Effective February 12, 2020
The External Assessment Review Procedure has been revised based on feedback from a committee of stakeholders. It is now a standard, named the Vendor Security Review Standard.
While it went from a procedure to a standard, most of the requirements from the procedure remain unchanged.
--------- Read More ---------------------
What was changed:
1. Specify the timeframe around which a SOC 2 assessment or other external assessment is valid: The vendor’s SOC 2 Type II report must cover a time period within 6-months of the request from UVA. If the SOC 2 Type II report is not within six months of the date requested, then the vendor must provide a bridge letter.
2. Specify the criteria for a vendor's alternative (e.g.,., not a SOC 2) assessment and alternatives if no external assessment from the vendor is available (https://security.virginia.edu/vendor-security-review-standard#2.2)
3. Change the Risk Review and sign-off to a table that more clearly delineates who must review and sign-off at each level risk assessment (high, medium, or low) (https://security.virginia.edu/vendor-security-review-standard#3%20Risk).
4. Changes reviewed and approved by the Chief Information Officer (CIO), a change from the procedure which was approved by the Chief Information Security Officer (CISO).
References to the old, superseded, External Assessment Review Procedure, in other policies, standards, and procedures are being updated to the new Vendor Security Review Standard.
Questions and concerns should be directed to IT-Policy@virginia.edu