of HSD.
- Approval from the appropriate Data Trustee, Data Steward, or Deputy Data Steward who has responsibility for the HSD repository to be accessed.
- Approval of the vice president or dean responsible for the department making the request.
Approvals must be stored by the requestor and affiliated department for subsequent audit purposes.
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Data Protection of University Information (IRM-003)
- Electronic Data Removal Procedure
- Health Information and Technology Virtual Private Network (VPN) standard
- Health Information and Technology VPN posture check requirements
- Highly Sensitive Data Protection Standard for Individual-Use Electronic Devices or Media
- Protection of Highly Sensitive Data Standard
- Records Management Policy
- University Data Protection Standards
- UVa Facilities Management Surplus Property
- UVa Procurement's Purchasing Terms and Conditions
- UVa Procurement's Data Protection addendum (PDF)
- UVa Procurement's Business Associate Addendum
- Vendor Security Review Standard
5. Further Guidance
- Taking your electronic device or media out of the USA: https://export.virginia.edu/faqs#answer002
- Leaving UVa - computer accounts and University-licensed software
- Faculty Departure Checklist: https://provost.virginia.edu/academic-policies/faculty-departure-checklist-pdf
- Staff Off-boarding Checklist: https://hr.virginia.edu/careers-uva/onboarding-offboarding
If you cannot meet this procedure’s requirements, you must use the policy exception request process.