Using Isora for Compliance Reviews

Why did we change our GRC tool?

To improve transparency and communication throughout the compliance review process, the UVA Information Security Compliance Team has transitioned from OneTrust to Isora. This new platform allows users greater visibility into each stage of the review, enabling them to check the status and track progress in real time. Additionally, Isora enhances collaboration by keeping users more closely involved in communications with vendors, ensuring a smoother and more interactive review experience. The following guide provides steps for accessing and using Isora to meet your compliance needs efficiently.

Do you need a Compliance Review?

According to the University Data Protection Standards 3.0, only vendors handling highly sensitive or mission-critical data that is processed, stored, or transmitted in the cloud must be reviewed by UVA IT Compliance before the product or service is purchased and/or used. Any vendor handling highly sensitive data must be reviewed annually. In addition, when using new business cases for sharing data, business purposes, or contracts, a compliance review is required before procurement or implementation. If you are still not sure whether you need a compliance review, please contact the InfoSec Compliance Team at [email protected] for additional assistance.

You can explore our infographic on this topic here.

Accessing Isora

  1. Platform URL: Go to https://in.virginia.edu/it-compliance-portal. (To access the full menu of options for Isora, click here.)
  2. Login Requirements: Use your UVA Netbadge credentials to log in.
    (If you did not have access to the OneTrust GRC tool and have not yet accessed Isora, please refer to the "Requesting Access" section to initiate the necessary role for portal access.)
 

Requesting Access

First-Time Users: If you are new to Isora and have not previously accessed OneTrust, UVA's former GRC tool, please email [email protected]. Netbadge access is required before the necessary role can be assigned.

Returning Users: If you previously had access to OneTrust (the former GRC tool), you should be able to access the IT Compliance Portal using Netbadge. Roles have been pre-assigned to users who were active on the OneTrust platform.

 

Initiating a Compliance Review

Watch the tutorial below for a detailed, step-by-step walkthrough on initiating a compliance review in Isora. If you have any questions, do not hesitate to contact us at [email protected].
 

How to Initiate a Cloud Vendor Review:
 

What to Expect During the Process

Initial Assessment: After submitting your request, you’ll be responsible for notifying the vendor and providing them with a link to the assessment they need to complete. You’ll receive an email from [email protected] with a template to send to the vendor, explaining the assessment and providing access instructions.

Follow-Up Steps: You can log into the IT Compliance Portal at any time to check the status of your assessment request. The status will update to "Completed" once the vendor has submitted the necessary information.

Completion Timeline: Standard reviews typically take 1-2 business days after the vendor completes the assessment, though vendors requiring sign-off may require additional time.

 

Frequently Asked Questions

Which vendors need a compliance review and how often should reviews be conducted?

All third-party vendors with access to UVA data, including cloud vendors and consultants, should undergo a compliance review. However, per the University Data Protection Standards 3.0, only vendors handling sensitive, highly sensitive, or mission-critical data are required to be reviewed by UVA IT Compliance before the product or service is purchased or used. Vendors handling highly sensitive data must also undergo an annual review, initiated by the department using the same process as an initial vendor review. Please note that even if a vendor review already exists in Isora, each department must still complete a separate review, as use cases and features may differ by department.

What happens after I launch the vendor assessment?

You will receive an email from [email protected] containing a template to notify the vendor about the required assessment. You can log into Isora to track the assessment's status. If the assessment remains incomplete after some time, consider following up with the vendor. An Isora "How-To" page is available for vendors to assist with completing the assessment. The link for this page is https://help.isora.saltycloud.com/en/articles/survey-questionnaire. For any questions they may have about the Isora assessment, vendors can reach out to the InfoSec Compliance Team at [email protected].

How long does the review process take?

The timeline depends on the vendor. You can monitor the vendor’s progress by logging into Isora and may follow up with them directly regarding the status of the assessment. Vendors can direct any questions to [email protected]. In general, vendors with mature Information Security practices tend to complete the review process more quickly than those without established practices. Do not hesitate to reach out to them after a week has passed.

Will I get an email once the review is complete?

Yes, although the next steps for your review will depend on the data and context. If the vendor you submitted is processing Highly Sensitive Data or has been designated as mission critical, then a sign-off process may be necessary after the review (see the Vendor Security Review standard). Otherwise, if no further steps are required, you will receive an email indicating the outcome of the review.

How should I give my vendor a heads up about the review?

You’ll receive an email from [email protected] with a subject line similar to, “A <data classification> vendor assessment for <vendor name> has been launched.” This email will include instructions and a template you can use to notify your vendor about the upcoming review. The specific data classification and vendor name you provided when initiating the assessment will appear in place of the placeholders in the subject line.