I am interested in a new product or service. Does UVA Information Security need to review it?
According to the University Data Protection Standards 3.0, all suppliers handling Moderately Sensitive or Highly Sensitive Data must be reviewed by UVA Information Security before the product or service is purchased and/or used.
How do I know if the data is Moderately Sensitive Data or Highly Sensitive Data?
You can find specific examples of the data classifications in the University Data Protection Standards 3.0. If you are unsure about how to classify a particular data set, reach out to [email protected] and we can assist you in making that determination. Full definitions for UVA's data classifications are available in the University's Data Protection policy.
I need to have an Information Security review of my purchase. How do I request a review?
Email [email protected]. This will create a ticket in our system and will also ensure that our entire team of analysts can see and respond to your request.
NOTE: Do not submit a purchase requisition to PSDS until after the UVA Information Security review.
What will I need to give to Information Security for their review?
Information Security will always ask for a document called a "SOC 2", and the supplier will know what that means. It will save you some time if you go ahead and ask the supplier to provide this and have it ready when asked. This is particularly critical for prodcuts or services that will receive Highly Sensitive Data (see the External Assessment Review Procedure).
How long do reviews typically take?
This can vary depending on the responsiveness of the supplier. If a supplier is responsive and replies to requests for information and documentation in a timely fashion, then a review can take as little as five business days. On the other hand, if a supplier takes multiple weeks to reply to questions, a review could take much longer. Information Security reviews often require extensive back-and-forth, so the responsiveness of a supplier has a significant impact on the overall time it takes to perform a review. If you are working on narrow project timelines, then reach out to [email protected] as soon as you know the product or service you plan to buy.
Do I need to submit any documents to PSDS when I submit the requisition?
Yes, you will need to submit the Information Security approval document when submitting your requisition to indicate to PSDS that Information Security has already done the review. This document will also be used for auditing purposes.