Search This Site


Main menu

Substantive change: External Assessment Review Procedure now Vendor Security Review Standard

Tuesday, March 10, 2020 - 13:45

Effective February 12, 2020
The External Assessment Review Procedure has been revised based on feedback from a committee of stakeholders.  It is now a standard, named the Vendor Security Review Standard.
While it went from a procedure to a standard, most of the requirements from the procedure remain unchanged.  

---------  Read More  ---------------------

What was changed: 

1. Specify the timeframe around which a SOC 2 assessment or other external assessment is valid: The  vendor’s SOC 2 Type II report must cover a time period within 6-months of the request from UVA.  If the SOC 2 Type II report is not within six months of the date requested, then the vendor must provide a bridge letter.

2. Specify the criteria for a vendor's alternative (e.g.,., not a SOC 2) assessment and alternatives if no external assessment from the vendor is available (

3.  Change the Risk Review and sign-off to a table that more clearly delineates who must review and sign-off at each level risk assessment (high, medium, or low) (

4. Changes reviewed and approved by the Chief Information Officer (CIO), a change from the procedure which was approved by the Chief Information Security Officer (CISO).

References to the old, superseded, External Assessment Review Procedure, in other policies, standards, and procedures are being updated to the new Vendor Security Review Standard.

Questions and concerns should be directed to 

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form